I have an upcoming requirement to be able to update person attributes at service validation time. One of our attributes is a list of groups associated with a user which are used for authorization decisions. Our usage patterns are such that the list of groups may change between the time a user logs into her first application and when she logs into subsequent applications. Since some of the applications rely on this to get group definitions (since they don't have access to our user information database), this can cause a newly-authorized user to erroneously be denied access.

Looking at the code, it looks like the way to do this by providing an alternate implementation of the CentralAuthenticationService that delegates to the default implementation for everything but the validateServiceTicket method, which would do what I need. Does that sound reasonable/sane? If you were an deployer, would you want to maintain something like that?

Thanks,
Rich

--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to