I have an upcoming requirement to be able to update person attributes at
service validation time. One of our attributes is a list of groups
associated with a user which are used for authorization decisions. Our
usage patterns are such that the list of groups may change between the
time a user logs into her first application and when she logs into
subsequent applications. Since some of the applications rely on this to
get group definitions (since they don't have access to our user
information database), this can cause a newly-authorized user to
erroneously be denied access.
Looking at the code, it looks like the way to do this by providing an
alternate implementation of the CentralAuthenticationService that
delegates to the default implementation for everything but the
validateServiceTicket method, which would do what I need. Does that
sound reasonable/sane? If you were an deployer, would you want to
maintain something like that?
Thanks,
Rich
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev