Hi,

If you do the check on serviceType in an authentication handler, it will be done just the first time the user enters credentials, and the next time the user tries to access another application, no check will be performed. I imagine that's why your mechanism doesn't work.

You have two steps in the CAS server:
- authentication: it happens just once during the SSO session
- access to applications (generates service tickets): it happens each time the user accesses an application.

So to do some control and distinguish access between applications, you have to store / compute some information at login and check if it's OK every time a user tries to access an application. This happens through the generation of a service ticket in the GenerateServiceTicketAction, so that's why I was talking about a customized class for that.

But I see a bigger problem here: your SQL query is based directly on the request st parameter appended to the /cas/login URL. I don't see any check on the service itself. You set a security level on the client side by a URL parameter, st=4. It means that you will call the CAS server for authentication with a /cas/login?st=4&service=myfirstservice URL. Nothing prevents me from calling the CAS server by manually changing the URL to /cas/login?st=2&service=myfirstservice and setting another value for the st parameter. It looks like a security breach to me. Hope I'm missing something.

Best regards,
Jérôme

--
You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
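The two points in the message above (a level stored once at login and checked on every service-ticket generation, and the level of a service coming from server-side configuration rather than from the client's st parameter), as an added example that is not from the thread or from CAS itself; the service registry, level values, session class and function names are assumptions:

```python
from urllib.parse import parse_qs, urlparse

# Constructed server-side registry: which authentication level each
# application (service) requires. Hypothetical services and levels.
SERVICE_REGISTRY = {
    "https://myfirstservice.example/": 4,
    "https://mysecondservice.example/": 2,
}


def level_from_login_url(login_url):
    """Flawed approach: the level comes from the client-supplied 'st' parameter,
    so whoever builds the /cas/login URL chooses it."""
    params = parse_qs(urlparse(login_url).query)
    return int(params.get("st", ["0"])[0])


def level_for_service(service):
    """Server-side approach: the level is a property of the service itself."""
    return SERVICE_REGISTRY.get(service)


class SsoSession:
    """State kept once per SSO session, i.e. computed at authentication time."""

    def __init__(self, user, auth_level):
        self.user = user
        self.auth_level = auth_level  # stored at login, never taken from later requests


def generate_service_ticket(session, service):
    """Check performed on every application access (service-ticket generation).
    Returns a placeholder ticket string, or None when access is denied."""
    required = level_for_service(service)
    if required is None:
        raise ValueError(f"unregistered service: {service}")
    if session.auth_level < required:
        return None  # the session's stored level is too low for this service
    return f"ST-{session.user}-{service}"
```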