I apologise ahead of time for the lengthy post that follows, but I'm still failing to understand properly how CAS hangs together, specifically the authentication and the principals portions.
The way I understand this is this:

1. We have the CAS server, which has an authentication manager.
2. The authentication manager has a list of authentication handlers and a list of credential-to-principal resolvers, and can accept various types of credentials.
3. For each authentication request, the authentication manager tries each authentication handler until one says 'yes, I can authenticate these credentials' and it successfully authenticates, or the list is exhausted.
4. Then, depending on the type of authentication manager used (I noticed there are at least 3 by default), the authentication manager either tries each credential-to-principal resolver that can resolve the principal from the credentials, or uses the corresponding credential-to-principal resolver for the authentication handler that successfully authenticated.
5. The credential-to-principal resolver in turn resolves the credentials into a principal, which in turn is the username information in the credential plus a list of attributes that belong to that username.

Is this correct? And then... what happens? Is a ticket created, and the application (whichever that may be) can then use the ticket to retrieve the attributes for the information it needs? What is set in the REMOTE_USER on the client when I use the default configuration? Nothing? Or does the application (i.e. the client of the CAS server) request the username for REMOTE_USER?

The reason I ask for this is... Would a resolver need to retrieve information by using the credential given, for example:

1. I have a UsernamePasswordCredential (from the login form).
2. I have the RADIUS authenticator that returns "yes, you're authenticated".
3. As part of the successful authentication, the RADIUS server also returns a bunch of attributes, but from what I can see, the authenticator is not interested in those attributes, and simply looks at the authentication result (yes they successfully authenticated or not).
Must I then use a credential-to-principal resolver that 'magically' retrieves those attributes (possibly by authenticating a second time and retrieving those attributes), or can I create an authenticator that feeds those attributes directly into the attributeRepository, so that any CAS client after that can retrieve the username for the user that authenticated? Or am I mixing up the objects here?

In CAS 3.5.2 I tried to change the credentials object, but I think it causes a session exception (I see an exception every time after a successful authentication with this handler occurs; it's not the handler itself that dies). In CAS 4.0.0 I see it's now a username string and password string that are passed in (presumably to prevent the changing of the username and password inside the authenticator), so I'm trying to find the right way to do this.

Any suggestions are very much appreciated! :-)

Stefan Paetow
Software Engineer
+44 1235 778812
Diamond Light Source Ltd.
Diamond House, Harwell Science and Innovation Campus
Didcot, Oxfordshire, OX11 0DE

--
You are currently subscribed to cas-dev@lists.jasig.org
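As an added illustration (not Stefan's code, and not a class shipped with CAS), this is how the second option in the question looks against the CAS 4.0 handler API: a handler that extends AbstractUsernamePasswordAuthenticationHandler, authenticates through a RADIUS client, and builds the Principal from the reply attributes itself, so the attributes travel with the HandlerResult and no second lookup by a credential-to-principal resolver is needed. The AttributeReturningRadiusClient interface is a hypothetical stand-in for whatever client exposes the RADIUS reply attributes; the org.jasig.cas classes are the 4.0 API.

```java
package example.cas; // hypothetical package

import java.security.GeneralSecurityException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import org.jasig.cas.authentication.BasicCredentialMetaData;
import org.jasig.cas.authentication.HandlerResult;
import org.jasig.cas.authentication.PreventedException;
import org.jasig.cas.authentication.UsernamePasswordCredential;
import org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;

/** Hypothetical client: null when RADIUS rejects the user, otherwise the reply attributes. */
interface AttributeReturningRadiusClient {
    Map<String, Object> authenticate(String username, String password) throws Exception;
}

public class AttributeAwareRadiusHandler extends AbstractUsernamePasswordAuthenticationHandler {

    private final AttributeReturningRadiusClient client;

    public AttributeAwareRadiusHandler(final AttributeReturningRadiusClient client) {
        this.client = client;
    }

    @Override
    protected HandlerResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential)
            throws GeneralSecurityException, PreventedException {
        final String username = credential.getUsername();
        final Map<String, Object> replyAttributes;
        try {
            // The credential object is only read, never mutated (the 3.5.2 approach in the question).
            replyAttributes = client.authenticate(username, credential.getPassword());
        } catch (final Exception e) {
            // Transport or server failure is not a wrong password: signal it as prevented
            // so the authentication manager can move on to the next handler.
            throw new PreventedException("RADIUS server unreachable", e);
        }
        if (replyAttributes == null) {
            throw new FailedLoginException("RADIUS rejected " + username);
        }
        // Copy the reply attributes into the Principal; CAS clients then receive them
        // through the normal attribute-release path, with the Principal id as the username.
        final Principal principal = new SimplePrincipal(username, new HashMap<String, Object>(replyAttributes));
        return new HandlerResult(this, new BasicCredentialMetaData(credential), principal);
    }
}
```

Because the Principal is built here, the attributeRepository need not be consulted for these attributes at all; attribute release to individual services is still governed by the registered service's attribute policy.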