> And then... what happens? Is a ticket created, and the application
> (whichever that may be) can then use the ticket to retrieve the attributes for
> the information it needs?

A TGT is created to establish the Single Signon Session with the client. An ST (service ticket) is created for a specific application to enable retrieving the identity and attributes of the client (one time use). This picture might help: http://goo.gl/E75V7O

> What is set in the REMOTE_USER on the client when I use the default
> configuration? Nothing? Or does the application (i.e. the client of the CAS
> server) request the username for REMOTE_USER?

There are a number of "CAS Clients" and each has a different way of releasing the subject and attributes to the protected application. The "mod_auth_cas" Apache module will use HTTP headers and also the Apache "REMOTE_USER" environment variable, which can be used by Apache itself and is passed on in AJP proxying. Which client are you using?

> The reason I ask for this is... Would a resolver need to retrieve information
> by using the credential given, for example:
>
> 1. I have a UsernamePasswordCredential (from the login form)
> 2. I have the RADIUS authenticator that returns "yes, you're authenticated"
> 3. As part of the successful authentication, the RADIUS server also returns
>    a bunch of attributes, but from what I can see, the authenticator is not
>    interested in those attributes, and simply looks at the authentication
>    result (yes they successfully authenticated or not).
>
> Must I then use a credential-to-principal resolver that 'magically' retrieves
> those attributes (possibly by authenticating a second time and retrieving
> those attributes), or can I create an authenticator that feeds those
> attributes directly into the attributeRepository, so that any CAS client
> after that can retrieve the username for the user that authenticated? Or am I
> mixing up the objects here?

This question comes up on occasion; others can answer better. I think that in CAS 4.0, these steps (authentication and attribute retrieval) are combined, so you don't have the same issue.

> In CAS 3.5.2 I tried to change the credentials object, but I think it causes a
> session exception (I see an exception every time after a successful
> authentication with this handler occurs, it's not the handler itself that
> dies). In CAS 4.0.0 I see it's now a username string and password string that
> are passed in (presumably to prevent the changing of the username and
> password inside the authenticator), so I'm trying to find the right way to do
> this.
>
> Any suggestions are very much appreciated! :-)
>
> Stefan Paetow
> Software Engineer
> +44 1235 778812
> Diamond Light Source Ltd.
> Diamond House, Harwell Science and Innovation Campus, Didcot,
> Oxfordshire, OX11 0DE
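
As an added example (not code from this thread or from the CAS project): a sketch of what a CAS client does after exchanging the service ticket at the validation endpoint, parsing the XML reply into the user and attributes it would release to the protected application. It assumes the server releases attributes in a `cas:attributes` block; the sample responses, the `CAS_` key prefix and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses, not captured from a real server.
SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.org</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

def parse_validation(xml_text):
    """Return (user, attributes) on success; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}serviceResponse" % NS["cas"]:
        raise ValueError("not a CAS service response")
    ok = root.find("cas:authenticationSuccess", NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", NS)
        code = fail.get("code", "UNKNOWN") if fail is not None else "MALFORMED"
        raise ValueError("validation failed: " + code)
    user = (ok.findtext("cas:user", default="", namespaces=NS) or "").strip()
    if not user:
        raise ValueError("success response without cas:user")
    attrs = {}
    block = ok.find("cas:attributes", NS)
    for el in (block if block is not None else []):
        # Strip the namespace; keep repeated elements as multi-valued attributes.
        attrs.setdefault(el.tag.split("}", 1)[-1], []).append((el.text or "").strip())
    return user, attrs

def to_request_env(xml_text):
    """Hypothetical hand-off to the protected app: REMOTE_USER plus CAS_* keys."""
    user, attrs = parse_validation(xml_text)
    env = {"REMOTE_USER": user}
    for name, values in attrs.items():
        env["CAS_" + name] = ",".join(values)
    return env

if __name__ == "__main__":
    print(to_request_env(SUCCESS))
```

A failure or malformed reply raises instead of returning a partial result, so the caller never sets `REMOTE_USER` from anything other than an `authenticationSuccess` element.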