Hi David, Thanks for your patience!
> > What is 'the subject'? Is that the principal object? > I mean the "username". Ahh I see. > > If so, can the principal differ from the actual credentials used, for > > example, if I use an authenticator to authenticate 'b...@uni.edu', the > > principal would not necessarily be 'b...@uni.edu' or even 'bob', but > perhaps 's55694', correct? > > Yes, that is correct. Ok. That helps me a lot! :-) > > That depends on the credential-to-principal resolver, right? > > > Yes. Ok. > If they are all behind apache, then they you can use mod_auth_cas and > the user and attributes will be released in HTTP headers. Otherwise > you can use different CAS clients for each and each will have a way of > getting the username and attributes into the application's environment. Ok. I'll see what I get with mod_auth_cas to see what it spits out. > > > This question comes up on occasion; others can answer better. I > > > think that in CAS 4.0, these steps (authentication and attribute > > > retrieval) are combined, so you don't have the same issue. After spelunking deeper into the code, it does indeed appear to be the case that there are no more credential-to-principal resolvers. The RadiusAuthenticationHandler returns a SimplePrincipal based on the username, which means I can return something different if that's what I get back from RADIUS. This is very much going in the direction I was hoping for. With Regards Stefan -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom -- You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
