I think that the proxy use case is an extension of the existing use cases. Maybe not all the use cases are clear enough to me. You are right when you say that chained authentications are meaningful only for proxy chains, but I think that we have to handle them, considering that proxy tickets are created and validated through the same method.

I saw this interface as a fantastic point at which to plug in my access control for the services, and it works very well for the non-proxy use case: it denies the creation of the service ticket without requiring specific validations afterwards.

I think that we can simply add a method to the AuthenticationPolicy interface with this signature:

    Authentication isSatisfiedBy(List<Authentication> authentication);

In the method getAuthenticationSatisfiedByPolicy of CentralAuthenticationServiceImpl, we can add a third check in case the previous two fail, invoking the above method. All already existing AuthenticationPolicy implementations will return null in order to preserve the original behavior.

If you agree with me and you want, I could take care of this development; otherwise I would really appreciate your advice about how to implement this feature alternatively.
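A sketch of the proposal in the message above, added here as an illustration; it is not part of the original message and not CAS code. Every type is a stand-in, and the boolean single-authentication check, the primary/supplemental modeling of the two existing checks, the default method, the allowedChain policy and the choice of which chain element to return are all assumptions.

```java
import java.util.List;
import java.util.Set;

public class ChainedPolicySketch {
    // Stand-in for an authentication; not the CAS Authentication class.
    record Authentication(String principal) {}

    interface AuthenticationPolicy {
        // Assumed shape of the existing single-authentication check.
        boolean isSatisfiedBy(Authentication authentication);

        // Proposed addition from the message. Returning null by default
        // leaves the behavior of every existing policy unchanged.
        default Authentication isSatisfiedBy(List<Authentication> chain) {
            return null;
        }
    }

    // Hypothetical policy: accept a proxy chain only if every principal is allowed.
    static AuthenticationPolicy allowedChain(Set<String> allowed) {
        return new AuthenticationPolicy() {
            public boolean isSatisfiedBy(Authentication a) { return false; }
            public Authentication isSatisfiedBy(List<Authentication> chain) {
                boolean ok = !chain.isEmpty()
                        && chain.stream().allMatch(a -> allowed.contains(a.principal()));
                // Assumption: the last authentication in the chain is the one returned.
                return ok ? chain.get(chain.size() - 1) : null;
            }
        };
    }

    // Models getAuthenticationSatisfiedByPolicy: two existing checks, then the third.
    static Authentication select(AuthenticationPolicy policy, Authentication primary,
                                 List<Authentication> supplemental, List<Authentication> chain) {
        if (policy.isSatisfiedBy(primary)) return primary;
        for (Authentication a : supplemental) {
            if (policy.isSatisfiedBy(a)) return a;
        }
        Authentication fromChain = policy.isSatisfiedBy(chain); // proposed third check
        if (fromChain == null) {
            throw new IllegalStateException("authentication policy not satisfied");
        }
        return fromChain;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Authentication user = new Authentication("alice");
        List<Authentication> chain = List.of(user, new Authentication("https://proxy.example.org"));
        AuthenticationPolicy chained = allowedChain(Set.of("alice", "https://proxy.example.org"));
        System.out.println(select(chained, user, List.of(), chain).principal());
        AuthenticationPolicy legacy = a -> true; // existing policy, never reaches the third check
        System.out.println(select(legacy, user, List.of(), chain).principal());
    }
}
```

The sketch needs Java 16 or later for the record type; a chain containing a principal outside the allowed set makes select throw, which stands in for denying the ticket.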