> There are two features I miss when switching to using an AssertionCasRealm.
>
> 1. The commonRole property allows me to easily assign a role to all
> authenticated users.
>
> 2. While I can't find any mention of this in the JNDIRealm documentation,
> roleName="cn" causes the CN attribute to be extracted from the group and
> used as the role name rather than the DN. This is useful to me because
> Orbeon Forms doesn't currently allow commas in role names.

1. AssertionCasRealm has no support for statically-defined role data, and I'm somewhat skeptical of the general value of a feature like that. There's no security value for a role attribute that all authenticated users have, so it's simply a tag. I can imagine you need it for integration purposes, but that feels like a special case instead of a general capability.

2. The CAS realm simply sets the attribute based on the directory value, so if it's DN in the directory that's what you get. I can see that the ability to transform attributes may have general value, for example a regex expression with a capture where the capture value is used for the role attribute. That said, I think parsing DNs is potentially dangerous, and I've seen it done wrong on many if not most occasions.
> wondering if you would be receptive to patches implementing options that
> could improve substitutability with JNDIRealm.

Absolutely. Please file issues in Jira and submit GitHub pull requests.

> I am also looking for direction on how I might best implement those
> changes.

I'm lukewarm on 1 as I said, but it should be straightforward to implement. I would expect a configuration attribute that accepts a comma-delimited list of static roles to assign all authenticated principals. As for 2, I would recommend the regex capture-based approach I mentioned.

M

--
You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
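The following is an added example, not code from this thread or from the CAS client project. It sketches both options discussed above in Python: a comma-delimited static-roles attribute applied to every authenticated principal (item 1), and a per-value transform for the role attribute (item 2), once as the regex-capture approach M recommended and once as an RFC 4514-aware RDN extractor, to show the DN-parsing hazard M warns about. The function names (parse_static_roles, regex_capture, first_rdn_value, map_roles), the sample group DNs and the config semantics are all assumptions made for illustration.

```python
import re
from typing import Callable, List, Optional

# Constructed sample group DNs, in the shape a directory hands back as a
# multi-valued group-membership attribute. The second one carries an
# RFC 4514 escaped comma inside the CN value; this is the case a naive
# "[^,]+" capture gets wrong.
SAMPLE_GROUP_DNS = [
    "CN=orbeon-users,OU=Groups,DC=example,DC=com",
    "CN=Smith\\, John,OU=Groups,DC=example,DC=com",
    "CN=admins,OU=Groups,DC=example,DC=com",
]


def parse_static_roles(value: Optional[str]) -> List[str]:
    """Split the hypothetical comma-delimited static-roles attribute (item 1).

    Static roles carry no directory-backed meaning; every authenticated
    principal gets them. Whitespace and empty items are dropped.
    """
    if not value:
        return []
    return [r.strip() for r in value.split(",") if r.strip()]


def regex_capture(pattern: str) -> Callable[[str], Optional[str]]:
    """Build a transform returning capture group 1 of `pattern`, or None.

    This is the "regex with a capture" approach from the thread. It is only
    as safe as the pattern: "[^,]+" stops at any comma, escaped or not.
    """
    compiled = re.compile(pattern, re.IGNORECASE)

    def transform(value: str) -> Optional[str]:
        m = compiled.match(value)
        return m.group(1) if m else None

    return transform


def first_rdn_value(dn: str) -> str:
    """Return the attribute value of the first RDN, decoding RFC 4514 escapes.

    Handles "\\," style escapes and "\\2C" style hex pairs and stops at the
    first unescaped ',' or '+'. It does not validate the attribute type and
    does not assemble multi-valued RDNs beyond stopping at '+'.
    """
    eq = dn.find("=")
    if eq < 0:
        raise ValueError(f"not a DN: {dn!r}")
    out = bytearray()
    i = eq + 1
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(ch in "0123456789abcdefABCDEF" for ch in pair):
                out.append(int(pair, 16))      # hex pair -> raw byte
                i += 3
            elif i + 1 < len(dn):
                out += dn[i + 1].encode("utf-8")  # escaped special char
                i += 2
            else:
                raise ValueError(f"trailing backslash in DN: {dn!r}")
            continue
        if c in ",+":
            break
        out += c.encode("utf-8")
        i += 1
    return out.decode("utf-8")


def map_roles(group_values: List[str], static_roles: Optional[str] = None,
              transform: Optional[Callable[[str], Optional[str]]] = None) -> List[str]:
    """Compute the role list for one principal.

    static_roles: the hypothetical comma-delimited config attribute (item 1).
    transform: optional per-value transform (item 2). Values the transform
    rejects (returns None or empty for) are dropped rather than passed
    through, so a bad pattern fails closed instead of leaking a raw DN.
    """
    roles = parse_static_roles(static_roles)
    for value in group_values:
        mapped = transform(value) if transform else value
        if mapped:
            roles.append(mapped)
    return roles


if __name__ == "__main__":
    naive = regex_capture(r"^cn=([^,]+)")
    print(map_roles(SAMPLE_GROUP_DNS, "ROLE_USER", naive))
    print(map_roles(SAMPLE_GROUP_DNS, "ROLE_USER", first_rdn_value))
```

Running it shows the difference: the naive capture turns the escaped DN into the role "Smith\" (truncated at the escaped comma, backslash included), while the RFC 4514-aware extractor yields "Smith, John". Note that a correctly decoded CN can itself contain a comma, so a consumer that cannot accept commas in role names (the Orbeon case above) needs its own policy for that, such as rejecting the value, rather than relying on DN parsing to strip it.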