Hello,

I would like to know how to/ get some pointers on how to CASsify an application that protects resources based on roles. More specifically, uses security-constraint's in web.xml to protect resources. To be clear I mean this:

    <security-constraint>
      <web-resource-collection>
        <url-pattern>/notforeveryCASauthenticateduser/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>SuperSpecialAdmin</role-name>
      </auth-constraint>
    </security-constraint>

I understand that CAS only deals with the authentication part, but to CASsify an existing application fully I still have to deal with roles. And I am totally confused as to where to set things now.

The particular application in question runs in JBoss, and currently authentication/ role determination happens through a login-module which has a form that posts to j_security_check, and that then gets handled by a LoginModule configured in JBoss, which has a chance to set the roles.

If I switch to CAS servlets, where can I set the roles in a way that they are picked up by a security-constraint configured in web.xml (I understand I have to code it myself, and I can determine the role-names based on a username in code if CAS tells me the username, I just don't understand where I would have to place such code so that the roles would be picked up).

Can I even use security-constraint in combination with CAS? For instance http://tp.its.yale.edu/pipermail/cas/2008-March/007725.html suggests that security-constraints will be checked before the CAS filters are even executed?

I would be grateful for any tips.

Kind regards,

--Sander.
