Sander,

Most people use Spring Security 2.0 to incorporate CAS and Servlet Container Management. (http://static.springsource.org/spring-security/site/index.html) If that doesn't meet your needs, then you need to create a custom JAAS module that can register users and their roles with the servlet container.

HTH,
A-

On 7/9/09 11:43 AM, "Sander Bos" <[email protected]> wrote:

> Hello,
>
> I would like to know how to / get some pointers on how to CASsify an
> application that protects resources based on roles. More specifically, uses
> security-constraints in web.xml to protect resources. To be clear I mean
> this:
>
> <security-constraint>
>   <web-resource-collection>
>     <url-pattern>/notforeveryCASauthenticateduser/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>SuperSpecialAdmin</role-name>
>   </auth-constraint>
> </security-constraint>
>
> I understand that CAS only deals with the authentication part, but to CASsify
> an existing application fully I still have to deal with roles. And I am
> totally confused as to where to set things now.
>
> The particular application in question runs in JBoss, and currently
> authentication / role determination happens through a login-module which has a
> form that posts to j_security_check, and that then gets handled by a
> LoginModule configured in JBoss, which has a chance to set the roles.
>
> If I switch to CAS servlets, where can I set the roles in a way that they are
> picked up by a security-constraint configured in web.xml (I understand I have
> to code it myself, and I can determine the role-names based on a username in
> code if CAS tells me the username, I just don't understand where I would have
> to place such code so that the roles would be picked up).
>
> Can I even use security-constraint in combination with CAS? For instance
> http://tp.its.yale.edu/pipermail/cas/2008-March/007725.html suggests that
> security-constraints will be checked before the CAS filters are even executed?
>
> I would be grateful for any tips.
>
> Kind regards,
>
> --Sander.

--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400
