Title: Re: [cas-user] CASsify application with role-based security constraints in web.xml?

Hello Andrew,

Thank you for your response.

I don't want to move to another security mechanism at this point, because I only need to cassify these apps to be able to access them from a portal, not to do a complete rearchitecture of them. Changing web.xml and introducing a few jars is about as far as I wish to go.

With respect to what you say about a custom JAAS module, do you mean something like what is described at
    http://www.kopz.org/public/documents/tomcat/jaasintomcat.html
?
(because technically that seems very doable, but already involves a lot of deployment config changes so I hoped to stay away from that)

Kind regards,

--Sander.

Andrew Feller wrote:
Sander,

Most people use Spring Security 2.0 to incorporate CAS and Servlet Container Management. ( http://static.springsource.org/spring-security/site/index.html )  If that doesn’t meet your needs, then you need to create a custom JAAS module that can register users and their roles with the servlet container.

HTH,
A-

On 7/9/09 11:43 AM, "Sander Bos" <[email protected]> wrote:


Hello,

I would like to know how to / get some pointers on how to CASsify an application that protects resources based on roles. More specifically, one that uses security-constraints in web.xml to protect resources. To be clear, I mean this:
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/notforeveryCASauthenticateduser/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SuperSpecialAdmin</role-name>
        </auth-constraint>
    </security-constraint>


I understand that CAS only deals with the authentication part, but to CASsify an existing application fully I still have to deal with roles. And I am totally confused as to where to set things now.

The particular application in question runs in JBoss, and currently authentication/ role determination happens through a login-module which has a form that posts to j_security_check, and that then gets handled by a LoginModule configured in JBoss, which has a chance to set the roles.

If I switch to CAS servlets, where can I set the roles in a way that they are picked up by a security-constraint configured in web.xml (I understand I have to code it myself, and I can determine the role-names based on a username in code if CAS tells me the username, I just don't understand where I would have to place such code so that the roles would be picked up)?

Can I even use security-constraint in combination with CAS? For instance
http://tp.its.yale.edu/pipermail/cas/2008-March/007725.html
suggests that security-constraints will be checked before the CAS filters are even executed?

I would be grateful for any tips.

Kind regards,

--Sander.


--
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400

-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
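
The custom JAAS module suggested in the thread, as an added example that is not code from the thread or from the CAS project: a LoginModule that receives the CAS service ticket as the JAAS password and, only after the ticket validates, adds user and role principals to the Subject. The class names, the `TicketCheck` hook, the ticket value and the role table are hypothetical; how the container maps `RolePrincipal` onto the `role-name` in web.xml is container-specific and assumed to be configured separately.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class CasRoleLoginModule implements LoginModule {
    /** Hypothetical hook: returns the username for a valid CAS service ticket, else null. */
    public interface TicketCheck { String userFor(String ticket); }
    // Constructed stand-ins; replace with real CAS ticket validation and a real role store.
    static TicketCheck ticketCheck = t -> "ST-constructed-1".equals(t) ? "sander" : null;
    static final Map<String, List<String>> ROLES = Map.of("sander", List.of("SuperSpecialAdmin"));
    // Distinct principal classes so a container can tell roles from the user by type.
    static class Named implements Principal {
        final String name;
        Named(String n) { name = n; }
        public String getName() { return name; }
    }
    public static class UserPrincipal extends Named { UserPrincipal(String n) { super(n); } }
    public static class RolePrincipal extends Named { RolePrincipal(String n) { super(n); } }

    private Subject subject;
    private CallbackHandler handler;
    private String user;   // set only after the ticket has been validated

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        PasswordCallback ticket = new PasswordCallback("ticket", false);
        try {
            handler.handle(new Callback[] { ticket });
        } catch (Exception e) {
            throw new LoginException("could not read ticket: " + e.getMessage());
        }
        char[] st = ticket.getPassword();
        user = (st == null) ? null : ticketCheck.userFor(new String(st));
        if (user == null) throw new FailedLoginException("ticket rejected");
        return true;
    }
    public boolean commit() {
        if (user == null) return false;   // never add roles for an unvalidated login
        subject.getPrincipals().add(new UserPrincipal(user));
        for (String r : ROLES.getOrDefault(user, List.of())) subject.getPrincipals().add(new RolePrincipal(r));
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof Named); user = null; return true; }
}
```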