> I understand that CAS only deals with the authentication part, but to CASsify an existing application fully I still have to deal with roles. And I am totally confused as to where to set things now.
That is correct, CAS has no direct support for authorization. But it can provide data, e.g. for authorization, to clients via the attribute release mechanism, http://www.ja-sig.org/wiki/display/CASUM/Attributes. It is entirely within the purview of the client application to consume the data and make authorization decisions.

That's why Andrew suggested a framework such as Spring Security. You don't have to use that, but you do have to use _something_. Just happens that Spring Security is a good something.

M
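Added example, not part of the original message and not CAS or Spring Security code: a client consuming released attributes and making a deny-by-default role decision itself. It assumes the deployment returns attributes in a `cas:attributes` block of the ticket validation response; the `memberOf` attribute, the role names and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample of a successful validation response (not captured traffic).
SAMPLE_RESPONSE = """\
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>wiki-editors</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
"""

# Hypothetical application policy: released group value -> local role.
GROUP_TO_ROLE = {"wiki-editors": "ROLE_EDITOR", "wiki-admins": "ROLE_ADMIN"}

def parse_validation(xml_text):
    """Return (user, attributes) on success, or (None, {}) on any failure."""
    if "<!DOCTYPE" in xml_text:  # no DTD is expected here; refuse it outright
        return None, {}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, {}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None, {}
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        return None, {}
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        name = el.tag.split("}", 1)[-1]  # drop the namespace part of the tag
        attrs.setdefault(name, []).append((el.text or "").strip())
    return user, attrs

def roles_for(attrs):
    """Map released groups to local roles; unknown groups grant nothing."""
    return {GROUP_TO_ROLE[g] for g in attrs.get("memberOf", []) if g in GROUP_TO_ROLE}

def is_allowed(xml_text, required_role):
    """Deny by default: no valid authentication or no matching role -> False."""
    user, attrs = parse_validation(xml_text)
    return user is not None and required_role in roles_for(attrs)
```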
