> I found out that it should be possible to directly
> map AuthenticationHandlers to CredentialsToPrincipalResolvers

I believe you're referring to
http://developer.jasig.org/source/browse/jasigsvn/cas3/trunk/cas-server-core/src/main/java/org/jasig/cas/authentication/DirectMappingAuthenticationManagerImpl.java?r=42776,
is that correct? I don't think this will help you any since the
core implementation of that class isn't any different from that of the
default authentication manager, AuthenticationManagerImpl, where
credentials are tested by _class_. In the cases you cited, AD, LDAP,
and MySQL, you're only using a single credentials type,
UsernamePasswordCredentials, to perform authentication. In fact, such
a use case as yours would probably _preclude_
DirectMappingAuthenticationManagerImpl since you'd only be able to
specify a single auth handler in the map of classes to auth handlers.
I suppose you could create custom credentials classes, but that seems
awkward since they are all essentially username/password
authentication mechanisms.

> Obviously that'd be way more performant (not to mention safer
> data-consistency wise) than having to loop through the entire set of
> CredentialsToPrincipalResolvers all the time.

I don't think the iterative testing of handlers is too bad. For what
it loses in absolute performance, it makes up for in flexibility. I
know we benefit from the iterative handling in our environment at
Virginia Tech. It's trivial to set up vastly different forms of
authentication credentials merely by chaining auth handlers, which
allows us to auth with both username/password and X.509 client
certificates. Yours is more a problem of merging 3 different username/
password data sources than allowing fundamentally different forms of
authentication, which is where the design shines.
M