Hi. Got a few follow-up questions related to this.

Someone had mentioned this JSON-based Services Registry recently on
this list, so I had asked for the code and deployed it.

It worked -- that is, CAS still worked, I could log in -- but I found
that I had lost the attributes I had set up being passed to my CAS
client (I have a test site set up with mod_auth_cas -- so using
org.jasig.cas.services.InMemoryServiceRegistryDaoImpl as the
serviceRegistryDao, I got the attributes, but using this JSON-based
Services Registry, I didn't). Any idea what's going on with that --
why they're not being sent, and what I can do to fix that?

Second, you mention that with this configuration, the authzAttributes
must be satisfied by the user. Is some additional code/configuration
required for that to work? With what I have deployed, I don't see how
that would get checked (e.g., I don't see anything that's
using/checking extraAttributes or authzAttributes).

Thanks.

Milt Epstein

On Mon, 16 Apr 2012, William G. Thompson, Jr. wrote:
> Hi Dave,
>
> The solution is based on a new JSON-based Services Registry and some
> custom logic in the login flow. The JSON services config specifies
> which user attributes must be present in order to grant a service
> ticket. If the user is unauthorized they get redirected to an
> unauthorizedRedirectUrl.
>
>
> The JSON looks like this:
> {
>   "services":[
>     {
>       "id":"1",
>       "serviceId":"https://www.google.com",
>       "name":"GOOGLE",
>       "description":"Test Google service",
>       "extraAttributes":{
>         "authzAttributes":{
>           "eduPersonAffiliation":["student_current", "alumni"]
>         },
>         "unauthorizedRedirectUrl":"https://www.google.com?q=un"
>       }
>     }
>   ]
> }
>
> This says the user must have an eduPersonAffiliation of either
> student_current or alumni, otherwise they get redirected to
> https://www.google.com?q=un.
>
> The JSON Registry is available here:
> https://github.com/Unicon/cas-addons/tree/master/src/main/java/net/unicon/cas/addons/serviceregistry
>
> Hopefully we'll have a session on this at the Jasig/Sakai conference in June.
>
> Best
> Bill
[ ... ]
Milt Epstein
Applications Developer
Graduate School of Library and Information Science (GSLIS)
University of Illinois at Urbana-Champaign (UIUC)
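
The authorization rule described in the quoted message, sketched as an added example; this is not code from the thread or from cas-addons. The function names, the exact-match lookup on serviceId, the denial of unregistered services and the "every listed attribute must be satisfied" rule are assumptions made for illustration.

```python
import json

# Constructed registry document: the service entry quoted in the message,
# closed off so that it parses as JSON.
REGISTRY_JSON = """
{"services": [{
  "id": "1",
  "serviceId": "https://www.google.com",
  "name": "GOOGLE",
  "description": "Test Google service",
  "extraAttributes": {
    "authzAttributes": {"eduPersonAffiliation": ["student_current", "alumni"]},
    "unauthorizedRedirectUrl": "https://www.google.com?q=un"
  }
}]}
"""


def as_list(value):
    """Directories often return single-valued attributes as bare strings."""
    return [value] if isinstance(value, str) else list(value or [])


def find_service(registry, service_url):
    """Return the entry whose serviceId equals service_url (assumption: exact match)."""
    for svc in registry.get("services", []):
        if svc.get("serviceId") == service_url:
            return svc
    return None


def authorize(registry, service_url, user_attrs):
    """Return ("grant", None), ("redirect", url) or ("deny", None)."""
    svc = find_service(registry, service_url)
    if svc is None:
        return ("deny", None)  # assumption: unregistered services get no ticket
    extra = svc.get("extraAttributes") or {}
    required = extra.get("authzAttributes") or {}  # absent means no restriction
    for name, allowed in required.items():
        held = set(as_list(user_attrs.get(name)))
        # One matching value satisfies an attribute; every listed attribute
        # must be satisfied (assumption: the message shows only one).
        if not held & set(as_list(allowed)):
            return ("redirect", extra.get("unauthorizedRedirectUrl"))
    return ("grant", None)


REGISTRY = json.loads(REGISTRY_JSON)
```

A user with no eduPersonAffiliation at all is treated the same as one with a non-matching value, so a registry that releases no attributes will send every user to the unauthorized URL.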