No, the registry code does not include the authorization checks. That code is implementation specific and needs to be developed.
If anything, can you post your regular service registry DAO config as well as JSON registry config, in order to see what's going on?

Dmitriy.

Sent from my iPad

On Apr 19, 2012, at 6:19 PM, Milt Epstein <[email protected]> wrote:

> Hi. Got a few followup questions related to this.
>
> Someone had mentioned this JSON-based Services Registry recently on
> this list, so I had asked for the code and deployed it.
>
> It worked -- that is, CAS still worked, I could log in -- but I found
> that I had lost the attributes I had set up being passed to my CAS
> client (I have a test site set up with mod_auth_cas -- so using
> org.jasig.cas.services.InMemoryServiceRegistryDaoImpl as the
> serviceRegistryDao, I got the attributes, but using this JSON-based
> Services Registry, I didn't). Any idea what's going on with that --
> why they're not being sent, and what I can do to fix that?
>
> Second, you mention that with this configuration, the authzAttributes
> must be satisfied by the user. Is some additional code/configuration
> required for that to work? With what I have deployed, I don't see how
> that would get checked (e.g., I don't see anything that's
> using/checking extraAttributes or authzAttributes).
>
> Thanks.
>
> Milt Epstein
>
>
> On Mon, 16 Apr 2012, William G. Thompson, Jr. wrote:
>
>> Hi Dave,
>>
>> The solution is based on a new JSON-based Services Registry and some
>> custom logic in the login flow. The JSON services config specifies
>> which user attributes must be present in order to grant a service
>> ticket. If the user is unauthorized they get redirected to an
>> unauthorizedRedirectUrl.
>>
>>
>> The JSON looks like this:
>> "services":[
>>   {
>>     "id":"1",
>>     "serviceId":"https://www.google.com",
>>     "name":"GOOGLE",
>>     "description":"Test Google service",
>>     "extraAttributes":{
>>       "authzAttributes":{
>>         "eduPersonAffiliation":["student_current", "alumni"]
>>       },
>>       "unauthorizedRedirectUrl":"https://www.google.com?q=un"
>>     }
>>   }
>> ]
>>
>> This says the user must have an eduPersonAffiliation of either
>> student_current or alumni, otherwise they get redirected to
>> https://www.google.com?q=un.
>>
>> The JSON Registry is available here:
>> https://github.com/Unicon/cas-addons/tree/master/src/main/java/net/unicon/cas/addons/serviceregistry
>>
>> Hopefully we'll have a session on this at the Jasig/Sakai conference in June.
>>
>> Best
>> Bill
> [ ... ]
>
> Milt Epstein
> Applications Developer
> Graduate School of Library and Information Science (GSLIS)
> University of Illinois at Urbana-Champaign (UIUC)
> [email protected]
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
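
Added example, not part of the original thread and not cas-addons code: a language-neutral sketch in Python of the authorization check that the thread says must be developed separately from the registry, evaluated against a service entry in the shape Bill posted. The function names, the exact-match service lookup, the AND-across-attributes rule and the deny-on-missing-redirect behaviour are assumptions of this sketch.

```python
import json

# Constructed sample: the entry from the thread, wrapped as a complete JSON document.
REGISTRY_JSON = """
{"services": [
  {"id": "1",
   "serviceId": "https://www.google.com",
   "name": "GOOGLE",
   "extraAttributes": {
     "authzAttributes": {"eduPersonAffiliation": ["student_current", "alumni"]},
     "unauthorizedRedirectUrl": "https://www.google.com?q=un"}}
]}
"""

def find_service(registry, service_url):
    """Exact-match lookup on serviceId (assumption; a real registry may use patterns)."""
    for svc in registry.get("services", []):
        if svc.get("serviceId") == service_url:
            return svc
    return None

def authorize(registry, service_url, user_attrs):
    """Return ("grant", None), ("redirect", url) or ("deny", None)."""
    svc = find_service(registry, service_url)
    if svc is None:
        return ("deny", None)  # unregistered service: fail closed
    extra = svc.get("extraAttributes") or {}
    # Assumption: a service that lists no authzAttributes is unrestricted.
    required = extra.get("authzAttributes") or {}
    for name, allowed in required.items():
        held = user_attrs.get(name, [])
        if isinstance(held, str):  # attribute sources may return a single value
            held = [held]
        # Assumption: every listed attribute must match (AND);
        # holding any one of its listed values is enough (OR).
        if not set(held) & set(allowed):
            url = extra.get("unauthorizedRedirectUrl")
            # No redirect configured: still refuse the service ticket.
            return ("redirect", url) if url else ("deny", None)
    return ("grant", None)

REGISTRY = json.loads(REGISTRY_JSON)
```

The decision has to be taken before a service ticket is issued, which is why the thread places it in the login flow and not in the registry DAO.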
