>  I don't understand the last example
> "Leveraging Attribute Release for Role Data". Would that allow me not to
> have to specify the users?

Yes. You'd need to release attributes to the service, which are
typically delivered by SAML 1.1. Then you can specify the name of the
attribute that contains role names that will be subsequently used for
protecting resource URIs. The following would go in the context
descriptor, for example:

  <!-- Realm: every value of the named attribute becomes a role for the principal -->
  <Realm
    className="org.jasig.cas.client.tomcat.v6.AssertionCasRealm"
    roleAttributeName="member"
    />
  <!-- Valve: validates the ticket over SAML 1.1 so attributes come back;
       casServerUrlPrefix must be the path that samlValidate lives under -->
  <Valve
    className="org.jasig.cas.client.tomcat.v6.Saml11Authenticator"
    encoding="UTF-8"
    casServerLoginUrl="https://cas.example.com/cas/login"
    casServerUrlPrefix="https://cas.example.com/cas/"
    serverName="cas-client.example.com"
    />

You would then leverage role names for access control as normal in Tomcat:

  <security-constraint>
    <auth-constraint>
       <role-name>member=farmers,ou=Groups,dc=berkeley,dc=edu</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>SAML11</auth-method>
  </login-config>

  <security-role>
    <description>
      Group DN released by CAS in the member attribute; must match the
      attribute value exactly
    </description>
    <role-name>member=farmers,ou=Groups,dc=berkeley,dc=edu</role-name>
  </security-role>

> A further complication is that since my web app is a service, it would
> need to accept CAS proxy tickets. How would THAT work with users and roles?

Proxy is not supported by the Tomcat integration components. It can
probably be done without too much work. Patches welcome.

M

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
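As an added illustration of what the Realm/Valve pair above does with a released attribute (this is not code from the Jasig CAS client or from the author of the message), the following Python takes a samlValidate reply, enforces the status, validity window and audience, collects the attribute values, and turns the values of the configured roleAttributeName into the role names a web.xml auth-constraint can match. The reply document, hostnames, user and group DNs are all constructed for the example.

```python
"""Added illustration of AssertionCasRealm's roleAttributeName behaviour.
Not code from the Jasig CAS client; the samlValidate reply, hostnames,
user and group DNs below are constructed for the example."""
import datetime as dt
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
SAMLP = "{urn:oasis:names:tc:SAML:1.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Assumed service URL and moment of validation for the example.
AUDIENCE = "https://cas-client.example.com/app/"
SAMPLE_NOW = dt.datetime(2010, 3, 1, 12, 0, 10, tzinfo=dt.timezone.utc)

# Constructed sample in the shape of a successful /samlValidate reply.
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
            xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            IssueInstant="2010-03-01T12:00:00Z" MajorVersion="1" MinorVersion="1"
            Recipient="https://cas-client.example.com/app/" ResponseID="_r1">
   <Status><StatusCode Value="samlp:Success"/></Status>
   <saml:Assertion AssertionID="_a1" Issuer="cas.example.com"
                   IssueInstant="2010-03-01T12:00:00Z" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2010-03-01T12:00:00Z" NotOnOrAfter="2010-03-01T12:00:30Z">
     <saml:AudienceRestrictionCondition>
      <saml:Audience>https://cas-client.example.com/app/</saml:Audience>
     </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="2010-03-01T11:59:00Z">
     <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
    <saml:AttributeStatement>
     <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
     <saml:Attribute AttributeName="member" AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <saml:AttributeValue>member=farmers,ou=Groups,dc=berkeley,dc=edu</saml:AttributeValue>
      <saml:AttributeValue>member=staff,ou=Groups,dc=berkeley,dc=edu</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
     </saml:Attribute>
    </saml:AttributeStatement>
   </saml:Assertion>
  </Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""


def _instant(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def parse_validation_response(xml_text, audience, now):
    """Return (principal, {attribute name: [values]}) from a samlValidate reply.

    The client trusts the reply because it came back over TLS from the CAS
    server it posted the ticket to; what is checked here is the SAML-level
    status, validity window and audience, which the client also enforces."""
    root = ET.fromstring(xml_text)
    response = root.find(f"{SOAP}Body/{SAMLP}Response")
    if response is None:
        raise ValueError("no SAML Response in reply")
    code = response.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("ticket validation failed")
    assertion = response.find(f"{SAML}Assertion")
    conditions = assertion.find(f"{SAML}Conditions")
    if not (_instant(conditions.get("NotBefore")) <= now
            < _instant(conditions.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    if audience not in {a.text for a in conditions.iter(f"{SAML}Audience")}:
        raise ValueError("assertion not issued for this service")
    principal = assertion.find(
        f"{SAML}AuthenticationStatement/{SAML}Subject/{SAML}NameIdentifier").text
    attributes = {}
    for attr in assertion.iter(f"{SAML}Attribute"):
        values = [v.text for v in attr.findall(f"{SAML}AttributeValue")]
        attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    return principal, attributes


def roles_from_attributes(attributes, role_attribute_name):
    """Every value of the configured attribute becomes one role name, verbatim."""
    return set(attributes.get(role_attribute_name, []))


def is_authorized(roles, auth_constraint_roles):
    """Container semantics: any one matching role-name grants access; an
    auth-constraint listing no role-name denies everyone."""
    return bool(roles & set(auth_constraint_roles))


def rejection_reason(xml_text, audience, now):
    """None if the reply is acceptable, otherwise why it was rejected."""
    try:
        parse_validation_response(xml_text, audience, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    user, attrs = parse_validation_response(SAMPLE_RESPONSE, AUDIENCE, SAMPLE_NOW)
    roles = roles_from_attributes(attrs, "member")
    print(user, sorted(roles))
    print(is_authorized(roles, ["member=farmers,ou=Groups,dc=berkeley,dc=edu"]))
```

The point to take from it: the role-name in the security-constraint is compared byte for byte with the released attribute value, so the full group DN has to be written exactly as CAS releases it, and nothing has to be said about individual users because membership is decided by whatever the attribute source (LDAP here) puts in that attribute.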