If your web service was *only* going to use those attributes for coarse-grained authorization, then you might consider implementing coarse-grained attribute-driven access control within the CAS server such that only users with appropriate attributes are able to obtain tickets for authentication to your web service. That would let you dodge having to consume user attributes from CAS in your web service implementation itself.
While Tomcat Realm is one way to integrate to rely upon CAS in your Java web application, it's by no means the only available strategy. Fronting with Apache httpd and using mod_auth_cas. Apache Shiro. Spring Security. Java CAS Client filters in web.xml. Any of that might give you a path to accepting proxy tickets.

I do agree the Tomcat integration components ought to evolve to accept Proxy Tickets, and that that evolution wouldn't be a big lift.

Kind regards,
Andrew

On Wed, Feb 13, 2013 at 9:15 AM, Marvin Addison <[email protected]> wrote:
> > I don't understand the last example "Leveraging Attribute Release for Role Data". Would that allow me not to have to specify the users?
>
> Yes. You'd need to release attributes to the service, which are typically delivered by SAML 1.1. Then you can specify the name of the attribute that contains role names that will be subsequently used for protecting resource URIs. The following would go in the context descriptor, for example:
>
> <Realm
>   className="org.jasig.cas.client.tomcat.v6.AssertionCasRealm"
>   roleAttributeName="member"
> />
> <Valve
>   className="org.jasig.cas.client.tomcat.v6.Saml11Authenticator"
>   encoding="UTF-8"
>   casServerLoginUrl="https://cas.example.com/cas/login"
>   casServerUrlPrefix="https://cas.example.com/"
>   serverName="cas-client.example.com"
> />
>
> You would then leverage role names for access control as normal in Tomcat:
>
> <security-constraint>
>   <auth-constraint>
>     <role-name>member=farmers,ou=Groups,dc=berkeley,dc=edu</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>SAML11</auth-method>
> </login-config>
>
> <security-role>
>   <description>
>     The role that is required to log in to the Manager Application
>   </description>
>   <role-name>member=farmers,ou=Groups,dc=berkeley,dc=edu</role-name>
> </security-role>
>
> > A further complication is that since my web app is a service, it would need to accept CAS proxy tickets. How would THAT work with users and roles?
>
> Proxy is not supported by the Tomcat integration components. It can probably be done without too much work. Patches welcome.
>
> M
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
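As an added example (not code from this thread or from the CAS project), the following web.xml fragment shows the "Java CAS Client filters in web.xml" path Andrew mentions, configured so the application can accept proxy tickets and can check roles from a released attribute. It assumes Java CAS Client 3.x filter classes, reuses the thread's hostnames cas.example.com and cas-client.example.com, and uses https://portal.example.com/cas/proxyCallback as a placeholder for the proxying application's callback URL; the casServerUrlPrefix value with a /cas suffix is also an assumption about the server's deployment path.

```xml
<!-- Added example, not from the thread: Java CAS Client 3.x filters.
     Hostnames follow the thread; portal.example.com is a placeholder. -->

<!-- 1. Redirect unauthenticated browser users to CAS login.
        Requests that already carry a "ticket" parameter pass through. -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://cas.example.com/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://cas-client.example.com</param-value>
  </init-param>
</filter>

<!-- 2. Validate both service tickets and proxy tickets (CAS 2.0 /proxyValidate).
        Keep acceptAnyProxy false and list the trusted proxy chains explicitly;
        acceptAnyProxy=true would let any CAS-authenticated application obtain
        tickets for this service on a user's behalf. -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.example.com/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://cas-client.example.com</param-value>
  </init-param>
  <init-param>
    <param-name>acceptAnyProxy</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <!-- One chain per line; each chain lists proxy callback URLs, outermost first. -->
    <param-name>allowedProxyChains</param-name>
    <param-value>https://portal.example.com/cas/proxyCallback</param-value>
  </init-param>
</filter>

<!-- 3. Expose the validated principal through the servlet API. With roleAttribute
        set, request.isUserInRole("...") consults the released "member" attribute. -->
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  <init-param>
    <param-name>roleAttribute</param-name>
    <param-value>member</param-value>
  </init-param>
</filter>

<!-- Filter order matters: authenticate, then validate, then wrap the request. -->
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Two caveats a practitioner should check before relying on this. First, Tomcat's declarative `<security-constraint>` elements shown in the thread are enforced by the Realm before any filter runs, so with the filter approach the role check is programmatic: your servlets or framework call `request.isUserInRole(...)` on the wrapped request rather than relying on `<auth-constraint>`. Second, whether the /proxyValidate response actually carries the `member` attribute depends on the CAS server's attribute release for the CAS 2.0 protocol; Marvin's reply notes that attributes are typically delivered by SAML 1.1, so inspect a real validation response from your server before trusting `roleAttribute` for authorization decisions.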
