In my opinion, which may differ from the community at large... CAS doesn't provide authorization, but may be used in conjunction with a separate authorization scheme through attributes. We set a "role" attribute, and our applications require various roles. Some of our applications implement additional servlet filters to check the role attribute; other applications implement additional logic using the UserPrincipal.isUserInRole function.
-- Curtis Ruck
Anytime: 210-857-1126

On Thu, Mar 14, 2013 at 10:39 AM, Lê, Hà Hong Viêt <[email protected]> wrote:
> Hello,
>
> We are currently trying to set up a CAS server in order to manage
> authentication for all our services.
>
> We are also debating CAS's perimeter: some would like to add some
> information useful for authorization in the response after ticket
> validation.
>
> For example:
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>   <cas:authenticationSuccess>
>     <cas:user>james.bond</cas:user>
>     <cas:attributes>
>       <cas:profile>super-user</cas:profile>
>       <cas:group>007</cas:group>
>     </cas:attributes>
>   </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> In my opinion, CAS's attributes are not meant to be used for
> authorization. I've read the protocol http://www.jasig.org/cas/protocol but I
> could find a quote saying if CAS should or should not be used for
> authorization.
>
> Just this one quote: « In the case where one is using CAS for
> authorization (probably a bad idea in the first place) ... », on this page
> http://www.jasig.org/cas/client-integration/gateway
>
> Could somebody from the community give us his feedback please? Thanks!
>
> Cheers,
>
> Hong Viet
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
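The servlet-filter approach Curtis describes, written out as an added example (not code from the thread or from the CAS project). It assumes the Jasig Java CAS client 3.2 or later with its validation filter and HttpServletRequestWrapperFilter mapped before this one, so that getUserPrincipal() returns an AttributePrincipal; the filter name, the "requiredRoles" init-param and the "role" attribute name are assumptions, and the filter fails closed when no principal or no matching role is present.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jasig.cas.client.authentication.AttributePrincipal;

/**
 * Hypothetical filter: lets the request through only if the CAS-released
 * "role" attribute contains one of the roles listed in the "requiredRoles"
 * init-param (e.g. "admin,editor"). Map it AFTER the CAS validation filter
 * and HttpServletRequestWrapperFilter in web.xml; the attributes it reads
 * come from the server-side ticket validation, never from the browser.
 */
public class RoleAttributeFilter implements Filter {
    private Set<String> requiredRoles = Collections.emptySet();

    public void init(FilterConfig config) {
        String param = config.getInitParameter("requiredRoles");
        if (param != null && !param.trim().isEmpty()) {
            requiredRoles = new HashSet<String>(Arrays.asList(param.trim().split("\\s*,\\s*")));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Object principal = request.getUserPrincipal();
        // Fail closed: no CAS principal at all means no authorization decision can be made.
        if (!(principal instanceof AttributePrincipal)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Map<String, Object> attrs = ((AttributePrincipal) principal).getAttributes();
        Object role = attrs == null ? null : attrs.get("role");
        // A multi-valued CAS attribute arrives as a Collection, a single value as a String.
        Collection<?> roles = role instanceof Collection
                ? (Collection<?>) role : Collections.singletonList(role);
        for (Object r : roles) {
            if (r != null && requiredRoles.contains(r.toString())) {
                chain.doFilter(req, res);
                return;
            }
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    public void destroy() { }
}
```

The isUserInRole route mentioned in the reply relies on the same attribute, exposed by the CAS client's HttpServletRequestWrapperFilter when its roleAttribute init-param names that attribute.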
