You can also get attributes in the normal CAS validate calls with a fairly modest customization. See: https://issues.jasig.org/browse/CAS-655 This feature is slated to be included in CAS4.0 and the updated CAS protocol spec. There's also a cas-addon for a JSON response that you might find interesting: https://github.com/Unicon/cas-addons/wiki/Configuring-JSON-Validation-Response
It is true that CAS was originally designed with only authN in mind, and I would maintain that ultimately authZ is the responsibility of the service. However, over the years authZ concerns have started to sneak into CAS from the simple ability to relay attributes (including groups, entitlements, etc.), to custom redirects based on service outage, to customizations that deny service tickets to individuals based on some per-service authZ rule (effectively implementing coarse-grained access control).

Best,
Bill

On Wed, Apr 3, 2013 at 9:11 AM, Marvin Addison <[email protected]> wrote:
>> My intention is to use the LDAP groups to populate the authorities in CAS.
>> So I could use this to implement authorization.
>
> CAS does not do authz, but it does release attributes to the client
> via SAML11 to support the client making authz decisions.
> Implementation sketch follows:
>
> 1. Configure a principal resolver that queries the directory for group
> information [1]
> 2. Ensure service management is configured to release attributes to
> the applications that need it [2]
> 3. Consume attributes by configuring clients to speak SAML [3]
> 4. Do client-specific integration to map attributes onto roles/granted
> authorities.
>
> M
>
> [1] https://wiki.jasig.org/display/CASUM/Attributes#Attributes-PopulatePrincipal'sattributeswithLDAPrepository
> [2] https://wiki.jasig.org/display/CASUM/Services+Management
> [3] https://wiki.jasig.org/display/CASUM/SAML+1.1
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
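Step 4 of the sketch quoted above (the client mapping released attributes onto granted authorities), as an added example that is not part of the thread or of CAS itself. It parses a SAML 1.1 validation response of the shape CAS emits, refuses to release attributes unless the status is Success, and maps directory groups onto application roles with unlisted groups granting nothing; the response text, the `memberOf` attribute name and the `GROUP_TO_ROLE` table are constructed assumptions for one deployment.

```python
# Added example: client-side mapping of CAS-released SAML 1.1 attributes to roles.
# SAMPLE_RESPONSE is constructed for illustration; "memberOf" and GROUP_TO_ROLE
# are assumptions about a particular deployment, not CAS defaults.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

SAMPLE_RESPONSE = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="memberOf">
        <saml:AttributeValue>cn=wiki-editors,ou=groups,dc=example,dc=org</saml:AttributeValue>
        <saml:AttributeValue>cn=staff,ou=groups,dc=example,dc=org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Directory group DN -> application role. Groups not listed grant nothing,
# so the service (not CAS) stays the place where authZ is decided.
GROUP_TO_ROLE = {
    "cn=wiki-editors,ou=groups,dc=example,dc=org": "ROLE_EDITOR",
    "cn=wiki-admins,ou=groups,dc=example,dc=org": "ROLE_ADMIN",
}

def extract_attributes(xml_text):
    """Return {attribute_name: [values]} from a *successful* SAML 1.1 response."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith("Success"):
        raise ValueError("validation did not succeed; no attributes released")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return attrs

def granted_authorities(attrs):
    """Every authenticated user gets ROLE_USER; groups add roles via the table."""
    roles = {"ROLE_USER"}
    for group in attrs.get("memberOf", []):
        role = GROUP_TO_ROLE.get(group.strip())
        if role:
            roles.add(role)
    return roles
```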
