Typically, you'd let the application itself handle authorization. By having 
released the proper attributes back to the app, you can then independently 
make decisions as to which attr value for the authenticated userid may 
grant access to the app. If your app is Java-based, you can take advantage 
of the isUserInRole() function to make that decision [1].

That said, we have also managed to extend CAS to directly implement 
attribute-based access control for apps. This webinar might be useful to 
review [2].

[1] https://wiki.jasig.org/pages/viewpage.action?pageId=47874068
[2] http://unicon.adobeconnect.com/p6lj8afl7h3/

> -----Original Message-----
> From: Juan Zafrilla [mailto:[email protected]]
> Sent: Tuesday, April 16, 2013 5:30 AM
> To: [email protected]
> Subject: RE: [cas-user] How to get service parameter in custom
> AuthenticationHandler?
>
> Thanks Misagh,
>
> I have configured multiple authenticationHandlers with different
> searchBase.
> But, for example:
>  - A system with 4 Web Applications (Represented by a Group in LDAP
> Structure)
>  - 3 Users:
>
> User1 is memberOf Group1 and Group2.
> User2 is memberOf Group3
> User3 is memberOf Group3 and Group4
>
> Using multiple AuthenticationHandlers with different searchBase values, I
> think this occurs:
>  User1 tries to access WebApp3 (Group3), and, all authentication handlers
> are executed (is that right??), and authenticationHandler 1
> (searchBase=cn=Group1,ou=Groups,dc=example) allows the user to go to
> WebApp3. Do you know what I mean?
>
> I need to protect the access on each webapplication/group.
>
> Any ideas?
>
> Thanks!!
>
> -----Original Message-----
> From: Misagh Moayyed [mailto:[email protected]]
> Sent: Tuesday, April 16, 2013 14:00
> To: [email protected]
> Subject: RE: [cas-user] How to get service parameter in custom
> AuthenticationHandler?
>
> There might be "easier" ways to do this:
>
> - use the existing ldap authentication handlers and configure each with
> the appropriate search base
> - use a single and existing ldap authentication handler, but expand your
> search base to include every and all groups
>
> Pros and cons to each approach of course. Otherwise, you are going to have
> to modify the service metadata to include the new setting.
>
> That said, I think it's interesting to think about how the authentication
> layer may have access to incoming services. I haven't yet evaluated this
> thoroughly, but it would potentially prove useful for CAS-1270 [1]
>
> Misagh
>
> [1] https://issues.jasig.org/browse/CAS-1270
>
> > -----Original Message-----
> > From: Juan [mailto:[email protected]]
> > Sent: Tuesday, April 16, 2013 2:24 AM
> > To: [email protected]
> > Subject: [cas-user] How to get service parameter in custom
> > AuthenticationHandler?
> >
> > How to get service parameter Single Sign On (Jasig CAS) LDAP
> >
> > Hi All!!
> > I want to create a custom AuthenticationHandler (Something like
> > BindLdapAuthenticationHandler) to modify searchBase Attribute for
> > lookup LDAP, but, I haven't found the right way to get 'service'
> > parameter and determine the searchBase property
> > (ou=Group1,dc=example,dc=com when service is WebAppUrl1 and
> > ou=Group2,dc=example,dc=com when service is WebAppUrl2).
> >
> > Any ideas? Thanks in advance!
> >
> > --
> > You are currently subscribed to [email protected] as:
> > [email protected] To unsubscribe, change settings or access
> > archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>


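An added illustration of the application-side decision described in the reply at the top of this thread (not code from the thread or from CAS): each web application checks the group values released for the authenticated user and denies access unless its own group is present. It assumes CAS releases the LDAP memberOf values to the application; the app-to-group map and the class and method names are hypothetical, and the sample DNs are constructed from the group layout in the thread.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Application-side check: do the released memberOf values grant access to this app? */
public class GroupAccessCheck {

    // Hypothetical mapping of each web application to the LDAP group that protects it.
    static final Map<String, String> REQUIRED_GROUP = Map.of(
        "WebApp1", "Group1", "WebApp2", "Group2",
        "WebApp3", "Group3", "WebApp4", "Group4");

    /** Returns the CN of a group DN, or null when the value is not a usable group DN. */
    static String groupCn(String dn) {
        if (dn == null) return null;
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns();
            if (rdns.isEmpty()) return null;
            Rdn leaf = rdns.get(rdns.size() - 1); // the leftmost RDN is last in this list
            return "cn".equalsIgnoreCase(leaf.getType()) ? leaf.getValue().toString() : null;
        } catch (InvalidNameException e) {
            return null; // a malformed value never grants access
        }
    }

    /** Fails closed: unknown app, missing attribute or no matching group means deny. */
    static boolean mayAccess(String app, Collection<String> memberOf) {
        if (app == null || memberOf == null) return false;
        String required = REQUIRED_GROUP.get(app);
        if (required == null) return false;
        for (String dn : memberOf) {
            String cn = groupCn(dn);
            if (cn != null && cn.equalsIgnoreCase(required)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed attribute values for User1 and User3 from the thread's scenario.
        List<String> user1 = List.of("cn=Group1,ou=Groups,dc=example", "cn=Group2,ou=Groups,dc=example");
        List<String> user3 = List.of("cn=Group3,ou=Groups,dc=example", "cn=Group4,ou=Groups,dc=example");
        System.out.println("User1 -> WebApp1: " + mayAccess("WebApp1", user1));
        System.out.println("User1 -> WebApp3: " + mayAccess("WebApp3", user1));
        System.out.println("User3 -> WebApp3: " + mayAccess("WebApp3", user3));
        System.out.println("bare name -> WebApp3: " + mayAccess("WebApp3", List.of("Group3")));
    }
}
```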