I've pushed a new role-based authorization facility to cas-addons. Should be part of 1.5 release (some time in May):
https://github.com/Unicon/cas-addons/wiki/Role-Based-Services-Authorization

Cheers,
Dmitriy.

On Apr 18, 2013, at 10:14 AM, Misagh Moayyed <[email protected]> wrote:

> Typically, you'd let the application itself handle authorization. By having
> released the proper attributes back to the app, you can then independently
> make decisions as for which attr value for the authenticated userid may
> grant access to the app. If your app is Java-based, you can take advantage
> of isUserInRole() function to make that decision [1].
>
> That said, we have also managed to extend CAS to directly implement
> attribute-based access control for apps. This webinar might be useful to
> review [2].
>
> [1] https://wiki.jasig.org/pages/viewpage.action?pageId=47874068
> [2] http://unicon.adobeconnect.com/p6lj8afl7h3/
>
>> -----Original Message-----
>> From: Juan Zafrilla [mailto:[email protected]]
>> Sent: Tuesday, April 16, 2013 5:30 AM
>> To: [email protected]
>> Subject: RE: [cas-user] How to get service parameter in custom
>> AuthenticationHandler?
>>
>> Thanks Misagh,
>>
>> I have configured multiple authenticationHandlers with different searchBase.
>> But, for example:
>> - A system with 4 Web Applications (Represented by a Group in LDAP Structure)
>> - 3 Users:
>>
>> User1 is memberOf Group1 and Group2.
>> User2 is memberOf Group3
>> User3 is memberOf Group3 and Group4
>>
>> Using multiple AuthenticationHandlers with different searchBase values, I
>> think this occurs:
>> User1 tries to access WebApp3 (Group3), and all authentication handlers are
>> executed (is that right??), and authenticationHandler 1
>> (searchBase=cn=Group1,ou=Groups,dc=example) allows the user to go to WebApp3.
>> Do you know what I mean?
>>
>> I need to protect the access on each webapplication/group.
>>
>> Any ideas?
>>
>> Thanks!!
>>
>> -----Original Message-----
>> From: Misagh Moayyed [mailto:[email protected]]
>> Sent: Tuesday, April 16, 2013 14:00
>> To: [email protected]
>> Subject: RE: [cas-user] How to get service parameter in custom
>> AuthenticationHandler?
>>
>> There might be "easier" ways to do this:
>>
>> - use the existing ldap authentication handlers and configure each with the
>> appropriate search base
>> - use a single and existing ldap authentication handler, but expand your
>> search base to include every and all groups
>>
>> Pros and cons to each approach of course. Otherwise, you are going to have
>> to modify the service metadata to include the new setting.
>>
>> That said, I think it's interesting to think about how the authentication
>> layer may have access to incoming services. I haven't yet evaluated this
>> thoroughly, but it would potentially prove useful for CAS-1270 [1]
>>
>> Misagh
>>
>> [1] https://issues.jasig.org/browse/CAS-1270
>>
>>> -----Original Message-----
>>> From: Juan [mailto:[email protected]]
>>> Sent: Tuesday, April 16, 2013 2:24 AM
>>> To: [email protected]
>>> Subject: [cas-user] How to get service parameter in custom
>>> AuthenticationHandler?
>>>
>>> How to get service parameter Single Sign On (Jasig CAS) LDAP
>>>
>>> Hi All!!
>>> I want to create a custom AuthenticationHandler (Something like
>>> BindLdapAuthenticationHandler) to modify searchBase Attribute for
>>> lookup LDAP, but I haven't found the right way to get 'service'
>>> parameter and determine the searchBase property
>>> (ou=Group1,dc=example,dc=com when service is WebAppUrl1 and
>>> ou=Group2,dc=example,dc=com when service is WebAppUrl2).
>>>
>>> Any ideas? Thanks in advance!
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
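
The scenario discussed in this thread, as an added example that is not part of the original messages and is not CAS or cas-addons code: plain Java that models the handler chain as Juan describes it (one handler per group search base, success as soon as any handler finds the user) next to a separate per-service check on the released group attribute. The class and method names and the service URLs are constructed for illustration, and the password bind is assumed to succeed.

```java
import java.util.*;

// Added illustration in plain Java; not CAS or cas-addons API. All names are hypothetical.
public class ServiceAuthorizationSketch {

    // Constructed directory data matching the thread: user -> LDAP groups (memberOf).
    static final Map<String, Set<String>> MEMBER_OF = Map.of(
        "User1", Set.of("Group1", "Group2"),
        "User2", Set.of("Group3"),
        "User3", Set.of("Group3", "Group4"));

    // Constructed service registry: service URL -> group required for access.
    static final Map<String, String> REQUIRED_GROUP = Map.of(
        "https://webapp1.example/", "Group1",
        "https://webapp2.example/", "Group2",
        "https://webapp3.example/", "Group3",
        "https://webapp4.example/", "Group4");

    // Models one handler per search base (password bind assumed to succeed):
    // the chain passes as soon as ANY handler finds the user, and it never
    // sees which service was requested.
    static boolean handlerChainAuthenticates(String user) {
        for (String searchBaseGroup : List.of("Group1", "Group2", "Group3", "Group4")) {
            if (MEMBER_OF.getOrDefault(user, Set.of()).contains(searchBaseGroup)) {
                return true;
            }
        }
        return false;
    }

    // Separate authorization step: compare the user's released group attribute
    // with the requirement registered for this service. Denies by default when
    // the service is unregistered or the user has no groups.
    static boolean authorizedFor(String user, String service) {
        String required = REQUIRED_GROUP.get(service);
        return required != null
            && MEMBER_OF.getOrDefault(user, Set.of()).contains(required);
    }

    public static void main(String[] args) {
        for (String user : List.of("User1", "User2", "User3", "Unknown")) {
            for (String service : new TreeSet<>(REQUIRED_GROUP.keySet())) {
                System.out.printf("%-8s %-26s authenticated=%-5b authorized=%b%n",
                    user, service, handlerChainAuthenticates(user),
                    authorizedFor(user, service));
            }
        }
    }
}
```

For User1 and the WebApp3 URL the output shows `authenticated=true authorized=false`, which is the gap Juan describes: the search-base chain alone cannot protect access per application.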
