To use the Role Based Services Authorization, you'll have to switch over
to the JSON Services Reg. You'll need to add the cas-addons dependency
to your pom.xml. After wiring up the module (replacing the XML services
registry), create the servicesRegistry.conf file and move your services
into it. The XML elements map to JSON in a 1:1 fashion. After you get
that working, then you work on the authorization...

Follow the directions on the wiki page to wire up the module.
Authorization relies on attributes being read into the Attribute
Repository. Assuming you read groups (memberOf) into the attribute
"memberOf", you'd add a block to each service entry in the JSON file
that you wanted to control access:

        "extraAttributes": {
            "authzAttributes": {
                "memberOf": ["group1", "group2", "orAnotherAuthorizedGroup"]
            },
            "unauthorizedRedirectUrl": "https://unauthorized.example.com"
        }

The unauthorizedRedirectUrl will be used to redirect the browser to the
URL and present whatever page to users that don't have the appropriate
group.

I hope that helps.

On 10/3/14 2:48 AM, Patrick Pat wrote:
> In my CAS Server 3.5.2 I use for my services
> deployerConfigContext.xml in directory cas\WEB-INF
> but I don't know how give every service (link of web application
> CAS-ify like www.name_of_my_web_application.org
> <http://www.name_of_my_web_application.org>)
> at every user by Role Based Services Authorization with LDAP
>
> 2014-10-02 19:18 GMT+02:00 John Gasper <[email protected]
> <mailto:[email protected]>>:
>
>     This solution uses the JSON Services Registry
>     
> (https://github.com/Unicon/cas-addons/wiki/Configuring-JSON-Service-Registry)
>     which is extendible and thus a platform for the Role Based
>     Services Authorization.
>
>     What is your current services registry using? Are you just using
>     xml in the deployer config or something else?
>
>
>     On 10/2/14 8:58 AM, Patrick Pat wrote:
>>     Thank you Mr John Gasper,
>>     I see
>>     https://github.com/Unicon/cas-addons/wiki/Role-Based-Services-Authorization
>>     but I don't know where is the file servicesRegistry.conf in my
>>     CAS Server 3.5.2
>>     and how to configure this file with LDAP and give the
>>     authorization at every user
>>     for them service. Please, if you have an example, is better for me
>>
>>
>>     2014-10-02 16:25 GMT+02:00 John Gasper <[email protected]
>>     <mailto:[email protected]>>:
>>
>>         Out of the box, CAS only focuses on authentication. It's up
>>         to the applications to handle authorization. Unicon has a
>>         cas-addons module that provides some basic authZ functionality.
>>         You can use group membership to limit what applications users
>>         can authenticate to.
>>
>>         You can find out more information about the functionality at
>>         
>> https://github.com/Unicon/cas-addons/wiki/Role-Based-Services-Authorization.
>>
>>         John
>>
>>         On 10/2/14 3:40 AM, Patrick Pat wrote:
>>         > Hi,
>>         > I would like to give different services at every user of LDAP.
>>         > In fact, I don't like to give all services at all users.
>>         > Therefore I would like to allocate
>>         > every service by user.
>>         > Thanks
>>         >
>>         >
>>         > --
>>         > You are currently subscribed to [email protected]
>>         <mailto:[email protected]> as: [email protected]
>>         <mailto:[email protected]>
>>         > To unsubscribe, change settings or access archives, see
>>         http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>


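The group check described in the top message can be rehearsed before deploying servicesRegistry.conf. The following is an added example, not part of the original thread and not cas-addons code: a Python sketch that parses a registry, flags incomplete authorization blocks, and simulates the allow/redirect decision. The top-level "services" list, the "id", "name" and "serviceId" keys, the exact-match any-one-group rule, and the treatment of entries without authzAttributes as unrestricted are assumptions of the sketch.

```python
import json

# Constructed sample registry. The "services" list and the "id"/"name"/"serviceId"
# keys are assumed; only the "extraAttributes" block comes from the message above.
SAMPLE_REGISTRY = """
{"services": [
  {"id": 1, "name": "hr", "serviceId": "https://hr.example.com/**",
   "extraAttributes": {
     "authzAttributes": {"memberOf": ["group1", "group2"]},
     "unauthorizedRedirectUrl": "https://unauthorized.example.com"}},
  {"id": 2, "name": "wiki", "serviceId": "https://wiki.example.com/**"}
]}
"""

def load_registry(text):
    """Parse the registry; a stray ';' or trailing comma raises ValueError."""
    return json.loads(text)["services"]

def lint(services):
    """Return warnings for entries whose authorization block is missing or incomplete."""
    problems = []
    for svc in services:
        extra = svc.get("extraAttributes", {})
        rules = extra.get("authzAttributes")
        if rules is None:
            # Assumption: an entry without the block is not access-controlled.
            problems.append(f"{svc['name']}: no authzAttributes, open to every authenticated user")
            continue
        if not str(extra.get("unauthorizedRedirectUrl", "")).startswith("https://"):
            problems.append(f"{svc['name']}: missing or non-HTTPS unauthorizedRedirectUrl")
        for attr, allowed in rules.items():
            if not isinstance(allowed, list) or not allowed:
                problems.append(f"{svc['name']}: {attr} must be a non-empty list")
    return problems

def decide(service, principal_attrs):
    """Return ("allow", None) or ("redirect", url) for one login attempt."""
    extra = service.get("extraAttributes", {})
    rules = extra.get("authzAttributes")
    if not rules:
        return ("allow", None)
    for attr, allowed in rules.items():
        held = principal_attrs.get(attr, [])
        held = [held] if isinstance(held, str) else held  # single-valued attribute
        if set(held) & set(allowed):  # assumed: exact match on any one listed value
            return ("allow", None)
    return ("redirect", extra.get("unauthorizedRedirectUrl"))
```

Because the comparison is an exact string match, the values listed under "memberOf" have to be written in the same form the attribute repository delivers them.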