The client side one involves returning all groups and then allowing the client to make the decision.
On the server side however, you can augment the Principal to include roles (using the CredentialsToPrincipalResolver) and then write a custom ValidationSpecification:
http://developer.ja-sig.org/source/browse/jasig/cas3/cas-server-core/src/main/java/org/jasig/cas/validation/ValidationSpecification.java?r=1.1
You write a custom ValidationSpecification, providing setters for values you want to capture from the Request object and then compare the Assertion to those values. If it's "not satisfied" CAS will not return the NetId. You then configure this ValidationSpecification in your controller.
-Scott
On 8/30/06, Jean-Noel Colin <[EMAIL PROTECTED]> wrote:
Hi
I would like to achieve the following using CAS:
I have a user db that contains all my users, assigned to groups, and I
run several portals that only users from the proper group may reach
(users from group1 for portal1, group2 for portal2, ...)
Currently, using CAS, if a user has authenticated, he's granted access
to all portals. There's no way to
Looking at CAS architecture, I would see two options of achieving this:
* have a custom Credentials object that contains username, password and
group to log into; if username + password are valid and user belongs to
this group, login succeeds, otherwise, it fails; the question here is
how do I define Credentials, how do I populate the new Credentials
object with the right data and how do I get it passed to my
AuthenticationModule
* have users login as usual but have a custom 'validate' function that
takes as a parameter the ticket, the service + a group, and if the user
whom the ticket was issued for is not part of the group, have the
validation fail
Could you please tell me whether this is feasible and which option would
be best?
Regards
Jean-Noel Colin
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
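The server-side approach described in the reply, sketched as an added example that is not part of the original thread or the CAS source. Only the `isSatisfiedBy(Assertion)` method name follows the CAS interface; `RolePrincipal`, `getPrincipal()`, `setRequiredGroup` and the sample user are simplified stand-ins, so take the real signatures from the linked source.

```java
import java.util.Set;

public class GroupValidationExample {
    // Stand-ins for the CAS types (assumed shapes, not copied from CAS).
    interface Principal { String getId(); }
    interface RolePrincipal extends Principal { Set<String> getRoles(); }
    interface Assertion { Principal getPrincipal(); }
    interface ValidationSpecification { boolean isSatisfiedBy(Assertion assertion); }

    // Hypothetical specification: the controller copies the "group" request
    // parameter into requiredGroup before calling isSatisfiedBy().
    static class GroupValidationSpecification implements ValidationSpecification {
        private String requiredGroup;

        public void setRequiredGroup(String requiredGroup) { this.requiredGroup = requiredGroup; }

        @Override
        public boolean isSatisfiedBy(Assertion assertion) {
            // Fail closed: a missing group, assertion or role set never validates.
            if (requiredGroup == null || requiredGroup.trim().isEmpty()) return false;
            if (assertion == null) return false;
            Principal p = assertion.getPrincipal();
            if (!(p instanceof RolePrincipal)) return false;
            Set<String> roles = ((RolePrincipal) p).getRoles();
            return roles != null && roles.contains(requiredGroup.trim());
        }
    }

    // Builds a constructed assertion for a principal whose roles were resolved at login.
    static Assertion assertionFor(String id, Set<String> roles) {
        RolePrincipal p = new RolePrincipal() {
            public String getId() { return id; }
            public Set<String> getRoles() { return roles; }
        };
        return () -> p;
    }

    public static void main(String[] args) {
        Assertion alice = assertionFor("alice", Set.of("group1")); // constructed sample user
        GroupValidationSpecification spec = new GroupValidationSpecification();
        spec.setRequiredGroup("group1"); // as sent by portal1
        System.out.println("portal1: " + spec.isSatisfiedBy(alice));
        spec.setRequiredGroup("group2"); // as sent by portal2
        System.out.println("portal2: " + spec.isSatisfiedBy(alice));
        spec.setRequiredGroup(null);     // request without a group
        System.out.println("no group: " + spec.isSatisfiedBy(alice));
    }
}
```

Because the group name arrives with the validation request, the check is only as strict as the portal that sends it; each portal has to request validation against its own group.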
