Scott,

Thanks for your help. I'm rather new to CAS, so please excuse me if my questions sound too simple :-)

A few words on my setup first: I'm protecting ColdFusion pages behind an Apache server with mod_cas.

About the first solution, how does the server return information? I've read that when queried, the validate servlet of the server returns the netid (ticket is valid). In my case, I could retrieve the userid by using the REMOTE_USER session variable, but how do I tell the server to return more information?

About the second solution, when is the Resolver invoked and by whom? Same question for the ValidationSpecification. I have difficulties following the internal server workflow. Is that documented somewhere?

Thanks a lot

Jean-Noel

Scott Battaglia wrote:
> There are two ways to easily accomplish this. One is on the client
> application side and one is on the server (CAS) side.
>
> The client side one involves returning all groups and then allowing the
> client to make the decision.
>
> On the server side however, you can augment the Principal to include
> roles (using the CredentialsToPrincipalResolver) and then write a custom
> ValidationSpecification:
> http://developer.ja-sig.org/source/browse/jasig/cas3/cas-server-core/src/main/java/org/jasig/cas/validation/ValidationSpecification.java?r=1.1
>
> You write a custom ValidationSpecification, providing setters for values
> you want to capture from the Request object and then compare the
> Assertion to those values. If it's "not satisfied" CAS will not
> return the NetId. You then configure this ValidationSpecification in
> your controller.
>
> -Scott
>
> On 8/30/06, *Jean-Noel Colin* <[EMAIL PROTECTED]> wrote:
>
>> Hi
>>
>> I would like to achieve the following using CAS:
>> I have a user db that contains all my users, assigned to groups, and I
>> run several portals that only users from the proper group may reach
>> (users from group1 for portal1, group2 for portal2, ...)
>>
>> Currently, using CAS, if a user has authenticated, he's granted access
>> to all portals. There's no way to
>>
>> Looking at CAS architecture, I would see two options of achieving this:
>> * have a custom Credentials object that contains username, password and
>> group to log into; if username + password are valid and user belongs to
>> this group, login succeeds, otherwise, it fails; the question here is
>> how do I define Credentials, how do I populate the new Credentials
>> object with the right data and how do I get it passed to my
>> AuthenticationModule
>> * have users login as usual but have a custom 'validate' function that
>> takes as a parameter the ticket, the service + a group, and if the user
>> whom the ticket was issued for is not part of the group, have the
>> validation fail
>>
>> Could you please tell me whether this is feasible and which option would
>> be best?
>>
>> Regards
>>
>> Jean-Noel Colin
>>
>> _______________________________________________
>> Yale CAS mailing list
>> [email protected]
>> http://tp.its.yale.edu/mailman/listinfo/cas
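Scott's server-side suggestion, sketched in Java as an added example (not code from this thread or from the CAS project): a CredentialsToPrincipalResolver that produces a Principal augmented with group membership, and a ValidationSpecification whose setter is populated from the validate request and which refuses the assertion when the user is not in the requested group. The package, class names and the in-memory group table are hypothetical, and the API shapes used are assumed from CAS 3.0.x: Principal.getId(), CredentialsToPrincipalResolver.resolvePrincipal()/supports(), Assertion.getChainedAuthentications() with the end user's own authentication as the last entry of the chain, and ValidationSpecification.isSatisfiedBy(Assertion).

```java
// Added example, not CAS project code. Package and class names are hypothetical;
// the CAS 3.0.x interface shapes used below are assumed, not verified against
// a specific release. Raw collections are used to match the JDK 1.4-era API.
package example.cas;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.ValidationSpecification;

/**
 * Bound by the validate controller: request parameters are copied onto this
 * bean through its setters, so a client calling
 * /serviceValidate?ticket=...&service=...&group=portal1 sets "group" here.
 */
public final class GroupValidationSpecification implements ValidationSpecification {

    private String group;

    /** Captures the "group" request parameter. */
    public void setGroup(final String group) {
        this.group = group;
    }

    public boolean isSatisfiedBy(final Assertion assertion) {
        // Fail closed: no group named, no chain, or a principal that was not
        // augmented with groups all mean no NetID is released.
        if (this.group == null || this.group.length() == 0) {
            return false;
        }
        final List chain = assertion.getChainedAuthentications();
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        // Assumed CAS 3.0 layout: the last entry is the end user's own
        // authentication; earlier entries (if any) belong to proxying services.
        final Authentication userAuth = (Authentication) chain.get(chain.size() - 1);
        final Principal principal = userAuth.getPrincipal();
        if (!(principal instanceof GroupAwarePrincipal)) {
            return false;
        }
        return ((GroupAwarePrincipal) principal).isMemberOf(this.group);
    }
}

/** Principal augmented with group memberships (hypothetical class). */
final class GroupAwarePrincipal implements Principal {

    private static final long serialVersionUID = 1L;

    private final String id;
    private final Set groups;

    GroupAwarePrincipal(final String id, final Set groups) {
        this.id = id;
        this.groups = Collections.unmodifiableSet(new HashSet(groups));
    }

    public String getId() {
        return this.id;
    }

    boolean isMemberOf(final String group) {
        return this.groups.contains(group);
    }
}

/**
 * Resolver that turns username/password credentials into a GroupAwarePrincipal.
 * The in-memory table is a constructed stand-in for the real user database.
 */
final class GroupCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver {

    private final Map groupsByUser = new HashMap();

    GroupCredentialsToPrincipalResolver() {
        // Constructed sample data, not real accounts.
        groupsByUser.put("alice", new HashSet(Arrays.asList(new String[] {"group1"})));
        groupsByUser.put("bob", new HashSet(Arrays.asList(new String[] {"group1", "group2"})));
    }

    public Principal resolvePrincipal(final Credentials credentials) {
        final String username = ((UsernamePasswordCredentials) credentials).getUsername();
        final Set groups = (Set) groupsByUser.get(username);
        // A user with no row gets an empty group set and will fail every group check.
        return new GroupAwarePrincipal(username, groups == null ? Collections.EMPTY_SET : groups);
    }

    public boolean supports(final Credentials credentials) {
        return credentials instanceof UsernamePasswordCredentials;
    }
}
```

The resolver is listed among the authentication manager's credentialsToPrincipalResolvers and the controller's validationSpecificationClass is pointed at GroupValidationSpecification (property names as assumed from the CAS 3.0 Spring configuration). One caveat worth weighing: the group value is chosen by the portal that calls the validate URL, so this relies on every CAS client asking for the right group. A server-side table keyed on assertion.getService() that maps each registered portal to its required group removes that reliance on the client-supplied parameter.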
