I solved this problem by creating a custom security object that held authorization info after the user was authenticated. I then pushed it into the session and let the application retrieve and query the object. I did it all in the servlet filter and added some custom libraries into CAS and the applications. I certainly glossed over a lot of the details here covering implementation, encryption, etc. That said, it works like a champ and has been bullet-proof so far. Anyway, look at the servlet filter as the point where you might want to acquire your authorization info. I call secured web services to get the data, then wrap the data and use a standard set of libraries to utilize it.

Then again, you could use an LDAP and go down the Java EE path and rely on container-managed security. This would be the preferred way to go, but I couldn't get my company to take the leap since I was the only one who even remotely understood it.

Greg
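As an illustration of the filter-based approach described above (an added example, not code from this thread or from CAS itself): a portal-side servlet filter that runs after the CAS client filter, loads the user's groups once, caches them in the session, and rejects requests from users outside this portal's group. The CAS session attribute name, the `requiredGroup` init-param and the in-memory `DIRECTORY` are assumptions standing in for the real CAS client configuration and the secured group web service.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Portal-side authorization filter, mapped after the CAS client filter in web.xml.
 * Assumption: the CAS client filter has already stored the authenticated username
 * in the session under CAS_USER_ATTR. Groups are fetched once per session and cached.
 */
public class GroupAuthorizationFilter implements Filter {
    // Assumed attribute name under which the CAS client filter stores the username.
    private static final String CAS_USER_ATTR = "edu.yale.its.tp.cas.client.filter.user";
    private static final String GROUPS_ATTR = "authz.groups";

    // Constructed stand-in for the user/group database; in practice this would be
    // a call to the secured group web service or an LDAP query.
    private static final Map<String, Set<String>> DIRECTORY =
            Map.of("alice", Set.of("group1"), "bob", Set.of("group1", "group2"));

    private String requiredGroup; // e.g. "group1" for portal1, configured as an init-param

    public void init(FilterConfig cfg) throws ServletException {
        requiredGroup = cfg.getInitParameter("requiredGroup");
        if (requiredGroup == null) throw new ServletException("requiredGroup init-param missing");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(CAS_USER_ATTR);
        if (user == null) { // CAS filter did not run or the user is not logged in: fail closed
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Set<String> groups = (Set<String>) session.getAttribute(GROUPS_ATTR);
        if (groups == null) { // first request after login: fetch the groups and cache them
            groups = DIRECTORY.getOrDefault(user, Set.of());
            session.setAttribute(GROUPS_ATTR, groups);
        }
        if (!groups.contains(requiredGroup)) { // authenticated, but not in this portal's group
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Each portal deploys the same filter with its own `requiredGroup` value, so the group check lives in one place rather than in every servlet.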



Jean-Noel Colin <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/30/2006 08:50 AM
Please respond to: Yale CAS mailing list <[email protected]>
To: [email protected]
cc:
Subject: How to customize authn or validation process?

Hi

I would like to achieve the following using CAS:
I have a user db that contains all my users, assigned to groups, and I
run several portals that only users from the proper group may reach
(users from group1 for portal1, group2 for portal2, ...)

Currently, using CAS, if a user has authenticated, he's granted access
to all portals. There's no way to

Looking at the CAS architecture, I would see two options for achieving this:
* have a custom Credentials object that contains username, password and
group to log into; if username + password are valid and user belongs to
this group, login succeeds, otherwise, it fails; the question here is
how do I define Credentials, how do I populate the new Credentials
object with the right data and how do I get it passed to my
AuthenticationModule
* have users login as usual but have a custom 'validate' function that
takes as a parameter the ticket, the service + a group, and if the user
whom the ticket was issued for is not part of the group, have the
validation fail

Could you please tell me whether this is feasible and which option would
be best?

Regards

Jean-Noel Colin

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
