In reference to the second method I spoke about, the flow is as follows:
1. Your application contacts CAS with three pieces of information: (1) service url, (2) ticket, and (3) required role
2. The CAS server takes the service url and the ticket and attempts to validate the ticket. Upon success it returns an Assertion object.
3. The validate endpoint then uses some Spring Framework magic to bind the required role to the validation specification and validationSpecification.isSatisfiedBy is called.
4. That isSatisfiedBy returns true or false. If it's false, the application does not get the NetId. If it's true then it will.
Within your own custom ValidationSpecification, you would write code to compare the required role to see if the Principal has it.
You would also need to write a custom CredentialsToPrincipalResolver that is plugged into the AuthenticationManager that would retrieve the role information you need. The AuthenticationManager is *only* called on a request for Authentication so you would need to load all of the roles and hold on to them.
Take a look at the JavaDocs:
http://developer.ja-sig.org/projects/cas/multiproject/cas-server/apidocs/index.html
On 8/30/06, Jean-Noel Colin <[EMAIL PROTECTED]> wrote:
Scott,
Thanks for your help. I'm rather new to CAS, so please excuse me if my
questions sound too simple :-)
A few words on my setup first: I'm protecting ColdFusion pages behind an
Apache server with mod_cas.
About the first solution, how does the server return information? I've
read that when queried, the validate servlet of the server returns the
netid (ticket is valid). In my case, I could retrieve the userid by
using the REMOTE_USER session variable, but how do I tell the server to
return more information?
About the second solution, when is the Resolver invoked and by whom?
Same question for the ValidationSpecification. I have difficulty
following the internal server workflow. Is that documented somewhere?
Thanks a lot
Jean-Noel
Scott Battaglia wrote:
> There are two ways to easily accomplish this. One is on the client
> application side and one is on the server (CAS) side.
>
> The client side one involves returning all groups and then allowing the
> client to make the decision.
>
> On the server side however, you can augment the Principal to include
> roles (using the CredentialsToPrincipalResolver) and then write a custom
> ValidationSpecification:
> http://developer.ja-sig.org/source/browse/jasig/cas3/cas-server-core/src/main/java/org/jasig/cas/validation/ValidationSpecification.java?r=1.1
>
> You write a custom ValidationSpecification, providing setters for values
> you want to capture from the Request object and then compare the
> Assertion to those values. If it's "not satisfied" CAS will not
> return the NetId. You then configure this ValidationSpecification in
> your controller.
>
> -Scott
>
> On 8/30/06, *Jean-Noel Colin* <[EMAIL PROTECTED]> wrote:
>
> Hi
>
> I would like to achieve the following using CAS:
> I have a user db that contains all my users, assigned to groups, and I
> run several portals that only users from the proper group may reach
> (users from group1 for portal1, group2 for portal2, ...)
>
> Currently, using CAS, if a user has authenticated, he's granted access
> to all portals. There's no way to
>
> Looking at CAS architecture, I would see two options of achieving this:
> * have a custom Credentials object that contains username, password and
> group to log into; if username + password are valid and user belongs to
> this group, login succeeds, otherwise, it fails; the question here is
> how do I define Credentials, how do I populate the new Credentials
> object with the right data and how do I get it passed to my
> AuthenticationModule
> * have users login as usual but have a custom 'validate' function that
> takes as a parameter the ticket, the service + a group, and if the user
> whom the ticket was issued for is not part of the group, have the
> validation fail
>
> Could you please tell me whether this is feasible and which option would
> be best?
>
> Regards
>
> Jean-Noel Colin
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
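As an added example, not code from this thread or from the CAS project: the server-side option Scott describes (a Principal augmented with roles by the CredentialsToPrincipalResolver, and a custom ValidationSpecification that compares the role the service asked for against it), written as a single Java file. The four interfaces at the top are simplified stand-ins for CAS 3's ValidationSpecification, Assertion, Authentication and Principal so that the file compiles without the CAS jars; their shapes are assumed from the thread. RolePrincipal, RequiredRoleValidationSpecification, the requiredRole request parameter bound by the validate controller, the user id and the group names are all hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Simplified stand-ins (assumed shapes) for the CAS 3 interfaces this example touches.
// In a real deployment implement org.jasig.cas.validation.ValidationSpecification and
// org.jasig.cas.authentication.principal.Principal from cas-server-core instead.
interface Principal { String getId(); }
interface Authentication { Principal getPrincipal(); }
interface Assertion { List<Authentication> getChainedAuthentications(); }
interface ValidationSpecification { boolean isSatisfiedBy(Assertion assertion); }

// Hypothetical Principal subtype that a custom CredentialsToPrincipalResolver fills in
// at login. The resolver only runs on an authentication request, so every group the
// user belongs to has to be loaded then and carried in the Principal.
final class RolePrincipal implements Principal {
    private final String id;
    private final Set<String> roles;

    RolePrincipal(String id, Set<String> roles) {
        this.id = id;
        this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
    }

    public String getId() { return id; }
    public Set<String> getRoles() { return roles; }
}

// Hypothetical ValidationSpecification: the NetId is released only when the user
// behind the ticket holds the role the calling service named in its validate request.
final class RequiredRoleValidationSpecification implements ValidationSpecification {
    // Populated from the "requiredRole" request parameter by the controller's data binding
    // (the "Spring Framework magic" in the thread); the parameter name is an assumption.
    private String requiredRole;

    public void setRequiredRole(String requiredRole) { this.requiredRole = requiredRole; }

    public boolean isSatisfiedBy(Assertion assertion) {
        // Fail closed: a missing or blank role parameter must not mean "any user passes".
        if (requiredRole == null || requiredRole.trim().length() == 0) {
            return false;
        }
        List<Authentication> chain = assertion.getChainedAuthentications();
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        // The first authentication in the chain is the user the ticket was issued for;
        // later entries are proxies, whose roles must not stand in for the user's.
        Principal principal = chain.get(0).getPrincipal();
        if (!(principal instanceof RolePrincipal)) {
            return false; // the resolver did not attach roles, so nothing can be proven
        }
        // Exact membership test, not a prefix or substring match, since the role name
        // comes straight from the request.
        return ((RolePrincipal) principal).getRoles().contains(requiredRole.trim());
    }
}

public class RoleCheckDemo {
    // Builds a constructed single-entry Assertion for the demo (no proxy chain).
    static Assertion assertionFor(final Principal principal) {
        final Authentication auth = new Authentication() {
            public Principal getPrincipal() { return principal; }
        };
        return new Assertion() {
            public List<Authentication> getChainedAuthentications() {
                return Collections.singletonList(auth);
            }
        };
    }

    public static void main(String[] args) {
        // Constructed user: member of group1 only.
        Principal user = new RolePrincipal("jnc", new HashSet<String>(Arrays.asList("group1")));
        Assertion assertion = assertionFor(user);
        RequiredRoleValidationSpecification spec = new RequiredRoleValidationSpecification();

        spec.setRequiredRole("group1");
        System.out.println("portal1 asks for group1: " + spec.isSatisfiedBy(assertion));
        spec.setRequiredRole("group2");
        System.out.println("portal2 asks for group2: " + spec.isSatisfiedBy(assertion));
        spec.setRequiredRole("");
        System.out.println("no role named in request: " + spec.isSatisfiedBy(assertion));
        System.out.println("plain principal without roles: "
            + spec.isSatisfiedBy(assertionFor(new Principal() { public String getId() { return "jnc"; } })));
    }
}
```

Save it as RoleCheckDemo.java and run it with javac and java to see the four decisions. The design choice worth noting is that every branch other than an exact, positive membership hit returns false: a blank role parameter, an empty authentication chain, or a Principal the resolver did not enrich all cause the validate endpoint to withhold the NetId rather than quietly falling back to "authenticated is enough", which is exactly the behaviour Jean-Noel is trying to get rid of.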
