Scott

As I'm using the standard mod_cas to protect the client, I can't see how
to pass custom parameters to the CAS server.
However, if the validate process could be dependent on the service, that
would work: after successful authentication, the browser is redirected
to the requested page with an ST; Apache tries to validate the ST with
the CAS server, and then, my custom validator not only verifies that the
ticket is valid, but also that the user for whom the ticket was issued
is also allowed to reach that service.

Does this sound like a good idea, and how could it be put in place?

Cheers

Jean-Noel

Scott Battaglia wrote:
> If you're using the normal validate endpoint then I don't recommend the
> first method as the validate endpoint doesn't return an XML response.
> 
> In reference to the second method I spoke about, the flow is as follows:
> 
> 1. Your application contacts CAS with three pieces of information: (1)
> service url, (2) ticket, and (3) required role
> 2. The CAS server takes the service url and the ticket and attempts to
> validate the ticket.  Upon success it returns an Assertion object.
> 3.  The validate endpoint then uses some Spring Framework magic to bind
> the required role to the validation specification and
> validationSpecification.isSatisfiedBy is called.
> 4.  That isSatisfiedBy returns true or false.  If it's false, the
> application does not get the NetId.  If it's true then it will.
> 
> Within your own custom ValidationSpecification, you would write code to
> compare the required role to see if the Principal has it.
> 
> You would also need to write a custom CredentialsToPrincipalResolver
> that is plugged into the AuthenticationManager that would retrieve the
> role information you need.  The AuthenticationManager is *only* called
> on a request for Authentication so you would need to load all of the
> roles and hold on to them.
> 
> Take a look at the JavaDocs:
> http://developer.ja-sig.org/projects/cas/multiproject/cas-server/apidocs/index.html
> 
> 
> On 8/30/06, *Jean-Noel Colin*
> <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
> 
>     Scott,
> 
>     Thanks for your help. I'm rather new to CAS, so please excuse me if my
>     questions sound too simple :-)
> 
>     A few words on my setup first: I'm protecting ColdFusion pages behind an
>     Apache server with mod_cas.
> 
>     About the first solution, how does the server return information? I've
>     read that when queried, the validate servlet of the server returns the
>     netid (ticket is valid). In my case, I could retrieve the userid by
>     using the REMOTE_USER session variable, but how do I tell the server to
>     return more information?
> 
>     About the second solution, when is the Resolver invoked and by whom?
>     Same question for the ValidationSpecification. I have difficulties
>     following the internal server workflow. Is that documented somewhere?
> 
>     Thanks a lot
> 
>     Jean-Noel
> 
>     Scott Battaglia wrote:
>     > There are two ways to easily accomplish this.  One is on the client
>     > application side and one is on the server (CAS) side.
>     >
>     > The client side one involves returning all groups and then allowing the
>     > client to make the decision.
>     >
>     > On the server side however, you can augment the Principal to include
>     > roles (using the CredentialsToPrincipalResolver) and then write a custom
>     > ValidationSpecification:
>     >
>     > http://developer.ja-sig.org/source/browse/jasig/cas3/cas-server-core/src/main/java/org/jasig/cas/validation/ValidationSpecification.java?r=1.1
>     >
>     > You write a custom ValidationSpecification, providing setters for values
>     > you want to capture from the Request object and then compare the
>     > Assertion to those values.  If it's "not satisfied" CAS will not
>     > return the NetId. You then configure this ValidationSpecification in
>     > your controller.
>     >
>     > -Scott
>     >
>     > On 8/30/06, *Jean-Noel Colin*
>     > <[EMAIL PROTECTED]
>     <mailto:[EMAIL PROTECTED]>
>     > <mailto:[EMAIL PROTECTED]
>     <mailto:[EMAIL PROTECTED]>>> wrote:
>     >
>     >     Hi
>     >
>     >     I would like to achieve the following using CAS:
>     >     I have a user db that contains all my users, assigned to groups, and I
>     >     run several portals that only users from the proper group may reach
>     >     (users from group1 for portal1, group2 for portal2, ...)
>     >
>     >     Currently, using CAS, if a user has authenticated, he's granted access
>     >     to all portals. There's no way to
>     >
>     >     Looking at CAS architecture, I would see two options of achieving this:
>     >     * have a custom Credentials object that contains username, password and
>     >     group to log into; if username + password are valid and user belongs to
>     >     this group, login succeeds, otherwise, it fails; the question here is
>     >     how do I define Credentials, how do I populate the new Credentials
>     >     object with the right data and how do I get it passed to my
>     >     AuthenticationModule
>     >     * have users login as usual but have a custom 'validate' function that
>     >     takes as a parameter the ticket, the service + a group, and if the user
>     >     whom the ticket was issued for is not part of the group, have the
>     >     validation fail
>     >
>     >     Could you please tell me whether this is feasible and which option would
>     >     be best?
>     >
>     >     Regards
>     >
>     >     Jean-Noel Colin
>     >
>     >
>     >
> 
> 
> 

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
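Scott's server-side approach (a Principal augmented with roles plus a custom ValidationSpecification whose setters are bound from the validate request) sketched as an added example; this is not code from the thread or from the CAS project. It assumes the CAS 3 server API types named above (ValidationSpecification, Assertion, Authentication, Principal); the RolePrincipal class, the serviceRoles map and the requiredRole parameter name are hypothetical. Since mod_cas cannot add its own parameters to the validate call, the example also derives the required group from the service URL, which is the service-dependent variant Jean-Noel asks about.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.ValidationSpecification;

/** Refuses to release the NetId unless the user holds the group the service requires. */
public class GroupValidationSpecification implements ValidationSpecification {
    /** Hypothetical Principal built by a custom CredentialsToPrincipalResolver at login. */
    public static final class RolePrincipal implements Principal {
        private final String id;
        private final Set<String> roles;
        public RolePrincipal(String id, Set<String> roles) {
            this.id = id;
            this.roles = Collections.unmodifiableSet(roles);
        }
        public String getId() { return id; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }
    /** Hypothetical config: service URL prefix -> required group, e.g. "https://portal1.example/" -> "group1". */
    private Map<String, String> serviceRoles = new HashMap<String, String>();
    private String service;      // bound by the validate controller from the "service" request parameter
    private String requiredRole; // bound from an optional "requiredRole" parameter (hypothetical name)

    public void setServiceRoles(Map<String, String> m) { this.serviceRoles = m; }
    public void setService(String service) { this.service = service; }
    public void setRequiredRole(String role) { this.requiredRole = role; }

    /** An explicit parameter wins; otherwise the group is looked up from the service URL. */
    String resolveRequiredRole() {
        if (requiredRole != null && requiredRole.length() > 0) return requiredRole;
        if (service == null) return null;
        for (Map.Entry<String, String> e : serviceRoles.entrySet()) {
            if (service.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }

    public boolean isSatisfiedBy(Assertion assertion) {
        String role = resolveRequiredRole();
        List<Authentication> chain = assertion.getChainedAuthentications();
        if (role == null || chain == null || chain.isEmpty()) return false; // fail closed: unknown service gets nothing
        Principal p = chain.get(0).getPrincipal(); // first entry in the chain is the user's own authentication
        return p instanceof RolePrincipal && ((RolePrincipal) p).hasRole(role);
    }
}
```

The spec is wired into the validate controller as Scott describes; because the controller binds request parameters onto it per request, it must be configured as a prototype (non-singleton) bean, and the resolver must load the user's groups at authentication time since that is the only point the AuthenticationManager runs.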
