Hi John,

Is this the SecurityFilter documentation that you saw?

<http://www.ja-sig.org/wiki/x/RyU>

I wrote this back in the summer of 2005 so there may well be better ways 
to do this by now. I am afraid I don't know enough about recent 
developments in Acegi, CAS3, *SAML*, Spring (etc.) to give you a 
definitive answer of what the best approach for authorization is 
nowadays (in my day CAS only did authentication, is this still so?). I 
would be slightly worried about using SecurityFilter as it does not 
appear to have been actively maintained for some while (maybe it just 
works!).

I am sorry if you found the above CAS/SecurityFilter documentation not 
clear enough. Essentially, it is a two-layered servlet filter approach. It 
uses the CAS filter to obtain the username and then it uses 
SecurityFilter to obtain the role details from the configured realm (be 
that a database or LDAP or whatever).

The SecurityFilter is tricked into authenticating with the CAS username 
by configuring SecurityFilter to accept username = password (this is 
still secure since to get to this point you must be CAS filter 
authenticated). The user role details are then inserted into a wrapped 
request object (**SecurityRequestWrapper**) by SecurityFilter. This is 
how it achieves a request.isUserInRole(x).

At least I think that is how it works! If you have any further queries, 
I'll do my best to answer you!

Mark

Graves, John wrote:
>
> I’m trying to use CAS to authenticate access to a set of custom 
> applications that require the accessing user to have an Oracle 
> account. I’ve got it set up using the 
> BindModeSearchDatabaseAuthenticationHandler, and the authentication 
> portion appears to be working correctly. My next step is to authorize 
> the user, such that certain aspects of the application are available 
> (or not) depending on which Oracle Roles have been granted to the 
> user. The list of granted roles can be easily retrieved by the 
> connected user by executing a “select granted_roles from 
> user_role_privs”. Unfortunately, I’m at a loss currently in figuring 
> out how to transport those roles to the point that the application can 
> perform a request.isUserInRole(x) and have it return a viable answer.
>
> Has anyone else used the supplied JDBC adaptors in this manner? I’ve 
> seen where SecurityFilter has incorporated CAS into the JDBCRealm such 
> that they are retrieving the user roles from the database (from a 
> specific table within the database, I should say) and propagating them 
> forward. Unfortunately, it’s not readily apparent how they are doing this.
>
> John Graves
>
> Advanced Systems Group
>
> Essex
>

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
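The two-layered filter arrangement Mark describes (CAS filter establishes the username, a second filter attaches roles and wraps the request so `request.isUserInRole(x)` works) can be written directly without SecurityFilter. The following is an added example, not code from the original thread, from SecurityFilter or from the CAS project. It assumes: the CAS client filter has already run and stored the validated username in the session under `edu.yale.its.tp.cas.client.filter.user` (the Yale `CASFilter` key; adjust for your client); an init-param `dataSourceJndiName` naming a JNDI `DataSource`; and that the application's own database account may `SELECT` from `DBA_ROLE_PRIVS`, since `USER_ROLE_PRIVS` only lists the roles of the *connected* user and the filter never holds the end user's Oracle password.

```java
import java.io.IOException;
import java.security.Principal;
import java.sql.*;
import java.util.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

/**
 * Second-layer filter. Map it in web.xml AFTER the CAS client filter so that the
 * filter chain itself guarantees a CAS-validated username exists before roles are
 * looked up. Wraps the request so isUserInRole()/getUserPrincipal() reflect Oracle roles.
 */
public class OracleRoleFilter implements Filter {

    // Assumption: session attribute under which the CAS client filter stores the username.
    static final String CAS_USER_ATTR = "edu.yale.its.tp.cas.client.filter.user";
    static final String ROLES_ATTR = OracleRoleFilter.class.getName() + ".roles";

    // Assumption: the app account has SELECT on DBA_ROLE_PRIVS. The grantee is a bound
    // parameter, so the username is never concatenated into the SQL text.
    static final String ROLE_SQL = "select granted_role from dba_role_privs where grantee = ?";

    private DataSource dataSource;

    public void init(FilterConfig cfg) throws ServletException {
        try {
            String jndi = cfg.getInitParameter("dataSourceJndiName"); // assumed init-param name
            dataSource = (DataSource) new InitialContext().lookup(jndi);
        } catch (NamingException e) {
            throw new ServletException("cannot look up DataSource", e);
        }
    }

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        // Trust only the username the CAS filter placed in the session, never a request parameter.
        String user = (session == null) ? null : (String) session.getAttribute(CAS_USER_ATTR);
        if (user == null) {
            // Reaching here means the CAS filter did not run first: fail closed.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Set<String> roles = (Set<String>) session.getAttribute(ROLES_ATTR);
        if (roles == null) {
            roles = loadRoles(user);
            // Cached per session: a role revoked in Oracle takes effect at the user's next login.
            session.setAttribute(ROLES_ATTR, roles);
        }
        chain.doFilter(new RoleRequestWrapper(http, user, roles), res);
    }

    /** Loads the user's Oracle roles; any SQL failure propagates, so no roles are granted by accident. */
    Set<String> loadRoles(String user) throws ServletException {
        Set<String> roles = new HashSet<String>();
        Connection c = null;
        PreparedStatement ps = null;
        try {
            c = dataSource.getConnection();
            ps = c.prepareStatement(ROLE_SQL);
            ps.setString(1, user.toUpperCase(Locale.ROOT)); // Oracle stores grantee names in upper case
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                roles.add(rs.getString(1).toUpperCase(Locale.ROOT));
            }
            rs.close();
        } catch (SQLException e) {
            throw new ServletException("role lookup failed for user " + user, e);
        } finally {
            try { if (ps != null) ps.close(); } catch (SQLException ignore) { }
            try { if (c != null) c.close(); } catch (SQLException ignore) { }
        }
        return Collections.unmodifiableSet(roles);
    }

    /** Same idea as SecurityFilter's SecurityRequestWrapper: answer role queries from the loaded set. */
    static class RoleRequestWrapper extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        RoleRequestWrapper(HttpServletRequest r, final String user, Set<String> roles) {
            super(r);
            this.principal = new Principal() { public String getName() { return user; } };
            this.roles = roles;
        }
        public String getRemoteUser() { return principal.getName(); }
        public Principal getUserPrincipal() { return principal; }
        public boolean isUserInRole(String role) {
            return role != null && roles.contains(role.toUpperCase(Locale.ROOT));
        }
    }

    public void destroy() { }
}
```

Filter ordering in web.xml is the whole security argument here: the "username = password" trick Mark mentions is safe only because the CAS filter is guaranteed to have run first, and this version makes that explicit by refusing the request (401) when the CAS session attribute is absent rather than silently continuing with no roles. Role names are compared case-insensitively because Oracle upper-cases them while application code and `<security-role>` declarations often do not.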
