I noticed on that linked page (which is where I tripped over this, by the way), that you mention a couple of files that are supposed to be attached. I would like to see what was changed in SecurityFilter.java, and what the CASAuthenticator.java holds. I pulled the source from securityfilter.org, but the new authenticator is not in cvs. Could you point out where that new file is?
John -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark McLaren Sent: Thursday, May 24, 2007 5:42 PM To: Yale CAS mailing list Subject: Re: Use of Oracle Granted Roles Hi John, Is this the SecurityFilter documentation that you saw? <http://www.ja-sig.org/wiki/x/RyU> I wrote this back in the summer of 2005 so there may well be better ways to do this by now. I am afraid I don't know enough about recent developments in Acegi, CAS3, *SAML*, Spring (etc.) to give you a definitive answer of what the best approach for authorization is nowadays (in my day CAS only did authentication, is this still so?). I would be slightly worried about using SecurityFilter as it does not appear to have been actively maintained for some while (maybe it just works!). I am sorry if you found the above CAS/SecurityFilter documentation not clear enough. Essentially, it is two layered servlet filter approach. It uses the CAS filter to obtain the username and then it uses SecurityFilter to obtain the role details from the configured realm (be that a database or LDAP or whatever). The SecurityFilter is tricked into authenticating with the CAS username by configuring SecurityFilter to accept username = password (this is still secure since to get to this point you must be CAS filter authenticated). The user role details are then inserted into a wrapped request object (**SecurityRequestWrapper)** by SecurityFilter. This is how it achieves a request.isUserInRole(x). At least I think that is how it works! If you have any further queries, I'll do my best to answer you! Mark Graves, John wrote: > > I'm trying to use CAS to authenticate access to a set of custom > applications that require the accessing user to have an Oracle > account. I've got it set up using the > BindModeSearchDatabaseAuthenticationHandler, and the authentication > portion appears to be working correctly. My next step is to authorize > the user, such that certain aspects of the application are available > (or not) depending on which Oracle Roles have been granted to the > user. The list of granted roles can be easily retrieved by the > connected user by executing a "select granted_roles from > user_role_privs". Unfortunately, I'm at a loss currently in figuring > out how to transport those roles to the point that the application can > perform a request.isUserInRole(x) and have it return a viable answer. > > Has anyone else used the supplied JDBC adaptors in this manner? I've > seen where SecurityFilter has incorporated CAS into the JDBCRealm such > that they are retrieving the user roles from the database (from a > specific table within the database, I should say) and propagating them > forward. Unfortunately, it's not readily apparent how they are doing this. > > John Graves > > Advanced Systems Group > > Essex > _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas This electronic message and any files transmitted with it contain information which may be privileged and/or proprietary. The information is intended for use solely by the intended recipient(s). If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of this information is prohibited. If you have received this electronic message in error, please advise the sender by reply email or by telephone (301-939-7000) and delete the message. _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
