Here you go: <http://www.ja-sig.org/wiki/pages/viewpageattachments.action?pageId=9543>
Attachments are kinda hidden under "Page Operations" in this version of the Confluence (grrr).

Mark

Graves, John wrote:
> I noticed on that linked page (which is where I tripped over this, by
> the way), that you mention a couple of files that are supposed to be
> attached. I would like to see what was changed in SecurityFilter.java,
> and what the CASAuthenticator.java holds. I pulled the source from
> securityfilter.org, but the new authenticator is not in cvs. Could you
> point out where that new file is?
>
> John
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> On Behalf Of Mark McLaren
> Sent: Thursday, May 24, 2007 5:42 PM
> To: Yale CAS mailing list
> Subject: Re: Use of Oracle Granted Roles
>
> Hi John,
>
> Is this the SecurityFilter documentation that you saw?
>
> <http://www.ja-sig.org/wiki/x/RyU>
>
> I wrote this back in the summer of 2005 so there may well be better ways
> to do this by now. I am afraid I don't know enough about recent
> developments in Acegi, CAS3, SAML, Spring (etc.) to give you a
> definitive answer of what the best approach for authorization is
> nowadays (in my day CAS only did authentication, is this still so?). I
> would be slightly worried about using SecurityFilter as it does not
> appear to have been actively maintained for some while (maybe it just
> works!).
>
> I am sorry if you found the above CAS/SecurityFilter documentation not
> clear enough. Essentially, it is a two-layered servlet filter approach. It
> uses the CAS filter to obtain the username and then it uses
> SecurityFilter to obtain the role details from the configured realm (be
> that a database or LDAP or whatever).
>
> The SecurityFilter is tricked into authenticating with the CAS username
> by configuring SecurityFilter to accept username = password (this is
> still secure since to get to this point you must be CAS filter
> authenticated). The user role details are then inserted into a wrapped
> request object (SecurityRequestWrapper) by SecurityFilter. This is
> how it achieves a request.isUserInRole(x).
>
> At least I think that is how it works! If you have any further queries,
> I'll do my best to answer you!
>
> Mark
>
> Graves, John wrote:
>
>> I'm trying to use CAS to authenticate access to a set of custom
>> applications that require the accessing user to have an Oracle
>> account. I've got it set up using the
>> BindModeSearchDatabaseAuthenticationHandler, and the authentication
>> portion appears to be working correctly. My next step is to authorize
>> the user, such that certain aspects of the application are available
>> (or not) depending on which Oracle Roles have been granted to the
>> user. The list of granted roles can be easily retrieved by the
>> connected user by executing a "select granted_roles from
>> user_role_privs". Unfortunately, I'm at a loss currently in figuring
>> out how to transport those roles to the point that the application can
>> perform a request.isUserInRole(x) and have it return a viable answer.
>>
>> Has anyone else used the supplied JDBC adaptors in this manner? I've
>> seen where SecurityFilter has incorporated CAS into the JDBCRealm such
>> that they are retrieving the user roles from the database (from a
>> specific table within the database, I should say) and propagating them
>> forward. Unfortunately, it's not readily apparent how they are doing
>> this.
>>
>> John Graves
>>
>> Advanced Systems Group
>>
>> Essex

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
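
The layered-filter idea discussed in this thread, as an added example that is not part of the original messages and is not SecurityFilter or CAS code: a second servlet filter, mapped after the CAS filter, that takes the already-validated username, looks up roles, and wraps the request so `request.isUserInRole(x)` works. Assumptions: the servlet API is on the classpath, the upstream CAS filter stores the username under the session attribute shown, and `rolesFor` is a hypothetical hook a subclass implements against its database or LDAP realm. Instead of the username = password arrangement, this sketch reads the username directly and fails closed when it is absent.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: must be mapped AFTER the CAS filter in web.xml. */
public abstract class CasRoleFilter implements Filter {
    // Assumption: session attribute where the upstream CAS filter puts the validated username.
    static final String CAS_USER_ATTR = "edu.yale.its.tp.cas.client.filter.user";

    /** Hypothetical hook: return the roles granted to this user (database, LDAP, ...). */
    protected abstract Set<String> rolesFor(String username);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);   // never create a session here
        Object user = (session == null) ? null : session.getAttribute(CAS_USER_ATTR);
        if (!(user instanceof String) || ((String) user).isEmpty()) {
            // Fail closed: with no CAS-validated username there is no identity to trust,
            // for example when this filter is mapped to a URL the CAS filter does not cover.
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final String name = (String) user;
        final Set<String> granted = rolesFor(name);     // looked up once per request
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return name; }
            @Override public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return name; } };
            }
            @Override public boolean isUserInRole(String role) {
                // A null role set is treated as "no roles", never as "all roles".
                return granted != null && granted.contains(role);
            }
        }, rs);
    }
}
```

The filter mappings for this class and for the CAS filter should cover the same URL patterns, with the CAS filter declared first, so no protected path reaches the role wrapper without passing CAS validation.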
