Qingzhao,

 

The problem you are describing is not an authentication issue but rather an
authorization issue; whether a user has the right to use an application or not.
Depending on your authorization situation, you might be able to use Spring
Security (previously known as ACEGI) with your applications
(http://www.acegisecurity.org/).

 

Hope this helps,

 

Andrew R Feller, Analyst

University Information Systems

200 Fred Frey Building

Louisiana State University <http://www.lsu.edu/> 

Baton Rouge, LA, 70803

(225) 578-3737 (Office)

(225) 578-6400 (Fax)

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of qingzhao zheng
Sent: Monday, June 09, 2008 10:17 AM
To: [email protected]
Subject: HELP

 

Hi,
There is one application named TCMManager. All users log in from TCMManager and
click the URL list to visit other applications, and the URL list is dynamically
produced according to the database table r_user_application(id,staffid,appid).
For example, user jack has the right to visit appone and apptwo, but not
appthree. So jack visits TCMManager, and it redirects to the CAS server; after
he logs in, it returns to TCMManager. Now he has appone's and apptwo's URLs, and
he can click to visit them as he likes. The problem is that if he knows
appthree's URL, he can visit appthree in the same browser window when he types
the URL in the address bar. This is not allowed because he doesn't have the
right. What can I do to prohibit this?

I have put CAS client code in TCMManager, appone, apptwo and appthree using the
CAS1 protocol, configured like this:
  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://qing:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://qing:8443/cas/serviceValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>qing:8888</param-value>
    </init-param>
  </filter>
In the CAS server I use the jdbcAuthenticate handler:
  <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
    <property name="sql" value="select password from t_staff where username=?" />
    <property name="dataSource" ref="dataSource" />
  </bean>
Can I prohibit this by modifying the "sql"?
Or is it right for me to use the CAS1 protocol in this situation?
Can anybody give me some advice?
                                                                   thanks,
                                                                       qingzhao,
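
Added example, not part of either message and not code from the CAS project: one way to enforce the authorization check the reply describes is a servlet filter mapped after the CAS filter in each application, which looks up the CAS-authenticated user in r_user_application and answers 403 when no row exists. Assumptions: staffid holds the CAS login name, appid holds a per-application identifier passed as the hypothetical appId init-param, and jdbc/tcm is a hypothetical JNDI DataSource name.

```java
import java.io.IOException;
import java.sql.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

/** Added example: per-application authorization, mapped AFTER the CAS filter in web.xml. */
public class AppAuthorizationFilter implements Filter {
    // Session attribute in which the Yale CASFilter stores the authenticated username.
    private static final String CAS_USER = "edu.yale.its.tp.cas.client.filter.user";
    // Assumption: staffid holds the CAS login name and appid a per-application identifier.
    private static final String SQL =
        "select 1 from r_user_application where staffid = ? and appid = ?";
    private DataSource dataSource;
    private String appId;

    public void init(FilterConfig cfg) throws ServletException {
        appId = cfg.getInitParameter("appId");   // hypothetical init-param, e.g. "appthree"
        if (appId == null) throw new ServletException("appId init-param is required");
        try {                                    // hypothetical JNDI name
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/tcm");
        } catch (NamingException e) { throw new ServletException(e); }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        String user = session == null ? null : (String) session.getAttribute(CAS_USER);
        // Fail closed: no authenticated user or no grant row means 403, even with a valid CAS login.
        if (user == null || !isAllowed(user)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    private boolean isAllowed(String user) throws ServletException {
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(SQL)) {
            ps.setString(1, user);               // bound parameters, never string concatenation
            ps.setString(2, appId);
            try (ResultSet rs = ps.executeQuery()) { return rs.next(); }
        } catch (SQLException e) {               // a failed lookup denies access
            throw new ServletException("authorization lookup failed", e);
        }
    }

    public void destroy() { }
}
```

The check runs in each protected application rather than in TCMManager, so a URL typed directly into the address bar is evaluated the same way as a clicked link.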

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas