Most people use something like Spring Security 2.0 also known as ACEGI.

On 9/23/08 9:51 AM, "Jeremy Wickham" <[EMAIL PROTECTED]> wrote:

> I was looking through the CAS mailing list and came across your email about
> CAS authorization. I was curious to know if you have found out a way to
> implement the authorization piece into CAS. We are actually wanting to want
> the server to authorize the user instead of leaving that up to the client,
> leaving the control of authorization of the applications to us.
>
> Any insight that you have into CAS authorization will be much help.
>
> Thanks!
>
>
> Jeremy Wickham
> Senior Programmer Analyst
> Enterprise Information Systems
> [EMAIL PROTECTED]
> (662) 325-9173
>
> >>> dale77 <[EMAIL PROTECTED]> 8/7/2008 8:38 PM >>>
>
> My understanding is that CAS is an authentication technology, with
> authorization being solely the responsibility of the client service.
>
> I believe it makes sense for CAS to provide for authorization where it is a
> requirement that a service absolutely not be accessible to a given user. I
> came up with the following flow:
>
> 1. User hits service protected by SSO
> 2. Service redirects to CAS
> 3. User enters creds into CAS
> 4. CAS authenticates user
> 5. If authentication FAILS -> "your credentials are not authentic" STOP
> 6. NEW!! CAS authorizes user for service (CAS level authorization)
> 7. NEW!! If authorization FAILS -> "sorry you are not authorized to use that
> service" STOP
> 8. CAS redirects back to service with service ticket
> 9. Service validates service ticket
> 10. Service authorizes User (service level authorization, as it is done
> today)
> 11. User accesses service
>
> Has anyone implemented anything like the above in CAS, or do people think
> that this sort of functionality would be desirable? The advantage is that
> the service never hears from an "authenticated" user, and authorization is
> managed by the CAS implementor for that particular service.
>
> Dale

--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
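
The eleven-step flow proposed in the quoted message, modelled as an added example (not code from this thread, from CAS, or from Spring Security). `ToyCAS`, `service_request`, the ACL layout, and all users, passwords and URLs are hypothetical, constructed sample data.

```python
import secrets

class ToyCAS:
    """Toy model of the server side of the proposed flow (not real CAS code)."""

    def __init__(self, passwords, service_acl):
        self.passwords = passwords      # user -> password (constructed; a real store is hashed)
        self.service_acl = service_acl  # service URL -> users allowed at CAS level
        self.tickets = {}               # outstanding service ticket -> (user, service)

    def login(self, user, password, service):
        # Steps 4-5: authenticate first; unknown users never match.
        stored = self.passwords.get(user)
        if stored is None or not secrets.compare_digest(stored.encode(), password.encode()):
            return ("DENY", "your credentials are not authentic")
        # Steps 6-7 (the NEW part): CAS-level authorization, default deny
        # for services with no ACL entry. No ticket exists on this path.
        if user not in self.service_acl.get(service, set()):
            return ("DENY", "sorry you are not authorized to use that service")
        # Step 8: issue a ticket bound to this user and this service.
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.tickets[ticket] = (user, service)
        return ("REDIRECT", ticket)

    def validate(self, ticket, service):
        # Step 9: tickets are single use (pop) and valid only for the
        # service they were issued for.
        user, issued_for = self.tickets.pop(ticket, (None, None))
        return user if user is not None and issued_for == service else None


def service_request(cas, ticket, service, local_roles):
    """Steps 9-11 on the service side; local_roles is the service's own policy."""
    user = cas.validate(ticket, service)
    if user is None:
        return "403 invalid ticket"
    # Step 10: service-level authorization still runs after the CAS check.
    if user not in local_roles:
        return "403 no role in this service"
    return f"200 welcome {user} ({local_roles[user]})"


if __name__ == "__main__":
    hr = "https://hr.example.edu/"  # constructed service URL
    cas = ToyCAS({"alice": "a-pw", "bob": "b-pw"}, {hr: {"alice"}})
    print(cas.login("bob", "b-pw", hr))    # authentic, but denied at CAS level
    status, st = cas.login("alice", "a-pw", hr)
    print(service_request(cas, st, hr, {"alice": "viewer"}))
    print(service_request(cas, st, hr, {"alice": "viewer"}))  # replayed ticket
```

The CAS-level denial happens before any ticket is minted, which is the property the proposal is after: the service never receives a request carrying a valid ticket for a user the CAS operator has excluded.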
