we could support CAS 2 by default (with minimal changes) and do something like this:
    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>q234wd325253</cas:user>
        <cas:attribute name="username" value="jdoe"/>
        <cas:attribute name="first_name" value="John"/>
        <cas:attribute name="last_name" value="Doe"/>
        <cas:attribute name="email" value="[email protected]"/>
        ...
        <cas:attribute name="MemberOf" value="group-name"/>
        <cas:attribute name="MemberOf" value="other-group-name"/>
        ...
      </cas:authenticationSuccess>
    </cas:serviceResponse>

On May 23, 10:21 am, Massimo Di Pierro <[email protected]> wrote:
> we could expose a has_membership and has_permission service to
> authorized cas_consumers. The problem is that the consumers would have
> to call special functions to check the provider. We could always
> delegate the local has_membership and has_permission to the service
> equivalent functions, but there would be problems with referential
> integrity because objects are local and permissions are remote.
>
> Has anybody done this (even if not in web2py)? Is there any
> documentation?
>
> massimo
>
> On May 23, 9:45 am, Michele Comitini <[email protected]> wrote:
>
> > Could CAS server answer questions such as "is operation bar allowed
> > to user foo"?
> >
> > The list of operations is CAS server dependent, the consumer can ask
> > only for those...
> >
> > mic
> >
> > 2011/5/23 Massimo Di Pierro <[email protected]>:
> >
> > > I have been thinking about this but the issue is, how should groups be
> > > identified? By their name? The consumer app does not have the same
> > > auth_group table. What if it has a group with the same name as a group
> > > in the provider app?
> > >
> > > Anyway... as it is, CAS (and cas in Auth) has a problem. Any consumer
> > > can authenticate with it and therefore it will reveal information
> > > about the user (for example the username and email). There are two
> > > ways to restrict this: 1) have the provider filter consumers by IP/
> > > domain; 2) have the user decide whether to authenticate with the
> > > consumer (as in OpenID). I think 1 is more appropriate for CAS and
> > > easier to implement.
> > >
> > > On May 23, 7:24 am, Ross Peoples <[email protected]> wrote:
> > >
> > > > I am not that familiar with CAS, but it might be useful in some cases to
> > > > know what groups the user is a member of in the remote web2py
> > > > installation.
> > > > For example, if there is an 'Administrators' group that should have
> > > > access to everything, then you wouldn't have to set up groups and
> > > > permissions for every single app that uses the remote Auth service.
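As an added example (not code from this thread or from web2py), here is how a consumer could read the response shape proposed above, keeping every repeated MemberOf value and treating anything other than a cas:authenticationSuccess as a failed validation. It assumes the repeated cas:attribute name/value form shown in the message, not the standard CAS 3 attribute layout; the sample responses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed sample in the shape proposed in the thread: a user id plus
# repeated cas:attribute elements, with one MemberOf element per group.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>q234wd325253</cas:user>
    <cas:attribute name="username" value="jdoe"/>
    <cas:attribute name="email" value="jdoe@example.com"/>
    <cas:attribute name="MemberOf" value="group-name"/>
    <cas:attribute name="MemberOf" value="other-group-name"/>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response (the provider rejected the ticket).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>bad ticket</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_cas_response(xml_text):
    """Return (user, attributes) on success, or None for any failure.

    attributes maps each name to a list of values, so a repeated name
    such as MemberOf keeps all of its values rather than only the last.
    Elements are matched by the CAS namespace, so a document that merely
    contains the right local names in another namespace is not accepted.
    """
    root = ET.fromstring(xml_text)
    success = root.find("{%s}authenticationSuccess" % CAS_NS)
    if success is None:
        return None  # authenticationFailure or an unexpected document
    user_el = success.find("{%s}user" % CAS_NS)
    if user_el is None or not (user_el.text or "").strip():
        return None  # a success block without a user is not a login
    attrs = defaultdict(list)
    for el in success.findall("{%s}attribute" % CAS_NS):
        name, value = el.get("name"), el.get("value")
        if name and value is not None:
            attrs[name].append(value)
    return user_el.text.strip(), dict(attrs)


def remote_groups(parsed):
    """Group names the provider reported (the MemberOf values), as a set."""
    return set(parsed[1].get("MemberOf", [])) if parsed else set()


def has_remote_membership(parsed, group_name):
    """True only if the provider listed group_name for this user."""
    return group_name in remote_groups(parsed)
```

The returned group names are the provider's names, so a consumer that also has a local auth_group table still has to decide how to keep the two namespaces apart, which is the open question in the thread.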

