[cas-dev] Extended Attributes Architecture for 3.1

Stephen A. Cochran stephen.a.cochran at Dartmouth.EDU
Mon Feb 5 12:02:17 EST 2007


A thought about the plans to include extended attributes in 3.1 from  
our experiences here at Dartmouth.

Currently, assume some kind of identity repository such as LDAP or  
SQL table. The authentication handler verifies the supplied username/ 
password against that data source. Then the C2PResolver creates a new  
Principal which actually holds all the information about the user.

In the extended Principal we've created to hold the extra attributes,  
a second lookup must be performed to get the attributes from the data  
source. This is because we didn't want to extend the Credentials  
object to hold the attribute as well as the Principal. While perhaps  
lazy, it makes sense with the overall design.

What this does mean though is that the data source is hit twice, once  
to verify the user, and once to actually retrieve the attributes.  
While there may be some cases where this needs to be two steps, there  
are also lots of cases where it can all be done in one command. In  
those cases, I think that there shouldn't be a need to hit the  
backend data source twice, especially some SQL table that is not  
designed for the same type of load that something like LDAP is.

Thoughts?

Steve
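
Added example, not part of the original message and not CAS code: a sketch of the two access patterns the message compares, run against a constructed in-memory SQLite user table that counts backend queries. The table layout, the names (CountingStore, two_step, one_step) and the PBKDF2 password scheme are assumptions made for the illustration.

```python
import hashlib, hmac, os, sqlite3

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CountingStore:
    """Constructed user table that counts every query sent to the backend."""
    def __init__(self):
        self.queries = 0
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, salt BLOB, "
                        "pw BLOB, mail TEXT, affiliation TEXT)")
        salt = os.urandom(16)
        self.db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                        ("alice", salt, _hash("s3cret", salt),
                         "alice@example.edu", "staff"))

    def fetch(self, columns, uid):
        # `columns` is always a literal from this file; only uid is user input.
        self.queries += 1
        sql = f"SELECT {columns} FROM users WHERE uid = ?"
        return self.db.execute(sql, (uid,)).fetchone()

_DUMMY_SALT = b"\x00" * 16

def _password_ok(row, password):
    # Hash even when the user is unknown so both failure paths cost the same.
    salt, stored = (row[0], row[1]) if row else (_DUMMY_SALT, b"")
    return hmac.compare_digest(_hash(password, salt), stored) and row is not None

def two_step(store, uid, password):
    """Verify the password, then look the attributes up in a second query."""
    if not _password_ok(store.fetch("salt, pw", uid), password):
        return None
    mail, affiliation = store.fetch("mail, affiliation", uid)
    return {"id": uid, "mail": mail, "affiliation": affiliation}

def one_step(store, uid, password):
    """One query returns verifier and attributes; attributes are only
    released after the password check has passed."""
    row = store.fetch("salt, pw, mail, affiliation", uid)
    if not _password_ok(row, password):
        return None
    return {"id": uid, "mail": row[2], "affiliation": row[3]}

def queries_used(login, uid, password):
    store = CountingStore()
    return login(store, uid, password), store.queries
```
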

