[cas-dev] RegisteredService->AllowedAuthenticationHandler
Romain Bourgue
romain.bourgue at agriculture.gouv.fr
Wed Jul 18 07:09:21 EDT 2007
Hi,
I'd like to add the concept of AllowedAuthenticationHandlers for services.
Before developing this, I'd like to submit this idea for the approval of the
community:
We have a lot of user repositories, and thus a lot of AuthenticationHandlers. And
some applications should only be accessed by some specific repositories, that is
to say, by some specific AuthenticationHandlers.
What I need, then, is to dedicate some AuthenticationHandlers to specific
RegisteredServices. We could define a link between applications and repositories,
i.e. if you have a database of credentials specific to some applications, you
could link the AuthenticationHandler of this database to the
RegisteredApplications whose users are stored in this database.
This could be done by defining for RegisteredService a property of type
AuthenticationHandler[] called AllowedAuthenticationHandler.
The consequences of this would be:
- AuthenticationManager should try to authenticate only on the
AllowedAuthenticationHandlers[] if the service is a registered one;
- Granting a service ticket for a RegisteredService should only be allowed if
the Authentication was made by one of the AllowedAuthenticationHandlers[]...
- ... the former implies storing the AuthenticationHandler used in the
Authentication;
- It should be possible to set the list of AllowedAuthenticationHandlers for a
RegisteredService through the services management interface;
- It should be possible to set the list of AuthenticationHandlers for a
non-registered service (default list) through the services management interface.
What do you think?
Romain
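The proposal above, sketched as an added Java example that is neither CAS code nor part of Romain's message: every type here (AuthenticationHandler, StaticHandler, Authentication, RegisteredService, AuthenticationManager) is a hypothetical stand-in, handlers are matched by name rather than by object, and the credentials and service ids are constructed.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
interface AuthenticationHandler {
    String name();
    boolean authenticate(String username, String password);
}
// Constructed stand-in for a real handler: accepts exactly one username/password pair.
record StaticHandler(String name, String user, String pw) implements AuthenticationHandler {
    public boolean authenticate(String u, String p) { return user.equals(u) && pw.equals(p); }
}
// The Authentication keeps the name of the handler that succeeded (third consequence).
record Authentication(String principal, String handlerName) {}
// The proposed property, held as handler names rather than handler objects.
record RegisteredService(String serviceId, Set<String> allowedHandlerNames) {}

record AuthenticationManager(List<AuthenticationHandler> handlers,
                             Map<String, RegisteredService> registry,
                             Set<String> defaultAllowed) { // list for services that are not registered
    Set<String> allowedFor(String serviceId) {
        RegisteredService rs = registry.get(serviceId);
        return rs != null ? rs.allowedHandlerNames() : defaultAllowed;
    }
    // First consequence: only the handlers allowed for the requesting service are tried.
    Authentication authenticate(String serviceId, String user, String pw) {
        for (AuthenticationHandler h : handlers) {
            if (allowedFor(serviceId).contains(h.name()) && h.authenticate(user, pw)) {
                return new Authentication(user, h.name());
            }
        }
        return null; // no allowed handler accepted the credentials
    }
    // Second consequence: an existing SSO session authenticated by a handler that the
    // requested service does not allow must not be turned into a service ticket for it.
    boolean canGrantServiceTicket(String serviceId, Authentication auth) {
        return auth != null && allowedFor(serviceId).contains(auth.handlerName());
    }
    public static void main(String[] args) {
        var mgr = new AuthenticationManager(
            List.of(new StaticHandler("ldap", "alice", "s3cret"), new StaticHandler("appdb", "bob", "pw")),
            Map.of("hr", new RegisteredService("hr", Set.of("ldap")),
                   "payroll", new RegisteredService("payroll", Set.of("appdb"))),
            Set.of("ldap", "appdb"));
        Authentication a = mgr.authenticate("hr", "alice", "s3cret");        // succeeds via "ldap"
        System.out.println(mgr.canGrantServiceTicket("hr", a));             // true
        System.out.println(mgr.canGrantServiceTicket("payroll", a));        // false: payroll allows only appdb
        System.out.println(mgr.authenticate("payroll", "alice", "s3cret")); // null: ldap is never tried
    }
}
```

The service-ticket check is the part that matters once an SSO session exists: a user already authenticated through one repository cannot obtain a ticket for an application whose allowed list excludes that repository's handler.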