[cas-dev] RegisteredService->AllowedAuthenticationManager (was AllowedAuthenticationHandler)

Romain Bourgue romain.bourgue at agriculture.gouv.fr
Wed Jul 18 09:13:33 EDT 2007


After having second thoughts, I think it could be a lot easier and more
powerful to specify an AllowedAuthenticationManager instead of
AllowedAuthenticationHandlers for RegisteredService...

It could be easily configured by beans and the service management interface
would just have to show a list of AuthenticationManager available.

CentralAuthenticationService would call the AuthenticationManager of the
registered service for authentication. Granting a service ticket would still
depend on the fact that the Authentication has been granted by the
AllowedAuthenticationManager.


Romain

Romain Bourgue wrote:
> Hi,
> 
> 
> I'd like to add the concept of AllowedAuthenticationHandlers for services.
> Before developing this, I'd like to submit this idea to the approval of the
> community...:
> 
> We have a lot of user repositories, thus, a lot of AuthenticationHandlers. And
> some applications should only be accessed by some specific repositories, that is
> to say, by some specific AuthenticationHandlers.
> 
> What I need, then, is to dedicate some AuthenticationHandler to specific
> RegisteredService. We could define a link between applications and repositories,
> i.e.: if you have a database of credentials specific to some applications, you
> could link the AuthenticationHandler of this database and the
> RegisteredApplications whose users are stored in this database.
> This could be done by defining for RegisteredService a property of
> (AuthenticationHandler[]) called AllowedAuthenticationHandler.
> 
> The consequences of this would be :
> 
>  - AuthenticationManager should try to authenticate only on
> AllowedAuthenticationHandlers[] if the service is a registered one;
> 
>  - Granting a service ticket for a RegisteredService should only be allowed if
> the Authentication was made by one of the AllowedAuthenticationHandlers[]...
> 
>  - ... the former implies storing the AuthenticationHandler used in the
> Authentication;
> 
>  - It should be possible to set the list of AllowedAuthenticationHandlers for a
> RegisteredService through the services management interface;
> 
>  - It should be possible to set the list of AuthenticationHandlers for a
> non-registered service (default list) through the services management interface.
> 
> 
> What do you think ?
> 
> 
> Romain
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
> 
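The two messages above describe a design rather than code, so here is an added sketch of the proposal in Java (my own constructed example, not code from CAS or from the author). The type names follow the thread (RegisteredService, AuthenticationHandler, AuthenticationManager, Authentication, CentralAuthenticationService, TicketGrantingTicket); every method signature, the in-memory repositories and the sample users are assumptions made for this example, not CAS's real API. It shows the point the second message makes: the service-ticket check must look at which handler produced the Authentication stored in the ticket-granting ticket, because under single sign-on that TGT may have been obtained through a different service.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Constructed sketch of the thread's proposal; all signatures are assumptions, not CAS's API.
record Credentials(String username, String password) { }

/** An AuthenticationHandler backed by one credential repository (here an in-memory map). */
final class RepositoryHandler {
    private final String name;
    private final Map<String, String> passwords;   // constructed sample repository
    RepositoryHandler(String name, Map<String, String> passwords) { this.name = name; this.passwords = passwords; }
    String getName() { return name; }
    boolean authenticate(Credentials c) {
        String expected = passwords.get(c.username());
        return expected != null && MessageDigest.isEqual(          // constant-time comparison
            expected.getBytes(StandardCharsets.UTF_8), c.password().getBytes(StandardCharsets.UTF_8));
    }
}

/** The Authentication records which handler vouched for the principal (the thread's "store the handler used"). */
record Authentication(String principal, String handlerName) { }

/** An AuthenticationManager owns an ordered list of handlers; the first one that succeeds is recorded. */
final class AuthenticationManager {
    private final List<RepositoryHandler> handlers;
    AuthenticationManager(List<RepositoryHandler> handlers) { this.handlers = handlers; }
    Set<String> handlerNames() {
        Set<String> names = new HashSet<>();
        for (RepositoryHandler h : handlers) names.add(h.getName());
        return names;
    }
    Optional<Authentication> authenticate(Credentials c) {
        for (RepositoryHandler h : handlers) {
            if (h.authenticate(c)) return Optional.of(new Authentication(c.username(), h.getName()));
        }
        return Optional.empty();
    }
}

/** A RegisteredService pinned to one AuthenticationManager: the "AllowedAuthenticationManager". */
record RegisteredService(String serviceIdPrefix, AuthenticationManager allowedManager) {
    boolean matches(String serviceUrl) { return serviceUrl.startsWith(serviceIdPrefix); }
}

record TicketGrantingTicket(String id, Authentication authentication) { }

final class CentralAuthenticationService {
    private final List<RegisteredService> registry;
    private final AuthenticationManager defaultManager;   // the "default list" for services that are not registered
    private int ticketCounter = 0;
    CentralAuthenticationService(List<RegisteredService> registry, AuthenticationManager defaultManager) {
        this.registry = registry;
        this.defaultManager = defaultManager;
    }

    /** The manager a service is allowed to use: its own if registered, otherwise the default one. */
    private AuthenticationManager managerFor(String serviceUrl) {
        for (RegisteredService rs : registry) if (rs.matches(serviceUrl)) return rs.allowedManager();
        return defaultManager;
    }

    /** Primary authentication only consults the handlers of the manager allowed for that service. */
    Optional<TicketGrantingTicket> createTicketGrantingTicket(String serviceUrl, Credentials c) {
        return managerFor(serviceUrl).authenticate(c)
            .map(a -> new TicketGrantingTicket("TGT-" + (++ticketCounter), a));
    }

    /** A service ticket is granted only if the TGT's Authentication came from a handler the target service allows. */
    Optional<String> grantServiceTicket(TicketGrantingTicket tgt, String serviceUrl) {
        AuthenticationManager allowed = managerFor(serviceUrl);
        if (!allowed.handlerNames().contains(tgt.authentication().handlerName())) {
            return Optional.empty();   // authenticated, but not against a repository this service trusts
        }
        return Optional.of("ST-" + (++ticketCounter));
    }
}

public class AllowedManagerDemo {
    public static void main(String[] args) {
        // Constructed repositories: a directory for everybody and a database specific to one application.
        RepositoryHandler ldap = new RepositoryHandler("ldap", Map.of("bob", "bob-pass"));
        RepositoryHandler appDb = new RepositoryHandler("app-db", Map.of("alice", "alice-pass"));
        AuthenticationManager defaultManager = new AuthenticationManager(List.of(ldap));
        AuthenticationManager appManager = new AuthenticationManager(List.of(appDb));

        String app = "https://app.example.test/login";   // registered, pinned to appManager
        String wiki = "https://wiki.example.test/";      // not registered, falls back to defaultManager
        CentralAuthenticationService cas = new CentralAuthenticationService(
            List.of(new RegisteredService("https://app.example.test/", appManager)), defaultManager);

        TicketGrantingTicket aliceTgt = cas.createTicketGrantingTicket(app, new Credentials("alice", "alice-pass")).orElseThrow();
        System.out.println("alice -> app:  " + cas.grantServiceTicket(aliceTgt, app));
        System.out.println("alice -> wiki: " + cas.grantServiceTicket(aliceTgt, wiki));   // app-db is not in the default list

        TicketGrantingTicket bobTgt = cas.createTicketGrantingTicket(wiki, new Credentials("bob", "bob-pass")).orElseThrow();
        System.out.println("bob -> wiki:   " + cas.grantServiceTicket(bobTgt, wiki));
        System.out.println("bob -> app:    " + cas.grantServiceTicket(bobTgt, app));      // ldap is not allowed for app

        // The default manager never consults app-db, so alice gets no TGT when she starts at the wiki.
        System.out.println("alice at wiki: " + cas.createTicketGrantingTicket(wiki, new Credentials("alice", "alice-pass")));
    }
}
```

The design choice worth noticing is that `grantServiceTicket` does not re-authenticate; it only compares the handler name carried in the existing Authentication with the handler set of the target service's allowed manager. That is what makes the restriction hold across single sign-on: Bob's TGT, obtained through the default manager, is refused a service ticket for the application whose only trusted repository is `app-db`, and Alice's application-issued TGT is likewise refused for the unregistered service, whose default list does not include `app-db`. Which handler set applies to a service is therefore an access-control decision and belongs under the same change control as the service registry itself.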

