[cas-dev] RegisteredService->AllowedAuthenticationManager (was AllowedAuthenticationHandler)

Scott Battaglia scott.battaglia at gmail.com
Wed Jul 25 14:20:17 EDT 2007


One of the things we are considering is allowing the Services Management
interface to control which AuthenticationHandlers a service would be
able to query.  That has its own issues as it now forces more administrative
stuff on the server side which may not be desirable.  We haven't thought too
deeply about it, but it would most likely still involve one singular
AuthenticationManager.

If you get a minute, can you add your use case to our Wish List in wiki?

http://www.ja-sig.org/wiki/display/CAS/Wishlist

-Scott

On 7/18/07, Romain Bourgue <romain.bourgue at agriculture.gouv.fr> wrote:
>
> After having second thoughts, I think it could be a lot easier and more
> powerful to specify an AllowedAuthenticationManager instead of
> AllowedAuthenticationHandlers for RegisteredService...
>
> It could be easily configured by beans and the service management
> interface would just have to show a list of the available
> AuthenticationManagers.
>
> CentralAuthenticationService would call the AuthenticationManager of the
> registered service for authentication. Granting a service ticket would still
> depend on the fact that the Authentication has been granted by the
> AllowedAuthenticationManager.
>
>
> Romain
>
> Romain Bourgue wrote:
> > Hi,
> >
> >
> > I'd like to add the concept of AllowedAuthenticationHandlers for
> > services. Before developing this, I'd like to submit this idea to the
> > approval of the community...:
> >
> > We have a lot of user repositories and thus a lot of
> > AuthenticationHandlers. And some applications should only be accessed
> > by some specific repositories, that is to say, by some specific
> > AuthenticationHandlers.
> >
> > What I need, then, is to dedicate some AuthenticationHandlers to specific
> > RegisteredServices. We could define a link between applications and
> > repositories, i.e. if you have a database of credentials specific to some
> > applications, you could link the AuthenticationHandler of this database
> > and the RegisteredApplications whose users are stored in this database.
> > This could be done by defining for RegisteredService a property of type
> > AuthenticationHandler[] called AllowedAuthenticationHandler.
> >
> > The consequences of this would be:
> >
> >  - AuthenticationManager should try to authenticate only on
> >    AllowedAuthenticationHandlers[] if the service is a registered one;
> >
> >  - Granting a service ticket for a RegisteredService should only be
> >    allowed if the Authentication was made by one of the
> >    AllowedAuthenticationHandlers[]...
> >
> >  - ... that former one implies storing the AuthenticationHandler used
> >    in the Authentication;
> >
> >  - It should be possible to set the list of AllowedAuthenticationHandlers
> >    for a RegisteredService through the services management interface;
> >
> >  - It should be possible to set the list of AuthenticationHandlers for a
> >    non-registered service (default list) through the services management
> >    interface.
> >
> >
> > What do you think ?
> >
> >
> > Romain
> > _______________________________________________
> > cas-dev mailing list
> > cas-dev at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >
>



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
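Romain's proposal, as an added Python example that is not CAS code (the class shapes, handler names and credentials are constructed here): the AuthenticationManager tries only the handlers allowed for the service, the Authentication records which handler succeeded, and ticket granting fails closed when that handler is not on the service's list.

```python
from dataclasses import dataclass


@dataclass
class AuthenticationHandler:
    name: str
    users: dict  # constructed credential store: username -> password

    def authenticate(self, username, password):
        return self.users.get(username) == password


@dataclass
class Authentication:
    principal: str
    handler: str  # which handler accepted the credentials (the proposal stores this)


@dataclass
class RegisteredService:
    service_id: str
    allowed_handlers: tuple  # the AllowedAuthenticationHandlers[] of the proposal


class AuthenticationManager:
    def __init__(self, handlers, default_allowed):
        self.handlers = {h.name: h for h in handlers}
        self.default_allowed = tuple(default_allowed)  # default list for unregistered services

    def allowed_for(self, service):
        return service.allowed_handlers if service else self.default_allowed

    def authenticate(self, username, password, service=None):
        # Try only the handlers allowed for this service, in order; first success wins.
        for name in self.allowed_for(service):
            if self.handlers[name].authenticate(username, password):
                return Authentication(username, name)
        return None

    def grant_service_ticket(self, authentication, service):
        # Fail closed: an Authentication obtained through a handler this service
        # does not allow (e.g. an existing SSO session) must not yield a ticket.
        if authentication is None or authentication.handler not in self.allowed_for(service):
            return None
        target = service.service_id if service else "default"
        return f"ST-{target}-{authentication.principal}"


# Constructed sample deployment: a campus LDAP plus an application-specific database.
LDAP = AuthenticationHandler("ldap", {"alice": "pw-a"})
APP_DB = AuthenticationHandler("app_db", {"bob": "pw-b"})
FINANCE = RegisteredService("finance", allowed_handlers=("app_db",))
MANAGER = AuthenticationManager([LDAP, APP_DB], default_allowed=("ldap",))
```

The last case in the tests is the one the second list item in the proposal guards against: a principal authenticated through LDAP holds a valid Authentication, yet cannot obtain a ticket for a service that only allows the application database.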