[cas-dev] RegisteredService->AllowedAuthenticationManager (was AllowedAuthenticationHandler)

Romain Bourgue romain.bourgue at agriculture.gouv.fr
Thu Jul 26 05:08:29 EDT 2007


I added it to the Wish List describing the AllowedAuthenticationHandlers[] 
first idea.

Romain


Scott Battaglia wrote:
> One of the things we are considering is allowing the Services Management 
> interface to control which AuthenticationHandlers that a service would 
> be able to query.  That has its own issues as it now forces more 
> administrative stuff on the server side which may not be desirable.  We 
> haven't thought too deeply about it, but it would most likely still 
> involve one singular AuthenticationManager.
> 
> If you get a minute, can you add your use case to our Wish List in wiki?
> 
> http://www.ja-sig.org/wiki/display/CAS/Wishlist
> 
> -Scott
> 
> On 7/18/07, Romain Bourgue <romain.bourgue at agriculture.gouv.fr> wrote:
> 
>     After having second thoughts, I think it could be a lot easier and more
>     powerful to specify an AllowedAuthenticationManager instead of
>     AllowedAuthenticationHandlers for RegisteredService...
> 
>     It could be easily configured by beans and the service management
>     interface would just have to show a list of AuthenticationManager
>     available.
> 
>     CentralAuthenticationService would call the AuthenticationManager of the
>     registered service for authentication. Granting service ticket would
>     still depend on the fact that the Authentication has been granted by the
>     AllowedAuthenticationManager.
> 
> 
>     Romain
> 
>     Romain Bourgue wrote:
>      > Hi,
>      >
>      >
>      > I'd like to add the concept of AllowedAuthenticationHandlers for
>      > services. Before developing this, I'd like to submit this idea to the
>      > approval of the community...:
>      >
>      > We have a lot of user repositories, thus, a lot of
>      > AuthenticationHandlers. And some applications should only be accessed
>      > by some specific repositories, that is to say, by some specific
>      > AuthenticationHandlers.
>      >
>      > What I need, then, is to dedicate some AuthenticationHandler to
>      > specific RegisteredService. We could define a link between applications
>      > and repositories, i.e.: if you have a database of credentials specific
>      > to some applications, you could link the AuthenticationHandler of this
>      > database and the RegisteredApplications whose users are stored in this
>      > database.
>      > This could be done defining for RegisteredService a property of
>      > (AuthenticationHandler[]) called AllowedAuthenticationHandler.
>      >
>      > The consequences of this would be:
>      >
>      >  - AuthenticationManager should try to authenticate only on
>      > AllowedAuthenticationHandlers[] if the service is a registered one;
>      >
>      >  - Granting a service ticket for a RegisteredService should only be
>      > allowed if the Authentication was made by one of the
>      > AllowedAuthenticationHandlers[]...
>      >
>      >  - ... that former one implies to store the AuthenticationHandler used
>      > in Authentication;
>      >
>      >  - It should be possible to set the list of
>      > AllowedAuthenticationHandlers for a RegisteredService through the
>      > services management interface;
>      >
>      >  - It should be possible to set the list of AuthenticationHandlers for
>      > a not registered service (default list) through the services management
>      > interface.
>      >
>      >
>      > What do you think?
>      >
>      >
>      > Romain
>      > _______________________________________________
>      > cas-dev mailing list
>      > cas-dev at tp.its.yale.edu <mailto:cas-dev at tp.its.yale.edu>
>      > http://tp.its.yale.edu/mailman/listinfo/cas-dev
>      >
> 
> 
> 
> 
> -- 
> -Scott Battaglia
> 
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> 
> 


More information about the cas-dev mailing list
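
The rule proposed in this thread (record which handler produced the Authentication, then check it again whenever a service ticket is requested) sketched as an added Java example. It is not code from CAS or from the posters: every type, handler name and example.org URL in it is hypothetical, and it assumes Java 16 or later for records.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration with hypothetical types; this is not the CAS API.
public class AllowedHandlerPolicy {

    // A registered service and the handler names allowed to vouch for its users.
    record RegisteredService(String id, Set<String> allowedHandlers) {}

    // The Authentication remembers which handler validated the credentials.
    record Authentication(String principal, String handlerName) {}

    private final Map<String, RegisteredService> registry = new HashMap<>();
    private final Set<String> defaultHandlers; // list for services that are not registered

    AllowedHandlerPolicy(Set<String> defaultHandlers, RegisteredService... services) {
        this.defaultHandlers = Set.copyOf(defaultHandlers);
        for (RegisteredService s : services) registry.put(s.id(), s);
    }

    // Handlers the manager may try for this service (registered list or default list).
    Set<String> handlersFor(String serviceId) {
        RegisteredService s = registry.get(serviceId);
        return s == null ? defaultHandlers : s.allowedHandlers();
    }

    // Evaluated on every service-ticket request, including requests that reuse
    // an existing single sign-on session created for a different service.
    boolean mayGrantServiceTicket(Authentication auth, String serviceId) {
        return handlersFor(serviceId).contains(auth.handlerName());
    }

    public static void main(String[] args) {
        var policy = new AllowedHandlerPolicy(
            Set.of("ldapHandler"),
            new RegisteredService("https://hr.example.org/", Set.of("hrDatabaseHandler")),
            new RegisteredService("https://wiki.example.org/", Set.of("ldapHandler", "hrDatabaseHandler")));

        // Constructed session: the user logged in once, through the LDAP handler.
        var sso = new Authentication("jdoe", "ldapHandler");

        // The wiki lists ldapHandler; the HR service accepts only its own database
        // handler; the unlisted service falls back to the default list.
        for (String svc : new String[] {"https://wiki.example.org/", "https://hr.example.org/", "https://unlisted.example.org/"}) {
            System.out.println(svc + " -> " + policy.mayGrantServiceTicket(sso, svc));
        }
    }
}
```

The ticket-time check is what keeps a session opened through one repository from reaching a service tied to another, because filtering handlers only at login never sees later requests made on the same session.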