[cas-dev] JA-SIG CAS Client for Java and Authorization classes

Scott Battaglia scott.battaglia at gmail.com
Thu Sep 27 13:17:21 EDT 2007 

Andrew,

The question was merely is it worth including the rudimentary filters in the
CAS Client release.  Are people using them?  It wasn't about adding
additional complexity in terms of authorization.

-Scott

On 9/27/07, Andrew Petro <apetro at unicon.net> wrote:
>
>  Scott,
>
> I added rudimentary built-in simple authorization filter support once upon
> a time to the Yale Java CAS Client to support the simplest of use cases
> around quick and dirty authorization.
>
> For instance, how does one CASify the Tomcat Manager web application<http://www.ja-sig.org/wiki/display/CAS/CASifying+Tomcat+Manager>?
> The quickest, naive approach, is to simply zap all the stuff in the manager
> web.xml, slap an authentication filter on it, and slap an authorization
> filter on it.  On my dev box, on the order of one usename needs to be
> authorized: mine.  Including that simple filter made this use case
> implementable by dropping in one .jar and doing a quick web.xml surgery.
>
> There are all sorts of ways that solution can be further factored.  Use
> JAAS or Tomcat Realms or spin out the components of the Java CAS client into
> five or six component .jars or provide for lots of optional configuration.
> To my mind, all of that moves away from the sweet spot -- once I actually do
> need complex configurable authorization beyond "Is the username one of these
> whitespace-delimited Strings that I configured right where I declared the
> CASFilter?", I'm reaching for Acegi.
>
> My gut feel is that the Java CAS client shouldn't look to venture any
> further into implementing authorization use cases than the simple "is the
> username in this set?" use case, leaving that complexity to the Acegi
> project.  If the world needs a Java client configuration for e.g.
> implementing access control policy based on the user attributes conveyed by
> CAS 3.1, that complexity seems to me to most belong in Acegi using its
> authorization voters and so forth.
>
> Andrew
>
>
>
>
>
> Just in addition to this: I'm wondering if we should only look at exposing
> the authorization information via the request object if we do expose it
> (isUserInRole).  Thoughts?
>
> -Scott
>
> On 9/13/07, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> >
> > All,
> > I'm currently working on updating the JA-SIG CAS Client for Java to
> > include the latest CAS 3.1 features (SAML support, Logout support [with
> > Andrew Feller's help], etc.).  One thing I'm also working on is simple
> > web.xml configuration with the option of more advanced Spring-based XML
> > configuration (for those who want more options).
> >
> > At this point I realized we have the very simple authorization example
> > filters.  Anyone actually use these?  Should they stick around?  Moved to
> > the wiki as an example of simple authorization? I'm trying to minimize
> > the number of filter options in order to ease configuration.
> >
> > Thanks
> > -Scott
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
>
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas-dev/attachments/20070927/1c6e0be7/attachment.html

More information about the cas-dev mailing list