Service context for CredentialsToPrincipalResolver

Scott Battaglia scott_battaglia at rutgers.edu
Wed Aug 16 22:49:33 EDT 2006


Michael,

The CredentialsToPrincipalResolver is not the appropriate place to 
filter attributes based on service, as the 
CredentialsToPrincipalResolver is only called once per authentication 
(which is generally with a TicketGrantingTicket) and not on each 
ServiceTicket generation.

It may be easier (and more efficient) to retrieve the attributes and 
store them in a map as an additional property on your principal.  Then 
in your view (the default view is a JSP page but you can actually make 
it a Java class if it's easier) access the "Service" object for the 
particular service you are responding to (it's available in the request) 
and populate your XML response by retrieving only the attributes from 
your Principal that are referenced in your Service object.

We'll probably be looking at making this easier to do in future CAS 
versions but for the moment that is the easiest way.

-Scott

Scott Battaglia
Application Developer, Architecture & Engineering Team
Enterprise Systems and Services, Rutgers University
v: 732.445.0097 | f: 732.445.5493 | scott_battaglia at rutgers.edu 



Michael P Stewart wrote:
>
> We are modifying CAS to serve our needs, in some contexts (particular 
> services) we need more information back from our LDAP than merely the uid.
>
> We have set up a generic "AttributesLoader" class which gets its 
> direction from the deployerconfigcontext.xml, is loaded by the 
> CredentialsToPrincipalResolver and currently passes everything back to 
> every application requesting CAS authentication. This is unnecessary 
> traffic and in some cases for us might represent a bit of a security 
> risk.
>
> As far as I can tell, if we want to set up service-specific context for 
> the CredentialsToPrincipalResolver we need to modify the final class 
> AuthenticationManagerImpl to carry that information. Is this the only 
> way we can get the Service information to the 
> CredentialsToPrincipalResolver or is there another way of doing this 
> that we're not seeing?
>
> The desired outcome is to be able to configure, for each allowed 
> service in the service.xml a set of attributes that are required by 
> the service after authentication is successful.
>
> Or is there a better way of managing service-specific resolution of 
> credentials? I recall some discussions of deployers wanting to specify 
> the type of credentials to be used for specific services but can't 
> find anything that gives us any help in what we're trying to do.
>
> I really don't want to be modifying a final class in CAS but at this 
> point don't see another way around the problem without much code and 
> wailing and gnashing of teeth...
> --
> michael p stewart
> Web Services
> British Columbia Institute of Technology
>
> 604.451.6739
> mpstewart at bcit.ca
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>   
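
The approach described in the reply above (load all attributes once onto the principal, then release only those the requesting service is configured for when building the response), as an added example that is not part of the original thread and is not CAS code. The `AttributePrincipal` and `ServiceEntry` types, the XML element names and the sample data are hypothetical stand-ins.

```java
import java.util.*;

// Added illustration; these types are hypothetical stand-ins, not CAS classes.
public class AttributeReleaseExample {

    /** Principal carrying every attribute loaded once at authentication time. */
    record AttributePrincipal(String id, Map<String, Object> attributes) {}

    /** Per-service entry listing the attribute names that service may receive. */
    record ServiceEntry(String url, Set<String> allowedAttributes) {}

    /** Returns only the principal attributes the service is configured to receive. */
    static Map<String, Object> release(AttributePrincipal p, ServiceEntry s) {
        Map<String, Object> out = new TreeMap<>();
        if (s == null) return out; // unknown service: release nothing beyond the id
        for (String name : s.allowedAttributes()) {
            Object v = p.attributes().get(name);
            if (v != null) out.put(name, v);
        }
        return out;
    }

    /** Builds the per-service response body, XML-escaping every value. */
    static String toXml(AttributePrincipal p, ServiceEntry s) {
        StringBuilder sb = new StringBuilder("<user>" + escape(p.id()) + "</user>\n");
        release(p, s).forEach((k, v) ->
            sb.append("<attribute name=\"").append(escape(k)).append("\">")
              .append(escape(String.valueOf(v))).append("</attribute>\n"));
        return sb.toString();
    }

    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        // Constructed sample data.
        AttributePrincipal p = new AttributePrincipal("jdoe", Map.of(
            "mail", "jdoe@example.org", "employeeNumber", "E1234", "department", "R&D"));
        ServiceEntry portal = new ServiceEntry(
            "https://portal.example.org/", Set.of("mail", "department"));
        System.out.println(toXml(p, portal)); // department and mail only
        System.out.println(toXml(p, null));   // user id only
    }
}
```

The filter is an allow-list applied at response time, so a service with no configured entry receives only the user id.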