How to customize authn or validation process?

Scott Battaglia scott.battaglia at gmail.com
Wed Aug 30 10:39:35 EDT 2006


There are two ways to easily accomplish this.  One is on the client
application side and one is on the server (CAS) side.

The client side one involves returning all groups and then allowing the
client to make the decision.

On the server side however, you can augment the Principal to include roles
(using the CredentialsToPrincipalResolver) and then write a custom
ValidationSpecification:
http://developer.ja-sig.org/source/browse/jasig/cas3/cas-server-core/src/main/java/org/jasig/cas/validation/ValidationSpecification.java?r=1.1

You write a custom ValidationSpecification, providing setters for the values
you want to capture from the Request object, and then compare the Assertion
to those values.  If it's "not satisfied", CAS will not return the NetId.
You then configure this ValidationSpecification in your controller.

-Scott

On 8/30/06, Jean-Noel Colin <jn.colin at gmail.com> wrote:
>
> Hi
>
> I would like to achieve the following using CAS:
> I have a user db that contains all my users, assigned to groups, and I
> run several portals that only users from the proper group may reach
> (users from group1 for portal1, group2 for portal2, ...)
>
> Currently, using CAS, if a user has authenticated, he's granted access
> to all portals. There's no way to
>
> Looking at CAS architecture, I would see two options of achieving this:
> * have a custom Credentials object that contains username, password and
> group to log into; if username + password are valid and user belongs to
> this group, login succeeds, otherwise, it fails; the question here is
> how do I define Credentials, how do I populate the new Credentials
> object with the right data and how do I get it passed to my
> AuthenticationModule
> * have users login as usual but have a custom 'validate' function that
> takes as a parameter the ticket, the service + a group, and if the user
> whom the ticket was issued for is not part of the group, have the
> validation fail
>
> Could you please tell me whether this is feasible and which option would
> be best?
>
> Regards
>
> Jean-Noel Colin
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
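A sketch of the server-side approach Scott describes, as an added example that is not code from this thread or from the CAS project. It assumes the CAS 3 interfaces named in the imports (ValidationSpecification with isSatisfiedBy(Assertion), CredentialsToPrincipalResolver with resolvePrincipal/supports, Principal with getId()), that the validate controller instantiates the configured ValidationSpecification per request and binds request parameters onto its setters (so a "group" parameter lands in setGroup), and that the user's own Authentication is the last element of the Assertion's chain. GroupStore, GroupAwarePrincipal, GroupLookupCredentialsToPrincipalResolver and GroupCheckingValidationSpecification are hypothetical names; in a real project each class would live in its own file.

```java
// Added example, not code from the thread or from CAS. Java 5+ syntax.
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.ValidationSpecification;

/** Hypothetical lookup into the site's user db: which groups a user belongs to. */
interface GroupStore {
    Set<String> groupsOf(String username);
}

/** Principal augmented with the user's group memberships (step 1: the resolver side). */
final class GroupAwarePrincipal implements Principal, Serializable {
    private static final long serialVersionUID = 1L;
    private final String id;
    private final Set<String> groups;

    GroupAwarePrincipal(String id, Set<String> groups) {
        this.id = id;
        this.groups = Collections.unmodifiableSet(new HashSet<String>(groups));
    }

    public String getId() { return id; }
    public Set<String> getGroups() { return groups; }
}

/** Resolver that builds the augmented Principal after the credentials have been authenticated. */
final class GroupLookupCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver {
    private final GroupStore store;

    GroupLookupCredentialsToPrincipalResolver(GroupStore store) { this.store = store; }

    public Principal resolvePrincipal(Credentials credentials) {
        String username = ((UsernamePasswordCredentials) credentials).getUsername();
        return new GroupAwarePrincipal(username, store.groupsOf(username));
    }

    public boolean supports(Credentials credentials) {
        return credentials instanceof UsernamePasswordCredentials;
    }
}

/**
 * Step 2: the ValidationSpecification. The "group" property is assumed to be bound
 * from the validate request's "group" parameter by the controller's data binder.
 */
public final class GroupCheckingValidationSpecification implements ValidationSpecification {
    private String group;

    public void setGroup(String group) { this.group = group; }
    public String getGroup() { return group; }

    public boolean isSatisfiedBy(Assertion assertion) {
        // Fail closed: a validate request that names no group gets no NetId.
        if (group == null || group.trim().length() == 0) {
            return false;
        }
        List<?> chain = assertion.getChainedAuthentications();
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        // Assumption: the user's own authentication is the last element of the chain.
        Authentication auth = (Authentication) chain.get(chain.size() - 1);
        Principal principal = auth.getPrincipal();
        if (!(principal instanceof GroupAwarePrincipal)) {
            // Resolver not wired in: deny rather than release the NetId unchecked.
            return false;
        }
        return ((GroupAwarePrincipal) principal).getGroups().contains(group.trim());
    }
}
```

Two caveats a deployer would want. First, the spec above fails closed for validate requests without a group parameter, which is deliberate here; if some clients should keep working unchanged, give the property a default rather than returning false. Second, the group name arrives from the requesting portal itself, so this check enforces the group the portal asked for, not which group that portal is entitled to ask for; tying the allowed group to the registered service (or comparing it against the Assertion's service) is what would stop portal1 from simply requesting group2.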

