How to customize authn or validation process?
Jean-Noel Colin
jn.colin at gmail.com
Wed Aug 30 11:08:23 EDT 2006
Scott,
Thanks for your help. I'm rather new to CAS, so please excuse me if my
questions sound too simple :-)
A few words on my setup first: I'm protecting ColdFusion pages behind an
Apache server with mod_cas.
About the first solution, how does the server return information? I've
read that when queried, the validate servlet of the server returns the
netid (ticket is valid). In my case, I could retrieve the userid by
using the REMOTE_USER session variable, but how do I tell the server to
return more information?
About the second solution, when is the Resolver invoked and by whom?
Same question for the ValidationSpecification. I have difficulty
following the internal server workflow. Is that documented somewhere?
Thanks a lot
Jean-Noel
Scott Battaglia wrote:
> There are two ways to easily accomplish this. One is on the client
> application side and one is on the server (CAS) side.
>
> The client side one involves returning all groups and then allowing the
> client to make the decision.
>
> On the server side however, you can augment the Principal to include
> roles (using the CredentialsToPrincipalResolver) and then write a custom
> ValidationSpecification:
> http://developer.ja-sig.org/source/browse/jasig/cas3/cas-server-core/src/main/java/org/jasig/cas/validation/ValidationSpecification.java?r=1.1
>
> You write a custom ValidationSpecification, providing setters for values
> you want to capture from the Request object and then compare the
> Assertion to those values. If it's "not satisfied" CAS will not
> return the NetId. You then configure this ValidationSpecification in
> your controller.
>
> -Scott
>
> On 8/30/06, *Jean-Noel Colin* <jn.colin at gmail.com> wrote:
>
> Hi
>
> I would like to achieve the following using CAS:
> I have a user db that contains all my users, assigned to groups, and I
> run several portals that only users from the proper group may reach
> (users from group1 for portal1, group2 for portal2, ...)
>
> Currently, using CAS, if a user has authenticated, he's granted access
> to all portals. There's no way to
>
> Looking at CAS architecture, I would see two options of achieving this:
> * have a custom Credentials object that contains username, password and
> group to log into; if username + password are valid and user belongs to
> this group, login succeeds, otherwise, it fails; the question here is
> how do I define Credentials, how do I populate the new Credentials
> object with the right data and how do I get it passed to my
> AuthenticationModule
> * have users login as usual but have a custom 'validate' function that
> takes as a parameter the ticket, the service + a group, and if the user
> whom the ticket was issued for is not part of the group, have the
> validation fail
>
> Could you please tell me whether this is feasible and which option would
> be best?
>
> Regards
>
> Jean-Noel Colin
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
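The server-side option Scott describes (augment the Principal with group membership, then write a ValidationSpecification that compares the Assertion against a value taken from the validation request) looks roughly like the following. This is an added example written for this thread, not code from the CAS project or from either poster. It assumes the CAS 3 `ValidationSpecification` interface with a single `isSatisfiedBy(Assertion)` method, a Principal implementation whose `getAttributes()` map carries a `groups` entry populated by your own CredentialsToPrincipalResolver, a request parameter named `requiredGroup` that the validate controller binds onto the setter, and that the user's own authentication is the last entry of the assertion's chained authentications (earlier entries being proxies); check all of these against the CAS version you run.

```java
package example.cas; // hypothetical package name

import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.ValidationSpecification;

/**
 * Refuses to release the NetId unless the authenticated user belongs to the
 * group named by the client in the validation request, e.g.
 *   /serviceValidate?ticket=...&service=...&requiredGroup=portal1
 * A user who is authenticated but not in the group gets the same failure as
 * an invalid ticket, so the portal never sees their identity.
 */
public class GroupMembershipValidationSpecification implements ValidationSpecification {

    /** Principal attribute holding group names (assumed to be set by your resolver). */
    private static final String GROUPS_ATTRIBUTE = "groups";

    private String requiredGroup;

    /** Populated from the "requiredGroup" request parameter by the controller's binding. */
    public void setRequiredGroup(String requiredGroup) {
        this.requiredGroup = requiredGroup;
    }

    public boolean isSatisfiedBy(Assertion assertion) {
        // Fail closed: a validation request that names no group is denied
        // rather than silently falling back to "any authenticated user".
        if (requiredGroup == null || requiredGroup.trim().length() == 0) {
            return false;
        }
        List authentications = assertion.getChainedAuthentications();
        if (authentications == null || authentications.isEmpty()) {
            return false;
        }
        // Assumption: the user's own login is the last element; earlier
        // elements are proxying services and must not be consulted here.
        Authentication userAuth =
            (Authentication) authentications.get(authentications.size() - 1);
        Principal principal = userAuth.getPrincipal();
        Map attributes = principal.getAttributes();
        if (attributes == null) {
            return false;
        }
        return isMember(attributes.get(GROUPS_ATTRIBUTE), requiredGroup.trim());
    }

    /** Accepts either a single group name or a collection of names. */
    private static boolean isMember(Object groups, String wanted) {
        if (groups == null) {
            return false;
        }
        if (groups instanceof Collection) {
            for (Object g : (Collection) groups) {
                if (wanted.equals(String.valueOf(g))) {
                    return true;
                }
            }
            return false;
        }
        return wanted.equals(String.valueOf(groups));
    }
}
```

Two points worth noting when wiring this in. First, `requiredGroup` comes from the client application, so an application that asks for the wrong group is simply denied; it cannot elevate itself, because the comparison is always against what the resolver put on the Principal, never against anything the client supplied about the user. Second, CAS creates the specification per request from the class configured on the validate controller and binds request parameters onto its setters, so the class needs a public no-argument constructor and must hold no state across requests.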