How to customize authn or validation process?
Scott Battaglia
scott.battaglia at gmail.com
Wed Aug 30 20:58:25 EDT 2006
If you're using the normal validate endpoint then I don't recommend the
first method as the validate endpoint doesn't return an XML response.
In reference to the second method I spoke about, the flow is as follows:
1. Your application contacts CAS with three pieces of information: (1)
service url, (2) ticket, and (3) required role
2. The CAS server takes the service url and the ticket and attempts to
validate the ticket. Upon success it returns an Assertion object.
3. The validate endpoint then uses some Spring Framework magic to bind the
required role to the validation specification and
validationSpecification.isSatisfiedBy is called.
4. That isSatisfiedBy returns true or false. If it's false, the application
does not get the NetId. If it's true then it will.
Within your own custom ValidationSpecification, you would write code to
compare the required role to see if the Principal has it.
You would also need to write a custom CredentialsToPrincipalResolver that is
plugged into the AuthenticationManager that would retrieve the role
information you need. The AuthenticationManager is *only* called on a
request for Authentication so you would need to load all of the roles and
hold on to them.
Take a look at the JavaDocs:
http://developer.ja-sig.org/projects/cas/multiproject/cas-server/apidocs/index.html
On 8/30/06, Jean-Noel Colin <jn.colin at gmail.com> wrote:
>
> Scott,
>
> Thanks for your help. I'm rather new to CAS, so please excuse me if my
> questions sound too simple :-)
>
> A few words on my setup first: I'm protecting ColdFusion pages behind an
> Apache server with mod_cas.
>
> About the first solution, how does the server return information? I've
> read that when queried, the validate servlet of the server returns the
> netid (ticket is valid). In my case, I could retrieve the userid by
> using the REMOTE_USER session variable, but how do I tell the server to
> return more information?
>
> About the second solution, when is the Resolver invoked and by whom?
> Same question for the ValidationSpecification. I have difficulty
> following the internal server workflow. Is that documented somewhere?
>
> Thanks a lot
>
> Jean-Noel
>
> Scott Battaglia wrote:
> > There are two ways to easily accomplish this. One is on the client
> > application side and one is on the server (CAS) side.
> >
> > The client side one involves returning all groups and then allowing the
> > client to make the decision.
> >
> > On the server side however, you can augment the Principal to include
> > roles (using the CredentialsToPrincipalResolver) and then write a custom
> > ValidationSpecification:
> >
> http://developer.ja-sig.org/source/browse/jasig/cas3/cas-server-core/src/main/java/org/jasig/cas/validation/ValidationSpecification.java?r=1.1
> >
> > You write a custom ValidationSpecification, providing setters for values
> > you want to capture from the Request object and then compare the
> > Assertion to those values. If it's "not satisfied" CAS will not
> > return the NetId. You then configure this ValidationSpecification in
> > your controller.
> >
> > -Scott
> >
> > On 8/30/06, *Jean-Noel Colin* <jn.colin at gmail.com> wrote:
> >
> > Hi
> >
> > I would like to achieve the following using CAS:
> > I have a user db that contains all my users, assigned to groups, and I
> > run several portals that only users from the proper group may reach
> > (users from group1 for portal1, group2 for portal2, ...)
> >
> > Currently, using CAS, if a user has authenticated, he's granted access
> > to all portals. There's no way to
> >
> > Looking at CAS architecture, I would see two options of achieving this:
> > * have a custom Credentials object that contains username, password and
> > group to log into; if username + password are valid and user belongs to
> > this group, login succeeds, otherwise, it fails; the question here is
> > how do I define Credentials, how do I populate the new Credentials
> > object with the right data and how do I get it passed to my
> > AuthenticationModule
> > * have users login as usual but have a custom 'validate' function that
> > takes as a parameter the ticket, the service + a group, and if the user
> > whom the ticket was issued for is not part of the group, have the
> > validation fail
> >
> > Could you please tell me whether this is feasible and which option would
> > be best?
> >
> > Regards
> >
> > Jean-Noel Colin
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
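As an added illustration of the server-side flow Scott describes (not code from this thread or from CAS itself): a ValidationSpecification whose requiredRole setter is filled by the controller's request binding and whose isSatisfiedBy compares that role against roles a custom CredentialsToPrincipalResolver placed on the Principal. The RolePrincipal class, the requiredRole parameter name and the position of the end user's Authentication in the assertion chain are assumptions.

```java
package example.cas; // hypothetical package, not part of CAS

import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.ValidationSpecification;

public class RequiredRoleValidationSpecification implements ValidationSpecification {

    /** Hypothetical Principal built by a custom CredentialsToPrincipalResolver that
     *  loads the user's roles at authentication time and keeps them on the Principal. */
    public static final class RolePrincipal implements Principal {
        private final String id;
        private final Set<String> roles;

        public RolePrincipal(String id, Set<String> roles) {
            this.id = id;
            this.roles = Collections.unmodifiableSet(roles);
        }
        public String getId() { return id; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Assumed to be bound from a "requiredRole" request parameter by the validate controller. */
    private String requiredRole;

    public void setRequiredRole(String requiredRole) { this.requiredRole = requiredRole; }

    public boolean isSatisfiedBy(Assertion assertion) {
        // Fail closed: a validate request that names no role must not unlock the NetId.
        if (requiredRole == null || requiredRole.trim().length() == 0) {
            return false;
        }
        List<?> chain = assertion.getChainedAuthentications();
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        // Assumption: the end user's Authentication is the last entry of the chain
        // (earlier entries are proxies), as the CAS 3 success view reads it.
        Authentication auth = (Authentication) chain.get(chain.size() - 1);
        Principal principal = auth.getPrincipal();
        if (!(principal instanceof RolePrincipal)) {
            return false; // resolver did not augment the Principal: refuse rather than guess
        }
        return ((RolePrincipal) principal).hasRole(requiredRole);
    }
}
```

The specification replaces the default one in the validate controller's Spring bean definition, and the application adds the requiredRole parameter to its validate call alongside service and ticket.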