Delegate authentication ?
Romain Bourgue
romain.bourgue at agriculture.gouv.fr
Thu Aug 16 04:45:31 EDT 2007
Hi,
I'm willing to implement the possibility for users to delegate their
authentication to another CAS server.
Thinking of it, I wonder which is the , I wanted to have your point of view on
the implementation of
all this.
_Use case :_
Two CAS servers : myCASServer and partnrCASServer
1- When asked for login/pass on myCASServer, the user clicks on "Use
[partnrCASServer] authentication instead"
2- We save his 'service' parameter in his context and redirect him to
https://[partnrCASServer]/login?service=https://[myCASServer]/stValidator
3- When he comes back on /stValidator with a ServiceTicket, myCASServer
validates this ST on partnrCASServer, gets the NetID of the user, and creates the
Authentication object on myCASServer.
_Implementation ideas :_
1- /stValidator is protected with a CAS authentication filter.
2- Rely on PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction
for getting a Principal from the authentication filter.
3- If we receive ST from different CAS servers, a specific URL will be used for
each of them (/stPartnr1Validator, /stPartnr2Validator etc...)
But then, I'm wondering about the best way to implement it in the Spring framework. As
I'm not an expert in Spring there might be a better way... :
- Do I define another web flow for /stValidator with an <action> bean :
on="success" to="sendTicketGrantingTicket", just like the login-webflow ?
or
- Do I declare a controller bean that will call a
PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction and then interact
with the centralAuthenticationService...?
or
- better idea??
Romain
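
Added example, not part of the original post: steps 2 and 3 of the use case at the CAS protocol level, with one fixed callback path per partner as in implementation idea 3. The host names, the `PARTNERS` table, the function names and the sample responses are assumptions constructed for illustration; `/serviceValidate` is the CAS 2.0 validation endpoint, which the post does not name.

```python
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of CAS 2.0 validation responses
MY_CAS = "https://mycas.example.org"   # hypothetical host for myCASServer
# One fixed callback path per partner (implementation idea 3), so the server a
# ticket is validated against is never chosen from request data.
PARTNERS = {"/stPartnr1Validator": "https://partnr1.example.net"}  # hypothetical

def partner_login_url(path):
    """Step 2: where the user is redirected on the partner server."""
    query = urllib.parse.urlencode({"service": MY_CAS + path})
    return f"{PARTNERS[path]}/login?{query}"

def validate_url(path, ticket):
    """Step 3: back-channel URL; 'service' must equal the value sent in step 2."""
    query = urllib.parse.urlencode({"service": MY_CAS + path, "ticket": ticket})
    return f"{PARTNERS[path]}/serviceValidate?{query}"

def netid_from_response(body):
    """Return the NetID from a serviceValidate response body, or None."""
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return None  # a validation response has no DTD; refuse entity tricks
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        return None
    user = root.find("cas:authenticationSuccess/cas:user", {"cas": CAS_NS})
    netid = (user.text or "").strip() if user is not None else ""
    return netid or None

# Constructed sample responses (not captured from a real server).
SAMPLE_OK = (b"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
             b"<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
             b"</cas:authenticationSuccess></cas:serviceResponse>")
SAMPLE_FAIL = (b"<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               b"<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized"
               b"</cas:authenticationFailure></cas:serviceResponse>")

if __name__ == "__main__":
    print(partner_login_url("/stPartnr1Validator"))
    print(validate_url("/stPartnr1Validator", "ST-1-constructed"))
    print(netid_from_response(SAMPLE_OK), netid_from_response(SAMPLE_FAIL))
```

The HTTPS fetch of the validation URL is left to the caller; it has to verify the partner's certificate, since the NetID is only as trustworthy as that back-channel.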