CAS integration at Rutgers (and other large organizations)
Stephane Bailliez
sbailliez at gmail.com
Thu Mar 1 10:03:16 EST 2007
Smith, Matt wrote:
> UConn is inverting what you describe -- instead of using CAS for webdav,
> etc, use a mechanism (Kerberos/LDAP) better suited for those non
> browser-based services, and then use CAS to easily extend those
> mechanisms to the browser environment.
Yes, that would be my preference as well rather than having to bend so
many things to integrate with CAS.
Out of curiosity, how do you structure your LDAP?
Typically I use Acegi for access control of resources within webapp
through the basic acl modules (will switch on later to the new acl
modules once I get a grip of it and if it is worth it).
I'm using AOP to control access to domain objects and check if the user
has the appropriate acls.
So ideally (but not necessarily) would need to store those acls into
ldap and of course have other systems able to interpret those acls (which
are application specific, as resources depend on applications).
I guess I'm opening a whole can of worms here since acls are probably
the hardest part to get right/maintain, assuming there is a general 'get
it right' for this :)
-- stephane