separate authentication handlers based on domain?
auron
jinslee at gmail.com
Wed Jul 2 11:33:51 EDT 2008
Hi Andrew -
Thanks for your help! Yes, I did see that on the wiki about using multiple
authentication handlers.
I guess this boils down to the question of authentication/authorization. I
realize that CAS is strictly just for authenticating a user. I was just
wondering if maybe there was *some* type of authorization ability, even if
it was something very high level.
Thanks again,
Jin
Andrew R Feller wrote:
>
> Jin,
>
> With CAS, you can set up multiple authentication handlers and specify the
> order users are authenticated against them. In the
> /WEB-INF/deployerConfigContext.xml file, there is an authenticationManager
> bean that has a property called authenticationHandlers, which is an ordered
> list of authentication handlers. Since both intranet and extranet users
> should be authenticated against AD first, I would put the handler for AD
> first and then the JDBC handler.
>
> For more information on available handlers and how to configure them, check
> out the following JA-SIG CAS wiki articles:
>
> http://www.ja-sig.org/wiki/display/CASUM/Active+Directory
> http://www.ja-sig.org/wiki/display/CASUM/JDBC
>
> As far as AD authentication goes, I've used both LDAP and Kerberos. If you
> can swing LDAP, I'd go that route as older versions of Sun Java have a
> memory leak in the KerberosLogin module used by Kerberos authentication.
>
> HTH,
> Andrew
>
> On 7/1/08 3:21 PM, "auron" <jinslee at gmail.com> wrote:
>
>>
>> Hello all -
>>
>> We have an intranet for our employees and an extranet for employees +
>> clients. Our intranet uses CAS + BindLDAP and everything works great.
>>
>> We have been designing our extranet and have run into a question:
>>
>> 1 - Can CAS authenticate users separately based on the domain, or some other
>> qualifier? Ideally, we would like to use the same CAS to authenticate our
>> extranet and intranet users. The intranet can authenticate based on AD, and
>> the extranet can authenticate based on AD + JDBC of our clients.
>>
>> 2 - If this is not possible, would running 2 separate CAS servers be our
>> only option?
>>
>> Thank you very much
>>
>> Jin Lee
>
> --
> Andrew R. Feller, Analyst
> Information Technology Services
> 200 Fred Frey Building
> Louisiana State University
> Baton Rouge, LA 70803
> (225) 578-3737 (Office)
> (225) 578-6400 (Fax)
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
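The ordered-handler setup Andrew describes, written out as an added example for a CAS 3.x /WEB-INF/deployerConfigContext.xml. This is not code from the thread or from the CAS project; the hostnames, DNs, table and column names, the SQL, the JDBC driver, and the ${...} property placeholders (which assume a PropertyPlaceholderConfigurer such as cas.properties is in scope, so secrets stay out of this file) are all assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or the CAS project): AD via LDAP bind
     first, then a JDBC handler for extranet client accounts. Hosts, DNs,
     table/column names, SQL and the ${...} placeholders are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

  <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">

    <!-- Turns the submitted credentials into a principal (the username). -->
    <property name="credentialsToPrincipalResolvers">
      <list>
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </list>
    </property>

    <!-- Ordered list: handlers are tried top to bottom and the first one that
         accepts the credentials wins. AD is first because every employee is
         in AD; only extranet clients fall through to the JDBC table. -->
    <property name="authenticationHandlers">
      <list>
        <!-- 1. Active Directory: find the DN, then bind as the user, over LDAPS. -->
        <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
          <property name="filter" value="sAMAccountName=%u" />
          <property name="searchBase" value="OU=Staff,DC=corp,DC=example,DC=com" />
          <property name="contextSource" ref="adContextSource" />
          <!-- AD answers subtree searches with referrals; without this the
               search fails with PartialResultException even for valid users. -->
          <property name="ignorePartialResultException" value="true" />
        </bean>

        <!-- 2. Client accounts in the extranet database (assumed schema). The
             stored value is compared to the SHA-256 digest of the submitted
             password, never to the cleartext. -->
        <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
          <property name="dataSource" ref="extranetDataSource" />
          <property name="sql"
                    value="SELECT password_hash FROM client_users WHERE username = ? AND enabled = 1" />
          <property name="passwordEncoder">
            <bean class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
              <constructor-arg value="SHA-256" />
            </bean>
          </property>
        </bean>

        <!-- Handles CAS proxy-callback credentials; keep it after the
             user-facing handlers. -->
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
      </list>
    </property>
  </bean>

  <!-- Read-only AD service account used only to locate the user's DN. -->
  <bean id="adContextSource"
        class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false" />
    <property name="urls">
      <list>
        <value>ldaps://dc1.corp.example.com:636/</value>
      </list>
    </property>
    <property name="userDn" value="CN=cas-lookup,OU=Service Accounts,DC=corp,DC=example,DC=com" />
    <property name="password" value="${ad.lookup.password}" />
    <property name="baseEnvironmentProperties">
      <map>
        <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
        <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
        <entry key="java.naming.security.authentication" value="simple" />
      </map>
    </property>
  </bean>

  <!-- Connection pool for the extranet client table (assumed driver and URL). -->
  <bean id="extranetDataSource"
        class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
    <property name="driverClassName" value="org.postgresql.Driver" />
    <property name="url" value="jdbc:postgresql://db.example.com:5432/extranet" />
    <property name="username" value="cas_ro" />
    <property name="password" value="${extranet.db.password}" />
  </bean>
</beans>
```

Two things to check before relying on this ordering. First, the chain only reaches the JDBC handler when the AD handler declines the credentials rather than throwing; handler versions differ in whether a bad password is reported as `false` or as an exception, so test a known-bad AD login and confirm it falls through. Second, "AD first" means a client whose extranet username collides with an AD sAMAccountName is authenticated against AD, not the client table, so keep the two username namespaces disjoint (or qualify client names) if the same login form serves both populations.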