authorization problem

qingzhao zheng qingzhaoz at yahoo.com.cn
Mon May 26 10:38:55 EDT 2008 

Hi,
There is one application named TCMManager ,all users loggin from TCMManager and click the URL List to visit other applications .
and the url list dynamically produced according to the database tables---r_user_application(id,staffid,appid);
 For example,user jack have the right to visit appone and apptwo,but not appthree. so jack visit TCMManager, and it 
redirect to CAS server ,after he login ,it return to the TCMManager.Now he has the appone and apptwo's urls,and he can click to
visit them as he likes. The problem is  if he knows the appthree's url ,he can visit the appthree in the same browser window when 
he type the url in the address bar.This is not allow because he doesn't have the right.What can I do to prohibit this??
    I have put cas client code in the TCMManger,appone,apptwo,appthree using the cas1 protocal.configure like this:
              <filter> 
     <filter-name>CAS Filter</filter-name> 
     <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class> 
     <init-param> 
       <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name> 
       <param-value>https://qing:8443/cas/login</param-value> 
     </init-param> 
     <init-param> 
       <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name> 
       <param-value>https://qing:8443/cas/serviceValidate</param-value> 
     </init-param> 
     <init-param> 
       <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name> 
       <param-value>qing:8888</param-value> 
     </init-param> 
  </filter> 
  in cas server I user jdbcAuthenticate Handler ,
     <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
                            <property name="sql" value="select password from t_staff where username=?" />
                            <property name="dataSource" ref="dataSource" />
    </bean>
.
can I prohibit this by modify the "sql" ?
or is it right for me to use cas1 protocal in this situation?
Can anybody give me some advice?
                                                                   thanks,
                                                                       qingzhao,

       
---------------------------------
 ÑÅ»¢ÓÊÏ䣬ÄúµÄÖÕÉúÓÊÏ䣡
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080526/ff1583bc/attachment.html

More information about the cas mailing list