Role Based Services Authorization
Since version 1.5, cas-addons includes a facility that adds a coarse-grained, role-based authorization capability to the CAS server. It is based on a custom, generic set of authorization attributes configured for each registered service (which could mean anything, e.g. roles) and a Spring Web Flow action state implementation that compares this set with the set of attributes of the authenticated principal and makes authorization decisions based on these two sets. If authorization fails, the login flow is halted and no service ticket is vended.
The service authorization action state is further parameterized with a strategy API, RegisteredServiceAuthorizer, and a default implementation is provided out of the box (it simply computes the intersection of the two sets of attributes and, if any one value matches, authorizes further processing):
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cas="http://unicon.net/schema/cas"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://unicon.net/schema/cas http://unicon.net/schema/cas/cas-addons.xsd">
<cas:service-authorization-action/>
</beans>
If you wish to plug in a different type of authorizer, just define a bean implementing the RegisteredServiceAuthorizer interface and set the authorizer attribute:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cas="http://unicon.net/schema/cas"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://unicon.net/schema/cas http://unicon.net/schema/cas/cas-addons.xsd">
<bean id="myAuthorizer" class="com.mycompany.MyCustomAuthorizer"/>
<cas:service-authorization-action authorizer="myAuthorizer"/>
</beans>
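The any-match rule described above for the default authorizer, modeled as an added Java example that is not code from cas-addons and does not implement the real RegisteredServiceAuthorizer interface, whose method signature is not shown on this page. The class name, the map shapes (attribute name to allowed values for the service, attribute name to a single value or a collection for the principal) and the sample data are assumptions.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration: a stand-alone model of "authorize if any one value matches".
// Hypothetical class; it is not part of cas-addons.
public class AnyMatchAuthorizationModel {

    // Principal attributes may hold one value or many; normalize to a collection.
    static Collection<?> valuesOf(Object attribute) {
        if (attribute == null) {
            return Collections.emptyList();
        }
        if (attribute instanceof Collection) {
            return (Collection<?>) attribute;
        }
        return Collections.singletonList(attribute);
    }

    // True when at least one principal value appears among the values the
    // service lists under the same attribute name.
    static boolean authorized(Map<String, Set<String>> serviceAttrs,
                              Map<String, Object> principalAttrs) {
        for (Map.Entry<String, Set<String>> required : serviceAttrs.entrySet()) {
            for (Object value : valuesOf(principalAttrs.get(required.getKey()))) {
                if (value != null && required.getValue().contains(value.toString())) {
                    return true;
                }
            }
        }
        // No overlap. A service with no authorization attributes also ends up here
        // under this literal reading; the page does not state how cas-addons treats that case.
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real CAS deployment.
        Map<String, Set<String>> service = Map.of("memberOf", Set.of("admins", "helpdesk"));
        Map<String, Object> multiValued = Map.of("memberOf", List.of("staff", "helpdesk"));
        Map<String, Object> singleValued = Map.of("memberOf", "students");
        Map<String, Object> wrongName = Map.of("department", "admins");

        System.out.println("one overlapping value:       " + authorized(service, multiValued));
        System.out.println("no overlapping value:        " + authorized(service, singleValued));
        System.out.println("value under different name:  " + authorized(service, wrongName));
        System.out.println("service with no attributes:  " + authorized(Map.of(), multiValued));
    }
}
```

When writing a custom authorizer, the last two cases are the ones to decide deliberately: whether values are compared per attribute name, and whether a service with no authorization attributes is open or closed.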