This repository has been archived by the owner on Nov 3, 2017. It is now read-only.

Role Based Services Authorization

dima767 edited this page Apr 24, 2013 · 17 revisions

Since version 1.5, cas-addons includes a facility that adds a coarse-grained, role-based authorization capability to the CAS server. It is based on a custom, generic set of authorization attributes configured for each registered service (which could mean anything, e.g. roles) and a Spring Web Flow action state implementation which compares this set with the set of attributes of the authenticated principal and makes authorization decisions based on these two sets. If authorization fails, the login flow is halted and no service ticket is vended.

The service authorization action state is further parameterized with a strategy API, RegisteredServiceAuthorizer, and a default implementation is provided out of the box (it simply computes the intersection of the two sets of attributes and, if any one value matches, authorizes further processing).
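
The default decision described above, as an added sketch that is not cas-addons code. The class and method names, the memberOf attribute, and the treatment of a service with no authorization attributes are assumptions; the real RegisteredServiceAuthorizer signature is not shown on this page.

```java
import java.util.*;

// Added sketch of the "any one value matches" decision; all names are hypothetical.
// It does not implement RegisteredServiceAuthorizer (signature not shown on the page).
public class AnyMatchAuthorizationSketch {
    // serviceAttrs: attribute name -> values configured on the registered service.
    // principalAttrs: attribute name -> a single value or a Collection of values.
    static boolean authorized(Map<String, Set<String>> serviceAttrs,
                              Map<String, Object> principalAttrs) {
        // Assumption: a service with no authorization attributes is unrestricted.
        if (serviceAttrs == null || serviceAttrs.isEmpty()) {
            return true;
        }
        if (principalAttrs == null) {
            return false; // nothing to match against: fail closed
        }
        for (Map.Entry<String, Set<String>> required : serviceAttrs.entrySet()) {
            Object held = principalAttrs.get(required.getKey());
            if (held == null) {
                continue;
            }
            // Normalize single-valued and multi-valued principal attributes.
            Collection<?> heldValues = (held instanceof Collection)
                    ? (Collection<?>) held
                    : Collections.singletonList(held);
            for (Object value : heldValues) {
                if (value != null && required.getValue().contains(value.toString())) {
                    return true; // one matching value is enough (OR semantics)
                }
            }
        }
        return false; // empty intersection: flow halts, no service ticket is vended
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real service registry.
        Map<String, Set<String>> service = new HashMap<>();
        service.put("memberOf", new HashSet<>(Arrays.asList("staff", "admins")));
        Map<String, Object> alice = new HashMap<>();
        alice.put("memberOf", Arrays.asList("students", "staff"));
        Map<String, Object> bob = new HashMap<>();
        bob.put("memberOf", "students");

        System.out.println("alice authorized: " + authorized(service, alice));
        System.out.println("bob authorized:   " + authorized(service, bob));
    }
}
```

Because any single match authorizes, every value added to a service's attribute set widens access; requiring several roles at once would need a custom authorizer.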

Configuration

In WEB-INF/spring-configuration/serviceAuthorizationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cas="http://unicon.net/schema/cas"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://unicon.net/schema/cas http://unicon.net/schema/cas/cas-addons.xsd">

    <cas:service-authorization-action/>

</beans>

If you wish to plug in a different type of authorizer, define a bean implementing the RegisteredServiceAuthorizer interface and set the authorizer attribute:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cas="http://unicon.net/schema/cas"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://unicon.net/schema/cas http://unicon.net/schema/cas/cas-addons.xsd">

    <bean id="myAuthorizer" class="com.mycompany.MyCustomAuthorizer"/>

    <cas:service-authorization-action authorizer="myAuthorizer"/>

</beans>