Thanks Scott! Very helpful feedback.
-Duffy
------------------------------
Duffy Gillman
Sr. Software Engineer
rSmart
On Sep 9, 2009, at 7:07 PM, Scott Battaglia wrote:
On Wed, Sep 9, 2009 at 6:30 PM, Duffy Gillman <du...@rsmart.com>
wrote:
Hi -
I'm working to provide CAS client integration for Sakai in a
sustainable fashion. I've run into some strange discrepancies
regarding CAS and I'm hoping folks on this list will be able to
help me sort through 'best practices'. I appreciate any insight
folks can lend.
First, the documentation for CASifying Sakai ([1] and [2]) and the
documentation on the JA-SIG site [3] depict configuration of 2.1.1
versions of the CAS Java client. However, it is clear from the CAS
wiki that 3.1.x versions are current [4]. Is there a reason that
JA-SIG is still promoting 2.1.1 that I should be aware of, or
should I chalk this up to stale documentation?
The current actively developed CAS Client for Java is the Jasig CAS
Client for Java 3.1.x (where x is currently 7, but will soon be
8 ;-)). That said, the Yale CAS Client still works. We detail in
our wiki (http://www.ja-sig.org/wiki/display/CASC/Home) the various
levels of support and labeling for various clients. We've been
actively maintaining the wiki for our client documentation.
Unfortunately some of the older site content got transferred to the
new site. We're actively working on defining some CAS volunteer
positions and one of them will hopefully be a CAS Webmaster who can
clean up the mess!
Second, Spring Security suggests a model for CAS client integration
which seems a bit foreign. In their reference document
SpringSource depicts configuring a CAS client of their creation
[5]. In their configuration CasAuthenticationProvider is wired up
in Spring and must be supplied with a UserDetailsService whose role
appears to be to provide user attributes from some client-side
source. This seems counter-intuitive and out-of-scope if one is
simply aiming to authenticate a user (clearly the new SAML
assertion capabilities of CAS and the use of Shibboleth make
attribute lookup feasible... but should it really be part of every
CAS integration scenario?). Am I missing something?
The Spring Security model is a generic model that supports multiple
scenarios. One scenario is loading those attributes from another
source, such as LDAP or a database, since the SAML 1.1 support is
relatively new in Spring Security (it was not available until they
upgraded to the more recent CAS Clients) and CAS2 protocol typically
relied on another mechanism for attributes. Spring Security 3 will
include some helper UserDetailsServices that allow for better
integration with the Assertion returned by the CAS Client. The
trunk of Spring Security 3 includes such code (I wrote it, though it
hasn't been tested yet ;-))
Hopefully that answers some of your questions. The CAS Client for
Java 3.1.x mostly handles the authentication interaction piece with
CAS and is designed such that if heavy-duty authorization is
required it can integrate with other frameworks/libraries such as
Spring Security (or something in Sakai).
Cheers,
Scott
Thanks in advance,
Duffy
[1] http://confluence.sakaiproject.org/display/SAKDEV/CASifying+Sakai
[2] http://confluence.sakaiproject.org/display/~steve.swinsburg/CASifying+Sakai
[3] http://www.jasig.org/cas/client-integration/java-client
[4] http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
[5] http://static.springsource.org/spring-security/site/docs/3.0.x/reference/cas.html#cas-client
------------------------------
Duffy Gillman
Sr. Software Engineer
rSmart
--
You are currently subscribed to cas-dev@lists.jasig.org as:
scott.battag...@gmail.com
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev