There is a realm and valves in tomcat that allows to use CAS in no-CAS aware web applications : https://wiki.jasig.org/display/CASC/Tomcat+Container+Authentication
But I think it misses a few things : - it should be possible to encore security in a application even if it's developper forgot to prepare the web.xml for it. - it can't map CAS group to application role. - it should extract CAS attributes and file the http session with them, so the web application can use it. The mapping from one attribute to the other should be user defined. I wrote a realm for that : https://github.com/fbacchella/CasRealm Any feed back is welcome. This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. If you are not one of the named recipients or have received this email in error, (i) you should not read, disclose, or copy it, (ii) please notify sender of your receipt by reply email and delete this email and all attachments, (iii) Dassault Systemes does not accept or assume any liability or responsibility for any use of or reliance on this email. For other languages, go to http://www.3ds.com/terms/email-disclaimer -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user