CAS server (3.5.x at the moment).

I've been asked to look into feasibility of restricting access of a
dynamic subset of users to a subset of CAS clients based on a criterion
evaluated at the CAS server. If the user meets the condition, they have
unrestricted access to our CAS clients. If the user does not, they may
access only a (severely) restricted set of CAS clients.

Specifically, this is to meet a training requirement, with a penalty
(the restriction) imposed for not doing so.

My initial thought is to try to wire in two service registries, one
restricted, the other unrestricted, with a bit of glue code to keep
track of them, then use a PersonDirectory attribute(s) as condition on
which registry to choose.

The general CAS Spring webflow seems to start with validating a service
(from a single service registry) before moving on to the credentials
webflow. In my 'hypothetical' case, I'd need to invert that: resolve the
user and attributes, then use that information to choose which set of
valid services to test (cf. ssoEnabled).

To me, this sounds like a fair amount of risky work. Anyone have/use a
case like this before? How did you approach it? If not, how might one
approach this? Any different for CAS 4.x?

Thanks!
Tom.
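
The ordering described in the post, as an added example (plain Java, not CAS code and not from the original message): the user's attributes are resolved first and then select which registry the requested service is checked against. The class names, the `trainingComplete` attribute, the example.edu URLs and the sample users are assumptions constructed for illustration; the attribute map mirrors the multi-valued shape PersonDirectory returns.

```java
import java.util.List;
import java.util.Map;

public class AttributeGatedServices {
    // Hypothetical stand-in for a service registry: a named list of allowed URL prefixes.
    // Prefixes end in "/" so a look-alike host such as training.example.edu.other.test does not match.
    record Registry(String name, List<String> allowedPrefixes) {
        boolean permits(String serviceUrl) {
            return serviceUrl != null && allowedPrefixes.stream().anyMatch(serviceUrl::startsWith);
        }
    }

    static final Registry UNRESTRICTED = new Registry("unrestricted",
            List.of("https://apps.example.edu/", "https://training.example.edu/"));
    static final Registry RESTRICTED = new Registry("restricted",
            List.of("https://training.example.edu/"));

    // Runs after authentication and attribute resolution. Fails closed: a missing,
    // multi-valued or unexpected attribute value selects the restricted registry.
    static Registry registryFor(Map<String, List<Object>> attributes) {
        List<Object> values = attributes.getOrDefault("trainingComplete", List.of());
        boolean compliant = values.size() == 1 && "true".equals(String.valueOf(values.get(0)));
        return compliant ? UNRESTRICTED : RESTRICTED;
    }

    // The service check that the stock flow performs up front, moved behind the attribute lookup.
    static boolean mayAccess(Map<String, List<Object>> attributes, String serviceUrl) {
        return registryFor(attributes).permits(serviceUrl);
    }

    public static void main(String[] args) {
        // Constructed sample users.
        Map<String, List<Object>> trained = Map.of("trainingComplete", List.<Object>of("true"));
        Map<String, List<Object>> untrained = Map.of("trainingComplete", List.<Object>of("false"));
        Map<String, List<Object>> noAttribute = Map.of();

        String app = "https://apps.example.edu/payroll";
        String training = "https://training.example.edu/course/1";

        System.out.println("trained     -> app:      " + mayAccess(trained, app));
        System.out.println("untrained   -> app:      " + mayAccess(untrained, app));
        System.out.println("untrained   -> training: " + mayAccess(untrained, training));
        System.out.println("noAttribute -> app:      " + mayAccess(noAttribute, app));
    }
}
```

Because the registry is chosen per request from the current attributes, the same check has to run when a service ticket is issued against an existing SSO session, not only at initial login, or a user whose status changes mid-session keeps the old access.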
