  • authorities retrieval via remote service

    Our team has decided to use CAS as a single sign-on solution. CAS takes care of the username and password check, but once that has succeeded, Acegi delegates to a CasAuthoritiesPopulator for retrieving the granted authorities. Since we do not want to repeatedly set up data sources within the app server for each of our webapps that need to retrieve authorities, we'd like to call a remote service to retrieve the authorities.

    My question is how to do this best. Our solution so far is as follows:

    A separate webapp (let's say a2) exists to return authorities in an XML document in response to an HTTPS request from the webapp (let's say a1) requesting authorities. a2 is protected by Acegi, and a1 is a CAS proxy on behalf of the user. The assumption is that some entity, whether it's a1 or the user being proxied, will have to be authenticated and authorized to retrieve roles. I'm not sure which one. If the user is the entity being authenticated, then the assumption is that each user has the authority to request and see his/her authorities. I'm not sure if there are security issues there.

    Does anyone see any holes or outright inaccuracies in the proposed solution?

    Has work already been done to put role retrieval behind a web service or any kind of remote service for that matter?


  • #2
    No work has been done on abstracting this behind a web service. Provided that you implement a suitable CasAuthoritiesPopulator it does not matter where your GrantedAuthority[]s come from.

    The practical solution most people go for is to use DaoCasAuthoritiesPopulator with a single shared backend Authentication repository. Alternatively, use a custom CasAuthoritiesPopulator but retrieve the information from LDAP, and that way it's more easily accessible by non-CAS applications. It also moves responsibility for administration and directory replication to a more dedicated system.

    A web service will work, though.
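As an added example (not code from this thread or from Acegi itself), here is the custom CasAuthoritiesPopulator the reply suggests, wired to the a1/a2 design in the question: a1 asks the Acegi-protected a2 over HTTPS for the user's roles and turns the XML reply into GrantedAuthority[]s. It assumes Acegi 1.0.x package names and the `UserDetails getUserDetails(String casUserId)` signature, that a1 authenticates itself to a2 with its own HTTP Basic credential (one of the two options the question raises), a service URL and XML element names that are made up here, and Java 5 or later for the JAXP feature call.

```java
import java.io.InputStream;
import java.net.URL;
import java.net.URLEncoder;
import javax.net.ssl.HttpsURLConnection;
import javax.xml.parsers.DocumentBuilderFactory;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationServiceException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.cas.CasAuthoritiesPopulator;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.w3c.dom.NodeList;

public class RemoteCasAuthoritiesPopulator implements CasAuthoritiesPopulator {
    private final String serviceUrl;      // fixed in a1's config, e.g. https://a2.example.org/authorities (assumed)
    private final String basicCredential; // base64("a1:secret"): a1 authenticates itself to the Acegi-protected a2
    public RemoteCasAuthoritiesPopulator(String serviceUrl, String basicCredential) {
        this.serviceUrl = serviceUrl;
        this.basicCredential = basicCredential;
    }

    public UserDetails getUserDetails(String casUserId) throws AuthenticationException {
        GrantedAuthority[] authorities;
        try {
            // casUserId came from a validated CAS ticket; encode it so it cannot reshape the query sent to a2
            URL url = new URL(serviceUrl + "?user=" + URLEncoder.encode(casUserId, "UTF-8"));
            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(); // cast rejects a plain http:// URL
            conn.setRequestProperty("Authorization", "Basic " + basicCredential);
            authorities = parseAuthorities(conn.getInputStream()); // getInputStream throws on a 4xx/5xx from a2
        } catch (Exception e) {
            throw new AuthenticationServiceException("cannot retrieve authorities for " + casUserId, e);
        }
        if (authorities.length == 0) { // unknown user: fail closed rather than log in with no roles
            throw new AuthenticationServiceException("no authorities known for " + casUserId);
        }
        return new User(casUserId, "n/a", true, true, true, true, authorities); // CAS already verified the password
    }

    // Parses a2's reply, assumed here to look like <authorities><authority>ROLE_USER</authority>...</authorities>
    static GrantedAuthority[] parseAuthorities(InputStream xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/entity expansion
        NodeList nodes = factory.newDocumentBuilder().parse(xml).getElementsByTagName("authority");
        GrantedAuthority[] result = new GrantedAuthority[nodes.getLength()];
        for (int i = 0; i < nodes.getLength(); i++) {
            result[i] = new GrantedAuthorityImpl(nodes.item(i).getTextContent().trim());
        }
        return result;
    }
}
```

Because a1 only ever talks to the service URL fixed in its own configuration and rejects the login when a2 is unreachable or returns no roles, a failure of the remote service denies access instead of silently granting an authority-less session.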