...
Panel | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
Since CAS has become a service that can authenticate via may tiers (web, web service, etc.), it is no longer appropriate to merely monitor the service parameter. In CAS 3, in order to provide the same functionality, the CAS Core is wrapped via AOP. Any method in CentralAuthenticationService that provides access for a service (such as grantServiceTicket) is intercepted and checked against the whitelist. Additionally, one may provide a list of services that are allowed to proxy. On delegateTicket, this list is checked. If the service is not allowed access, an UnauthorizedServiceException is thrown, which can be caught by the tier that called the core. |
...
Panel | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
Building on the ServicesRegistry, CAS allows the service to register a SSO callback with CAS. Using AOP we monitor the Ticket registry for the addition of Service Tickets (so we can keep track of the services for a TicketGrantingTicket and the removal of TicketGrantingTickets. On removal of a TicketGrantingTicket, we look to see if there are any entries in our map. We then match the service tickets to the service and execute its callback handler. |
...
Panel | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
The default CAS 3 view does NOT automatically process anything with the url parameter. However, it would be trivial to swap out the current logout.jsp and replace it with one that checks that parameter and displays additional information. |
...
Panel | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
Built into the Logout Controller, is logic that if it detects the service parameter is set, will attempt to redirect back to the service. |
...
Panel | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
Within the model passed to the view on a ticket validation request, is an Assertion. The assertion includes what CAS asserts about the ticket. Part of this is a boolean of isFromNewLogin. Because this is automatically passed by the Controller, one just needs to modify the successful validation view they are using to display that parameter. |
...
Panel | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
CAS 3 provides a pluggable point where you may provide a custom Principal and CredentialsToPrincipalResolver. As long as an object inheriting the Principal interface is returned, CAS has no preference as to the underlying implementation. This principal is passed on to the view. If you implement your own custom view (replacing the default success response, you may read any attributes that the principal has attached to it and return them. |