AllowedAuthenticationHandlers for RegisteredService

Use case:
We have a lot of user repositories and thus a lot of AuthenticationHandlers. Some applications should only be accessible from some specific repositories, that is to say, through some specific AuthenticationHandlers.
It would be nice to be able to dedicate some AuthenticationHandlers to specific RegisteredServices: we could define a link between applications and repositories, i.e. if you have a database of credentials specific to some applications, you could link the AuthenticationHandler of this database to the RegisteredServices of the applications whose users are stored in this database.
This would lead to defining user communities and specifying, for each application, which community or communities (i.e. AuthenticationHandlers) are allowed to access this application.
A 'default' RegisteredService with a list of default AuthenticationHandlers would be used when no service parameter is provided.

Implementation ideas:

  • If no RegisteredService is defined, CAS should behave just like it does now: treat all services with the list of AuthenticationHandlers defined in the AuthenticationManager
  • The services management interface should allow specifying the (ordered?) list of AuthenticationHandlers for a RegisteredService, chosen from a list of available AuthenticationHandlers
  • An AuthenticationHandlerRepository could be used to store the available AuthenticationHandlers
  • AuthenticationHandlers could have a name/id so they can be administered easily
  • When logging in, the provided credentials should be validated through the list of AllowedAuthenticationHandlers of the RegisteredService matching the service parameter if one is specified, or of the default RegisteredService if not
  • The Authentication should keep a trace of the AuthenticationHandler that validated the credentials, so that grantServiceTicket can check that the AuthenticationHandler used for authentication is in the list of AllowedAuthenticationHandlers for this service (i.e. RegisteredService)
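The following is an added sketch of how these ideas fit together; it is illustrative code written for this page, not CAS source, and every class and method name in it (MapAuthenticationHandler, allowedAuthenticationHandlers, authenticationHandlerName, grantServiceTicket, the user repositories and service ids) is an assumption chosen for the example. It shows the two enforcement points the proposal calls for: at login, only the handlers allowed for the requested service (or the default service) are tried, and at service-ticket granting, the handler recorded in the Authentication must be in the target service's allowed list, so a single sign-on session obtained through one community's repository cannot be used to reach another community's application.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class AllowedHandlersDemo {

    /** Minimal username/password credentials; real CAS has a richer Credentials hierarchy. */
    static final class UsernamePasswordCredentials {
        final String username, password;
        UsernamePasswordCredentials(String u, String p) { username = u; password = p; }
    }

    /** A handler with a name/id, as proposed, so a RegisteredService can reference it. */
    interface AuthenticationHandler {
        String getName();
        boolean authenticate(UsernamePasswordCredentials c);
    }

    /** Constructed in-memory "user repository" standing in for a database or LDAP directory (plaintext map for the demo only). */
    static final class MapAuthenticationHandler implements AuthenticationHandler {
        private final String name;
        private final Map<String, String> users;
        MapAuthenticationHandler(String name, Map<String, String> users) { this.name = name; this.users = users; }
        public String getName() { return name; }
        public boolean authenticate(UsernamePasswordCredentials c) {
            return c.password.equals(users.get(c.username));
        }
    }

    /** RegisteredService extended with the proposed ordered list of allowed handler names. */
    static final class RegisteredService {
        final String id;
        final List<String> allowedAuthenticationHandlers;
        RegisteredService(String id, List<String> allowed) { this.id = id; this.allowedAuthenticationHandlers = allowed; }
    }

    /** Authentication now keeps a trace of the handler that validated the credentials. */
    static final class Authentication {
        final String principal, authenticationHandlerName;
        Authentication(String p, String h) { principal = p; authenticationHandlerName = h; }
    }

    static final class AuthenticationManager {
        private final Map<String, AuthenticationHandler> handlerRepository = new LinkedHashMap<>(); // the proposed handler repository
        private final RegisteredService defaultService;

        AuthenticationManager(List<AuthenticationHandler> handlers, RegisteredService defaultService) {
            for (AuthenticationHandler h : handlers) handlerRepository.put(h.getName(), h);
            this.defaultService = defaultService;
        }

        /** Login: try only the handlers allowed for the target service, in order; fall back to the default service's list. */
        Authentication authenticate(UsernamePasswordCredentials c, RegisteredService target) {
            RegisteredService svc = target != null ? target : defaultService;
            for (String name : svc.allowedAuthenticationHandlers) {
                AuthenticationHandler h = handlerRepository.get(name);
                if (h != null && h.authenticate(c)) return new Authentication(c.username, name);
            }
            return null; // no allowed handler accepted the credentials
        }

        /** Service-ticket granting: the handler that authenticated the session must be allowed for the requested service. */
        String grantServiceTicket(Authentication auth, RegisteredService svc) {
            if (!svc.allowedAuthenticationHandlers.contains(auth.authenticationHandlerName)) {
                throw new SecurityException("handler " + auth.authenticationHandlerName
                        + " is not allowed for service " + svc.id);
            }
            return "ST-" + svc.id + "-" + auth.principal; // placeholder ticket id, not CAS's ticket format
        }
    }

    public static void main(String[] args) {
        Map<String, String> hrUsers = new LinkedHashMap<>();   hrUsers.put("alice", "hr-pw");
        Map<String, String> ldapUsers = new LinkedHashMap<>(); ldapUsers.put("bob", "ldap-pw");
        AuthenticationHandler hrDb = new MapAuthenticationHandler("hrDatabase", hrUsers);
        AuthenticationHandler ldap = new MapAuthenticationHandler("ldapStaff", ldapUsers);

        RegisteredService payroll  = new RegisteredService("payroll",  Arrays.asList("hrDatabase"));
        RegisteredService intranet = new RegisteredService("intranet", Arrays.asList("ldapStaff", "hrDatabase"));
        RegisteredService defaults = new RegisteredService("default",  Arrays.asList("ldapStaff", "hrDatabase"));
        AuthenticationManager mgr = new AuthenticationManager(Arrays.asList(hrDb, ldap), defaults);

        // bob logs in without a service parameter: the default list is used and ldapStaff validates him
        Authentication bob = mgr.authenticate(new UsernamePasswordCredentials("bob", "ldap-pw"), null);
        System.out.println("bob authenticated by " + bob.authenticationHandlerName);
        System.out.println(mgr.grantServiceTicket(bob, intranet));          // allowed: ldapStaff is on intranet's list
        try {
            mgr.grantServiceTicket(bob, payroll);                           // refused: payroll only trusts hrDatabase
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
        // logging in directly against payroll never even consults ldapStaff
        System.out.println("bob for payroll: " + mgr.authenticate(new UsernamePasswordCredentials("bob", "ldap-pw"), payroll));
    }
}
```

Two points worth keeping when turning this into a real change: the check in grantServiceTicket is the one that matters for security, because the login-time filtering only decides which handlers are consulted, while the ticket-time check is what stops an existing SSO session from crossing community boundaries; and the default RegisteredService's list should be configured explicitly rather than inferred from "all handlers", otherwise adding a new repository silently widens what every service without an explicit list accepts.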