Hi Rafael,
Thanks for the answer.
I do actually have my set up working now but it involves a couple of extra
Java classes so if I am doing it wrong then I don't mind eliminating them.
I may have my understanding backwards for Acegi and CAS but I was under the impression that:
1) A user requests a page that first requires authentication and Acegi Security (which is acting as the CAS client for JForum) redirects to the CAS login page;
2) The user logs into CAS and is sent back to Acegi Security;
3) Acegi Security now checks in the JForum database to see if the user who logged into CAS has a login in the JForum database in order so that it can check their permissions;
4) If the resource the user originally requested is allowed based upon both URL and permissions (as defined in the acegi-security.xml) then Acegi Security allows access to the requested page.
I am not sure, at least in the way I have things set up, that JForum even gets a look in until the user is already authenticated and at the page that required the log in.
[originally posted on jforum.net by klogger]