I have integrated CAS with JForum using Acegi Security. Unfortunately, it looks like I need to have the user registered in the JForum database (so that user permissions get passed to CAS) with the way I have things set up. I am currently doing a http post of the user data from my own registration page to the JForum API which then registers the user in the JForum database. The problem is that when I set JForum to use SSO the user registration is disabled and so my post fails. So, is there a simple way to enable SSO but not have it disable the registration page?
Failing a simple solution, I think I would be looking towards editing the source code that prevents user registration when SSO is enabled. Can anyone point me in the direction of the part in the API that handles user registration? I had a quick 20 minute look but couldn't find it.
If I am doing this the wrong way then I would be happy to learn the alternatives. [originally posted on jforum.net by klogger]
It is the file UserAction.java, method insertSave(). However, SSO already registeres the user when he first logs in in JForum. In other words, when you enable SSO and the user who's landing on the forum does not exist in jforum_users yet, JForum will automatically create it and associate with the sso user.
Rafael [originally posted on jforum.net by Rafael Steil]
I do actually have my set up working now but it involves a couple of extra Java classes so if I am doing it wrong then I don't mind eliminating them.
I may have my understanding backwards for Acegi and CAS but I was under the impression that:
1) A user requests a page that first requires authentication and Acegi Security (which is acting as the CAS client for JForum) redirects to the CAS login page;
2) The user logs into CAS and is sent back to Acegi Security;
3) Acegi Security now checks in the JForum database to see if the user who logged into CAS has a login in the JForum database in order so that it can check their permissions;
4) If the resource the user originally requested is allowed based upon both URL and permissions (as defined in the acegi-security.xml) then Acegi Security allows access to the requested page.
I am not sure, at least in the way I have things set up, that JForum even gets a look in until the user is already authenticated and at the page that required the log in.
[originally posted on jforum.net by klogger]
Oh, sure, you could do that. Or you could eat some pie. While reading this tiny ad: