在CAS中,如果尚未接受协议,我如何才能限制仅访问一项服务? [英] In CAS how can I restrict access to only one service if agreement is not yet accepted?
问题描述
有一项要求,用户必须首先接受某些许可协议,该协议仅在serviceA中存在,以便能够登录所有其他服务。
There is a requirement that the users should first accept some license agreement, which exists only in serviceA, in order to be able to login to all other services.
因此该过程应为:
- 用户通过CAS登录。
- 因为他没有接受协议,所以只能登录serviceA
- 当他接受serviceA协议时,便可以登录其他服务
注意:
serviceA以外的服务代码无法修改。
CAS也可以访问Agreement_accepted标志。
Notes:
The code for services other than serviceA cannot be modified.
Also CAS has access to the agreement_accepted flag.
使用的CAS版本:5.3.4
CAS Version used: 5.3.4
推荐答案
假定 agreement_accepted 是身份验证用户的属性,则可以设计两个访问策略S1和S2,分别应用于服务A和所有其他
Assuming agreement_accepted is an attribute for the authenticating user, you can design two access strategies, S1 and S2, that apply to service A and all other applications.
- 对于S1,该策略是CAS中的默认策略,其中授予服务A的访问权限没有问题。
- 对于S2,您可以将策略配置为仅授予
agreement_accepted作为属性的值,才授予对应用程序的访问权限并允许CAS发出票证,例如,true。
- For S1, the strategy is the default in CAS where access to service A is granted without issues.
- For S2, you can configure the strategy to only grant access to the application and allow CAS to issue a ticket, if
agreement_acceptedas an attribute has a value of, let's say,true.
此处详细介绍了服务/应用程序的访问策略:
https://apereo.github.io/cas/5.3.x/installation/Configuring-Service-Access -Strategy.html
Access strategies for services/applications are detailed here: https://apereo.github.io/cas/5.3.x/installation/Configuring-Service-Access-Strategy.html
您需要确保将S2分配给所有其他应用程序,但服务A的记录除外。
You will need to make sure S2 is assigned to all other applications, except the record for Service A.
PS您也可以考虑将CAS版本提高到5.3.8,这是撰写本文时5.3.x中的最新版本。
PS You may also consider bumping your CAS version to 5.3.8, which is the latest in 5.3.x as of this writing.
这篇关于在CAS中,如果尚未接受协议,我如何才能限制仅访问一项服务?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
