CAS on 3.0 (Was Re: Hiding a Portlet in a Filesystem Package)

Derek Richardson derek.richardson at gatech.edu
Wed Oct 17 00:47:44 UTC 2007


Matthew Wilkes wrote:
> 
> On 17 Oct 2007, at 00:48, Derek Richardson wrote:
> 
>> Matthew Wilkes wrote:
>>> On 16 Oct 2007, at 23:23, Derek Richardson wrote:
>>>> Hey. I'm writing a package to provide a Plone 3.0-compatible UI for 
>>>> PAS4CAS - a replacement for PloneCASLogin, which has not been 
>>>> updated. The basics work. I now want to hide the login portlet, 
>>>> since it is non-functional and confusing with CAS.
>>> Hi Derek,
>>>  From my own dealings with CAS, the login form is certainly not 
>>> non-functional, it's only non-functional if CAS is the sole means of 
>>> authentication.
>>
>> Hmmm. Under what conditions would you have two means (CAS + other) of 
>> authentication? If there is a use case there, I need to think about 
>> it. But it seems very strange to me. ;)
> 
> My students' union.  The following is at various levels of implementation:
> 
> There are the following types of users:
> 
> 1) Current students (CAS)
> 2) Staff (CAS)
> 3) Ex-students (maybe LDAP, maybe a different CAS server, maybe 
> something else)
> 4) Honorary Members (Membrane)
> 5) Associate members (Custom PAS or heavy-lifting with Membrane)
> 6) Affiliate members (IP matching/membrane)
> 
> The basic reasoning being there is a CAS server for current members of 
> the university, an LDAP directory of ex members and local storage of the 
> small number of people who are members of the union and not the university.

OK, I see the use case now.

>>> I recommend creating your own CAS login portlet with a link to your 
>>> CAS provider and letting the user hide or show the standard login 
>>> portlet as needed.
>>
>> Ah, that's what old PloneCASLogin did that I never understood. I mean, 
>> if the 'login' link is on the personal bar always and does just as 
>> good as a big 'CAS' button, then why spend the screen real estate? 
>> But, again, if there's a legit use case here, I should consider it.
> 
> The login link can be overridden by customisers, it's not the place of 
> your plugin to say what the main method of authentication is.

Hmmm. Like I told Martin, my package is *just* ui, not the underlying CAS PAS 
plugin. So, if I exclude everything customizers do, then my package disappears.

Maybe I just need a change in marketing rhetoric. My package is NOT for all CAS 
deployments, especially ones involving multiple auth methods. My package is 
simply so that folks who want CAS and only CAS and don't know how to do the UI 
(I didn't when I started a year and a bit ago) have an easy way to get started - 
install my package and BOOM, you have CAS working in the ui in a basic, 
covers-the-80%-of-simple-cases-well way. Like PloneCASLogin does for pre-3.0 sites.

So, the login button change is the most important thing. Hiding the portlet will 
be detailed in the README, 'cause it's simple TTW and *hard* with GS. That 
leaves the logout link redirecting to the login page. I won't customize the 
login page in my product, because, I now realize, that would be too invasive. So 
I'll just look for a way to make the logout link log the user out and redirect 
them to site root. Do you think that is acceptable?

>> I don't think we're going to use either of these (two auth mechs or 
>> big CAS button) at Georgia Tech, but, if I'm going to do battle with 
>> our legal dept to release this publicly (and I plan to), then I want 
>> to do it right to make the effort worthwhile.
> 
> I recommend talking to Pete Walker at the University of Bristol, as I 
> know they're looking to do some work with Plone 3 and we use CAS 
> extensively.  I've CCed him in.

I didn't CC him on this because I don't have Thunderbird (I read this as a gmane 
newsgroup) set up to do email. But hopefully he'll drop in and let us know what 
he thinks.

>> BTW, Matt, it was *great* sprinting with you this weekend. I really 
>> appreciate your contributions to Vice.
> 
> I'm glad to be of help, sorry about the disappearing act yesterday, was 
> in a political party headquarters just as the leader stepped down, had 
> to give up my ethernet port pretty sharpish.  You'll be happy to know I 
> have a working portal_syndication, I'm working on updating the GUI.

np, I know we all have day jobs and priorities. 'w00t!' on the working syntool 
replacement. I'll watch the logs so I can look at it hot off the kbd. I plan to 
cut an alpha2 within the next few weeks with a few more features - we'll slide 
in the syntool and hopefully wooda's work on documents as feeds, perhaps a few 
other things as well.... ;)

Derek




