x509 authentication AND a user repository

Velpi velpi at industria.be
Fri Jun 16 07:22:01 EDT 2006


Hi,

I am very happy to have successfully set up the x509 authentication for CAS (I'm 
using the Belgian e-id and that works great; Tomcat only setup).
However I don't want all Belgian citizens to be able to login to our CAS (they 
all have a trusted certificate). And I don't want to list all our user DNs in 
the CAS configuration either ;). So I should check the certificate data against 
our user repository. I suppose it is best to write a new x509 authHandler that 
checks a certain part of the certificate against our user repository (LDAP). Any 
other ideas?

The next step for us will be to translate certificate data into our current 
userId (which is not in the certificate, but in our user repository). That's 
certainly needed since it is impossible to change for example all email accounts 
(for webmail using CAS). That way we can also use both client certificates 
(smartcards) and usernamePassword interchangeably. In a later phase we would 
start limiting certain users to only use the certificate when using CAS login 
(that's a feature we'll want to see in our LDAP or RADIUS authHandler but I 
think we can configure that in our LDAP backend too). In the CAS logic it feels 
best to do this translation in a "credentialsToPrincipalResolvers" implementation.

However it feels as if both operations could be done more efficiently in one 
pass. Any ideas about that?


Thank you very much!
[of course, if my code works I'd be happy to donate it to the CAS project so a lot 
of people can benefit from it]


--Velpi
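The combined "check the certificate against the user repository and translate it into our userId" step described in the message, as an added example; this is not code from the message or from the CAS project. It assumes CAS has already validated the certificate chain and revocation status before this runs, that the holder's identifier is the subject `serialNumber` attribute (a placeholder choice; any stable, unique subject attribute works), and that the LDAP URL, base DN and attribute names are placeholders. The CAS-specific wrapping (the AuthenticationHandler and CredentialsToPrincipalResolver interfaces) is deliberately left out so the lookup logic stands on its own; the demo in `main` uses a constructed in-memory repository in place of LDAP.

```java
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.Map;
import java.util.Optional;
import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * One-pass lookup: is the certificate holder one of our users, and which
 * local userId do they map to? An empty result means "deny the login".
 * Chain and revocation checking are assumed to have happened in CAS already.
 */
public final class CertificateUserResolver {

    /** Abstraction over the user repository (LDAP in practice). */
    @FunctionalInterface
    public interface UserRepository {
        Optional<String> findUserId(String certIdentifier) throws NamingException;
    }

    // Subject attribute carrying the holder's identifier (assumption: serialNumber, OID 2.5.4.5).
    private static final String ID_ATTR_OID = "2.5.4.5";
    private static final String ID_ATTR_NAME = "SERIALNUMBER";

    private final UserRepository repository;

    public CertificateUserResolver(UserRepository repository) {
        this.repository = repository;
    }

    /** Resolve from a certificate. */
    public Optional<String> resolve(X509Certificate cert) throws NamingException, InvalidNameException {
        // Map the OID to a keyword so the value is emitted as plain text, not an RFC 2253 hex blob.
        String subject = cert.getSubjectX500Principal()
                .getName(X500Principal.RFC2253, Map.of(ID_ATTR_OID, ID_ATTR_NAME));
        return resolveSubject(subject);
    }

    /** Same logic on a subject DN string (used by the demo below). */
    public Optional<String> resolveSubject(String subjectDn) throws NamingException, InvalidNameException {
        Optional<String> id = subjectAttribute(subjectDn, ID_ATTR_NAME);
        if (!id.isPresent()) {
            return Optional.empty(); // certificate carries no usable identifier
        }
        return repository.findUserId(id.get());
    }

    /** Pick the value of one RDN type out of a DN, parsed with LdapName. */
    static Optional<String> subjectAttribute(String subjectDn, String type) throws InvalidNameException {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase(type)) {
                return Optional.of(rdn.getValue().toString());
            }
        }
        return Optional.empty();
    }

    /** LDAP-backed repository: a single search both authorises and resolves. */
    public static final class LdapUserRepository implements UserRepository {
        private final String url, baseDn, matchAttribute, userIdAttribute;

        public LdapUserRepository(String url, String baseDn, String matchAttribute, String userIdAttribute) {
            this.url = url; this.baseDn = baseDn;                // placeholders, from configuration
            this.matchAttribute = matchAttribute; this.userIdAttribute = userIdAttribute;
        }

        @Override
        public Optional<String> findUserId(String certIdentifier) throws NamingException {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, url);
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {userIdAttribute});
                // {0} makes JNDI escape the value, so a crafted certificate field cannot alter the filter.
                NamingEnumeration<SearchResult> hits = ctx.search(
                        baseDn, "(" + matchAttribute + "={0})", new Object[] {certIdentifier}, sc);
                if (!hits.hasMore()) {
                    return Optional.empty(); // trusted certificate, but not one of our users
                }
                SearchResult hit = hits.next();
                if (hits.hasMore()) {
                    return Optional.empty(); // ambiguous mapping: refuse rather than guess
                }
                Attribute uid = hit.getAttributes().get(userIdAttribute);
                return uid == null ? Optional.empty() : Optional.of(uid.get().toString());
            } finally {
                ctx.close();
            }
        }
    }

    /** Demo with a constructed in-memory repository standing in for LDAP. */
    public static void main(String[] args) throws Exception {
        Map<String, String> table = Map.of("73010111111", "jdoe"); // constructed sample data
        CertificateUserResolver resolver = new CertificateUserResolver(
                id -> Optional.ofNullable(table.get(id)));
        System.out.println(resolver.resolveSubject("SERIALNUMBER=73010111111,CN=John Doe,C=BE"));
        System.out.println(resolver.resolveSubject("SERIALNUMBER=99999999999,CN=Stranger,C=BE"));
    }
}
```

The design point is that the repository search is the authorisation decision: a certificate that chains to a trusted CA but matches no entry yields an empty result and is refused, and so does an identifier that matches more than one entry. Because one LDAP search returns the userId attribute at the same time, the handler check and the principal translation collapse into the single pass the message asks about; in CAS the same resolver can then be called from both the authentication handler and the credentials-to-principal resolver so the two stay consistent.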

