x509 authentication AND a user repository
Scott Battaglia
scott_battaglia at rutgers.edu
Mon Jun 19 09:43:57 EDT 2006
Velpi,
Since you have your complete list of users in your user repository you
could use the Authentication Handlers unmodified (just limiting using
the subject DN) and then use the custom CredentialsToPrincipalsResolver
to turn the credentials into a Principal (and returning null if none can
be found).
The default AuthenticationManager is designed to throw an
UnsupportedCredentialsException if the Principal cannot be created,
which effectively stops the login process.
-Scott
Velpi wrote:
> Hi,
>
> I am very happy to have successfully set up the x509 authentication for CAS (I'm
> using the Belgian e-id and that works great; Tomcat only setup).
> However I don't want all Belgian citizens to be able to log in to our CAS (they
> all have a trusted certificate). And I don't want to list all our user DNs in
> the CAS configuration either ;). So I should check the certificate data against
> our user repository. I suppose it is best to write a new x509 authHandler that
> checks a certain part of the certificate against our user repository (LDAP). Any
> other ideas?
>
> The next step for us will be to translate certificate data into our current
> userId (which is not in the certificate, but in our user repository). That's
> certainly needed since it is impossible to change for example all email accounts
> (for webmail using CAS). That way we can also use both client certificates
> (smartcards) and usernamePassword interchangeably. In a later phase we would
> start limiting certain users to only use the certificate when using CAS login
> (that's a feature we'll want to see in our LDAP or RADIUS authHandler but I
> think we can configure that in our LDAP backend too). In the CAS logic it feels
> best to do this translation in a "credentialsToPrincipalResolvers" implementation.
>
> However it feels as if both operations could be done more efficiently in one
> pass. Any ideas about that?
>
>
> Thank you very much!
> [of course, if my code works I'd be happy to donate it to the CAS project so a lot
> of people can benefit from it]
>
>
> --Velpi
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
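As an added illustration of the approach Scott describes (not code from this thread or from the CAS project), here is a custom CredentialsToPrincipalResolver that maps the validated certificate's subject DN to a local userId held in the user repository and returns null when there is no match, so the AuthenticationManager rejects the login even though the certificate chained to a trusted CA. It assumes the CAS 3.0 interfaces CredentialsToPrincipalResolver, X509CertificateCredentials and SimplePrincipal; the in-memory map is constructed sample data standing in for the LDAP lookup.

```java
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.x500.X500Principal;

import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;

/**
 * Resolves X.509 credentials to a Principal by looking the certificate's
 * subject DN up in the user repository. Trust in the certificate itself is
 * already established by the unmodified X.509 AuthenticationHandler; this
 * class only decides whether the holder is one of our users and which
 * userId they map to. Returning null makes the login fail.
 */
public class RepositoryX509CredentialsToPrincipalResolver
        implements CredentialsToPrincipalResolver {

    /** Constructed sample data standing in for the LDAP lookup (assumption). */
    private final Map subjectDnToUserId = new HashMap();

    public RepositoryX509CredentialsToPrincipalResolver() {
        subjectDnToUserId.put("CN=Jane Example,O=Example University,C=BE",
                              "jexample");
    }

    public boolean supports(final Credentials credentials) {
        return credentials instanceof X509CertificateCredentials;
    }

    public Principal resolvePrincipal(final Credentials credentials) {
        final X509Certificate cert =
            ((X509CertificateCredentials) credentials).getCertificate();
        if (cert == null) {
            return null; // the handler did not mark a validated certificate
        }
        // RFC 2253 form gives a canonical string to compare against the repository.
        final String subjectDn =
            cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        final String userId = (String) subjectDnToUserId.get(subjectDn);
        return userId == null ? null : new SimplePrincipal(userId);
    }
}
```

In a real deployment the map lookup would be replaced by an LDAP search keyed on the same DN string (or on a single attribute such as the certificate serial number), and the bean would be listed among the credentialsToPrincipalResolvers in the CAS configuration.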