x509 login
Marco Panella
marco.panella at unipr.it
Fri Jul 6 11:00:43 EDT 2007
Scott Battaglia wrote:
> Since you're using IBM's JVM, this may help:
> http://www.ibm.com/developerworks/forums/dw_thread.jsp?message=13885924&cat=51&thread=141188&treeDisplayType=threadmode1&forum=541#13885924
Sorry for my "RTFM-like" question. :-)
I was pretty sure my searches were careful...
I succeeded in authenticating users with x509 certificates using
org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver
to get the principal ID from the certificate information.
I use apache + mod_proxy_ajp to redirect requests to tomcat ajp
connector on port 8009.
If I present a certificate from another CA I will be correctly redirected
to the standard username-password login.
Now I'd like to solve three problems:
1) I am using v.3.0.6 and I'd like to verify that the ID is present in
my LDAP server; but I do not understand how to include
CredentialsToLDAPAttributePrincipalResolver.zip
from http://www.ja-sig.org/issues/browse/CAS-373 in my server.
2) With X509CertificateCredentialsToIdentifierPrincipalResolver my
application gets "$OU $CN" as principal ID; i.e. using esup-phpcas
library I get "Centro di Calcolo Elettronico marco.panella at unipr.it"
after a correct x509 authentication. I modify
./adaptors/x509/src/main/java/org/jasig/cas/adaptors/x509/authentication/principal/X509CertificateCredentialsToIdentifierPrincipalResolver.java
to get only the mail ($CN). Is there any other way, configuring the bean
in ../webapp/WEB-INF/deployerConfigContext.xml, to get the same result?
Is it correct to use:
<bean
  class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
  <property name="identifier" value="$CN" />
</bean>
I tried it and it works, but I was not able to find a page describing
how to use and to configure the different resolvers.
3) Is there a way to modify the configuration files to make the
authentication a double login, i.e. the user must provide a valid x509
certificate and use the correct username-password set, where the
username is the same CN from the certificate?
Best regards
Marco Panella
--
Ing. Marco Panella - tecnico di elaborazione dati
Settore Innovazione Tecnologie Informatiche, Universita' di Parma
Via G.P. Usberti, 17/A, I-43100, Parma, Italy
Phone:+39 - 0521 - 90 - 5470 Fax: +39 - 0521 - 90 - 5469
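As an added illustration (not CAS code, and not the resolver class named in the post), the following stand-alone Java shows how a "$OU $CN"-style identifier template can be expanded from a certificate subject DN, and how the resulting ID can be checked against a directory before it is accepted as a principal, which is the point of the poster's first question. The subject DN, the template semantics and the "known principals" set are all constructed assumptions for the demo.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SubjectDnPrincipalDemo {
    // Constructed sample subject, in the RFC 2253 form that
    // X509Certificate.getSubjectX500Principal().getName() returns.
    static final String SAMPLE_SUBJECT =
        "CN=marco.panella@unipr.it,OU=Centro di Calcolo Elettronico,O=Universita di Parma,C=IT";

    // Constructed stand-in for the LDAP directory: the only IDs a login may resolve to.
    static final Set<String> KNOWN_PRINCIPALS =
        new HashSet<>(Arrays.asList("marco.panella@unipr.it"));

    // Placeholders of the form $CN, $OU, ... (assumed template syntax for this demo).
    static final Pattern PLACEHOLDER = Pattern.compile("\\$([A-Za-z]+)");

    /** Maps each RDN type (CN, OU, ...) to its value; the first occurrence in LdapName order wins. */
    static Map<String, String> rdnMap(String subjectDn) throws InvalidNameException {
        Map<String, String> attrs = new HashMap<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            attrs.putIfAbsent(rdn.getType().toUpperCase(Locale.ROOT), rdn.getValue().toString());
        }
        return attrs;
    }

    /** Expands the template; a placeholder missing from the subject yields null (no principal). */
    static String resolvePrincipal(String template, String subjectDn) throws InvalidNameException {
        Map<String, String> attrs = rdnMap(subjectDn);
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = attrs.get(m.group(1).toUpperCase(Locale.ROOT));
            if (value == null) return null;
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** The extra check from problem 1: only accept a CN that the directory actually knows. */
    static boolean isKnownPrincipal(String principalId) {
        return principalId != null && KNOWN_PRINCIPALS.contains(principalId);
    }

    public static void main(String[] args) throws InvalidNameException {
        System.out.println(resolvePrincipal("$OU $CN", SAMPLE_SUBJECT));
        String cn = resolvePrincipal("$CN", SAMPLE_SUBJECT);
        System.out.println(cn + " known=" + isKnownPrincipal(cn));
        System.out.println(resolvePrincipal("$UID", SAMPLE_SUBJECT));
    }
}
```

With the constructed subject, "$OU $CN" expands to the two-part ID the poster saw from esup-phpcas, "$CN" expands to the mail address alone and passes the directory check, and a template naming an attribute the certificate lacks resolves to no principal at all.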