Thanks for the feedback. I had just looked at the overlay stuff very briefly.
Let me try and explain what I have been told to do. We have many CASified applications on campus. I have been informed that they cannot be modified. We need them to accept Access Manager (yes, OpenSSO) tokens in addition to CAS tickets as a valid credential. When the CAS filter redirects the application to the CAS server we want to intercept the request and see if there is an Access Manager token (cookie) and validate it. If the token is valid we want to return to the filter that the user is valid, same as if the application had a valid CAS ticket. If there is no Access Manager token or it is invalid we want CAS to continue to follow its normal processing and return that the user is authenticated or, if not present, the CAS login page.

A little knowledge is dangerous. My architect read the wiki page on X509 handlers and decided it would be very easy to just write a handler that is configured the same way (pom.xml, web-flow.xml, cas-servlet.xml) but instead of validating an X509 cert it would simply validate the Access Manager token. In his opinion I just need to write an org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction but call it org.jasig.cas.adaptors.x509.web.flow.AccessManagerCredentialsNonInteractiveAction, and write an org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler called org.jasig.cas.adaptors.x509.authentication.handler.support.AccessManagerCredentialsAuthenticationHandler. Then org.jasig.cas.adaptors.x509.web.flow.AccessManagerCredentialsNonInteractiveAction would pull the Access Manager token off the Spring RequestContext and call it a Credential. This credential would then be passed to the org.jasig.cas.adaptors.x509.authentication.handler.support.AccessManagerCredentialsAuthenticationHandler doAuthenticate() method, which would validate the token. He is convinced this is the way to go; it's easy, and I should have it completed by Friday.
My personal feeling is that this is a hack and kludge, but I have little or no say in the matter. But I will do my best to implement this using the overlay method.

Regards,
Bryan

-----Original Message-----
From: Marvin S. Addison [mailto:marvin.addi...@gmail.com]
Sent: Monday, July 06, 2009 5:50 PM
To: cas-dev@lists.jasig.org
Subject: Re: [cas-dev] How to add an Authentication Handler

> I am going to use the x509 handler as a template unless anyone has a
> better suggestion.

Use the existing handler that is most like the one you are planning to write. Is this the Sun Access Manager SSO product? I know nothing about it, but unless it uses client certificates, the X.509 handler is probably the wrong choice. Certificate handling code is pretty specific to a single purpose.

> 1. Get CAS into a source control system
> 2. Modify the cas-server-webapp/pom.xml to recognize my new handler package
> 3. Include my handler in source structure
> 4. Add our existing Access Manager jar files and Access Manager SDK jar files to the source (modify the pom.xml to find them?)

I would not advise the above strategy. You would be better served to create a new Mavenized project containing your authentication handler, and add a dependency to it like any other module using the tried and true Maven War overlay process, http://www.ja-sig.org/wiki/display/CASUM/Maintaining+local+customizations+using+Maven+2 .

> 5. Add entry to web-flow.xml for my handler (how do I choose "action-state id"?)
> a. I can't find either "startAthenticate" or "x509Check" in the source

It's not clear that you need to modify the Web flow. The only reason the Web flow has a special check for X.509 certificates is because the client certificate is immediately available after the SSL handshake and substitutes for username/password credentials being posted by the login form. Does Access Manager have a similar flow where a token substitutes for username/password credentials?

If not, you probably don't need to modify the Web flow.

M
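The design Bryan describes above (a non-interactive web-flow action that lifts the Access Manager cookie into a credential, and a handler that validates that credential), sketched as an added example that is not code from this thread, from CAS, or from Access Manager. It assumes the CAS 3.x base classes AbstractNonInteractiveCredentialsAction and AbstractPreAndPostProcessingAuthenticationHandler, a hypothetical TokenValidator seam standing in for the Access Manager SDK session check, and the package and cookie name shown.

```java
// Added example (not from the thread or from CAS). Assumes CAS 3.x base classes and
// a hypothetical TokenValidator that wraps the Access Manager SDK session check.
package edu.example.cas.accessmanager;                       // hypothetical package

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction;
import org.jasig.cas.web.support.WebUtils;
import org.springframework.webflow.execution.RequestContext;

/** Hypothetical seam over the Access Manager SDK: true only for a live, unexpired session. */
interface TokenValidator { boolean isValid(String token); }

/** Carries the raw Access Manager token as a CAS credential (the cookie value, nothing more). */
final class AccessManagerCredentials implements Credentials {
    private final String token;
    AccessManagerCredentials(String token) { this.token = token; }
    String getToken() { return token; }
}

/** Web-flow action: lifts the SSO cookie into a credential. Returning null makes the
 *  action signal "error", so the flow falls through to normal CAS processing (login page). */
public final class AccessManagerCredentialsNonInteractiveAction extends AbstractNonInteractiveCredentialsAction {
    private String cookieName = "iPlanetDirectoryPro";      // assumed Access Manager default; set per deployment
    public void setCookieName(String cookieName) { this.cookieName = cookieName; }

    protected Credentials constructCredentialsFromRequest(RequestContext context) {
        HttpServletRequest request = WebUtils.getHttpServletRequest(context);
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;                    // no cookies at all: not an error, just no token
        for (Cookie c : cookies) {
            if (cookieName.equals(c.getName()) && c.getValue().length() > 0) {
                return new AccessManagerCredentials(c.getValue());
            }
        }
        return null;
    }
}

/** Handler: the cookie's presence proves nothing; the token must be validated server-side via the SDK. */
final class AccessManagerCredentialsAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {
    private TokenValidator validator;                        // injected from the overlay's Spring config
    public void setValidator(TokenValidator validator) { this.validator = validator; }
    public boolean supports(Credentials c) { return c instanceof AccessManagerCredentials; }

    protected boolean doAuthentication(Credentials credentials) throws AuthenticationException {
        String token = ((AccessManagerCredentials) credentials).getToken();
        return validator.isValid(token);                     // false: CAS treats it like any failed credential
    }
}
```

Principal resolution (mapping the validated token to a CAS principal) is a separate CredentialsToPrincipalResolver in CAS 3.x and is not shown here.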