Hi
Here is more information about our problem. Our current login webflow is
this:
...
    <action-state id="startAuthenticate">
        <action bean="x509Check" />
        <transition on="success" to="viewLoginForm" />
        <transition on="error" to="viewServiceErrorView" />
    </action-state>

    <view-state id="viewLoginForm" view="casLoginView">
        <render-actions>
            <action bean="authenticationViaFormAction" method="setupForm" />
            <action bean="authenticationViaFormAction" method="referenceData" />
        </render-actions>
        <transition on="submit" to="bindAndValidate" />
    </view-state>

    <action-state id="bindAndValidate">
        <action bean="authenticationViaFormAction" />
        <transition on="success" to="submit" />
        <transition on="error" to="viewLoginForm" />
    </action-state>

    <action-state id="submit">
        <action bean="authenticationViaFormAction" method="submit" />
        <transition on="warn" to="warn" />
        <transition on="success" to="sendTicketGrantingTicket" />
        <transition on="error" to="viewLoginForm" />
    </action-state>
...
We are novices to the CAS codebase and have no real experience of it or
Tomcat. So far we see our choices are as follows:
1. Create a new authentication handler which checks both LDAP and X509
certificate (effectively a merged handler). We would base this new handler
on the BindLdapAuthenticationHandler class. The new handler would
authenticate via LDAP and then call the
X509CredentialsAuthenticationHandler. This webflow is the reverse of that
above so that we can obtain the username/pass using the spring framework.
But how would we get the certificate to pass into the X509 handler?
2. Somehow modify the webflow to pass the principal from the X509 handler
to the LDAP handler. The LDAP handler then checks that the principal
matches the email address stored in the LDAP - this proves that the login
credentials match the certificate.
3. Modify AuthenticationManagerImpl to store the principal (globally)
which is set in the X509 handler and used in the LDAP handler to compare
against the email address in the LDAP.
Our favoured option is 1 or 2. 3 is the simplest but by far the dirtiest.
Thoughts?
Regards
Mark
Mark McGillion Ph.D.| Head of Core Technology (UK)
Interactive Data Managed Solutions Ltd
------------------------------------------------------------------------------------------------------------------
Suite 1101 | Eagle Tower | Montpellier Drive | Cheltenham | GL50 1TA
Tel: +44 (0)1242 694123 | Fax: +44 (0)1242 694109 | Mobile: +44 (0)7876 020587
[email protected]
http://www.interactivedata-ms.com/
This message (including any files transmitted with it) may contain confidential and/or proprietary information, is the property of Interactive Data Corporation and/or its subsidiaries, and is directed only to the addressee(s). If you are not the designated recipient or have reason to believe you received this message in error, please delete this message from your system and notify the sender immediately. An unintended recipient's disclosure, copying, distribution, or use of this message or any attachments is prohibited and may be unlawful.
Interactive Data (Europe) Ltd Registered No. 949387 England Registered Office: Fitzroy House 13-17 Epworth Street. London. EC2A 4DL
From: Andy Cowling <[email protected]>
Date: 15/04/2009 11:10
To: Mark McGillion <[email protected]>
Subject: Belt & braces authentication - checking X509 subject email against LDAP email
To: [email protected]
Hi there,
We currently have a CAS server installation running. We got the X509
authentication handler running (good!) and the LDAP authentication handler
running (also good!). But currently these two exist only as separate
sequential steps (not so good). What we ideally want is a configuration
whereby CAS will reject authentication requests where the supplied
certificate does not correspond to the person identified in the LDAP bind
step. (i.e., the certificate's subject email address does not match the
email address in the LDAP for the supplied username.)
From what I've read of CAS it does not appear to support this. Any
certificate signed by a trusted CA is accepted by CAS. There is a way to
extract the subject email address from the certificate (using
credentialsToPrincipalResolver), and there's also a means to map from a
user id to an email address supplied in an LDAP - but it does not seem
possible to add custom logic to compare these two, (and if the check
passes, then populate the principal resolver with the username - not the
email address)
Currently one of our application servers has a single server+client
certificate signed by a well known root CA. Consequently, our CAS
installation will authenticate any visitor who presents a valid (server-)
certificate signed by this CA - regardless of the subject of the
certificate. This sadly renders the X509 check redundant as it's trivial
for an external person to acquire a certificate from a root CA.
Furthermore we want to ensure that one of our employees cannot easily
access another user's account if they only have the other user's password.
Yet our current CAS installation allows this (i.e., they can just use
their own certificate - CAS doesn't care)
Is this something CAS can do for us? If not, is it already on the radar
(wishlist) yet?
Cheers
Andy
Andy Cowling | UK Core IT
Interactive Data Managed Solutions Ltd
-------------------------------------------------------------------------------------------------------------------------------
Suite 1101, Eagle Tower | Montpellier Drive | Cheltenham GL50 1TA | UK
Tel: +44 (0)1242 694115 | Fax: +44 (0)1242 694101
[email protected]
http://www.interactivedata-ms.com
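The check both messages ask for (reject the login unless the e-mail address in the presented client certificate matches the LDAP mail attribute of the account the password binds as) can be expressed as a single CAS 3.x AuthenticationHandler along the lines of Mark's options 1 and 2. The handler below is an added example written for this thread; it is neither Mark's or Andy's code nor anything shipped by the CAS project. It assumes the CAS 3.x AuthenticationHandler/Credentials interfaces, the X509CertificateCredentials(X509Certificate[]) constructor from cas-server-support-x509, and Spring LDAP's LdapTemplate and EqualsFilter as used by the existing LDAP handler. The class names CertificateEmailMatchingHandler and CertificateBoundCredentials, the package, the search base and the uid/mail attribute names are hypothetical, as is the assumption that the webflow builds the combined credential from the form fields plus the certificate chain in the request attribute "javax.servlet.request.X509Certificate" (the standard Servlet attribute, which answers the "how would we get the certificate" question in option 1).

```java
// Added example for the cas-user thread, not CAS project code. Package, class names,
// search base and attribute names are assumptions; CAS/Spring LDAP calls are the 3.x ones.
package example.cas;

import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import javax.security.auth.x500.X500Principal;
import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.AuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.EqualsFilter;

public class CertificateEmailMatchingHandler implements AuthenticationHandler {

    /** Hypothetical credential: the form login plus the TLS client certificate chain. */
    public static class CertificateBoundCredentials extends UsernamePasswordCredentials {
        private final X509Certificate[] chain;
        public CertificateBoundCredentials(String u, String p, X509Certificate[] chain) {
            setUsername(u); setPassword(p); this.chain = chain; }
        public X509Certificate[] getChain() { return chain; }
    }

    private static final String EMAIL_OID = "1.2.840.113549.1.9.1"; // PKCS#9 emailAddress
    private static final int RFC822_NAME = 1;                         // SAN GeneralName tag
    private final AuthenticationHandler ldapBindHandler; // e.g. BindLdapAuthenticationHandler
    private final AuthenticationHandler x509Handler;     // e.g. X509CredentialsAuthenticationHandler
    private final LdapTemplate ldapTemplate;
    private String searchBase = "ou=people,dc=example,dc=com", uidAttribute = "uid", mailAttribute = "mail"; // assumed

    public CertificateEmailMatchingHandler(AuthenticationHandler ldap, AuthenticationHandler x509,
                                           LdapTemplate template) {
        ldapBindHandler = ldap; x509Handler = x509; ldapTemplate = template;
    }

    public boolean supports(Credentials c) { return c instanceof CertificateBoundCredentials; }

    public boolean authenticate(Credentials credentials) throws AuthenticationException {
        CertificateBoundCredentials c = (CertificateBoundCredentials) credentials;
        if (c.getChain() == null || c.getChain().length == 0) return false; // no client cert
        // Password first, then chain/trust validation by the existing X509 handler
        // (the X509CertificateCredentials(X509Certificate[]) constructor is assumed).
        if (!ldapBindHandler.authenticate(c)) return false;
        if (!x509Handler.authenticate(new X509CertificateCredentials(c.getChain()))) return false;
        // Binding check: the end-entity certificate must name one of the user's LDAP addresses.
        Set<String> certMails;
        try { certMails = certificateEmails(c.getChain()[0]); }
        catch (CertificateParsingException e) { return false; }
        certMails.retainAll(ldapEmails(c.getUsername()));
        return !certMails.isEmpty();
    }

    /** Addresses the certificate asserts: SAN rfc822Name entries plus any emailAddress RDN
     *  in the subject DN, lower-cased for comparison. */
    static Set<String> certificateEmails(X509Certificate cert) throws CertificateParsingException {
        Set<String> out = new HashSet<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans)
                if (((Integer) san.get(0)).intValue() == RFC822_NAME) out.add(normalise((String) san.get(1)));
        }
        // Without the OID map the JDK renders emailAddress as "1.2.840.113549.1.9.1=#hex".
        Map<String, String> oidMap = Collections.singletonMap(EMAIL_OID, "EMAILADDRESS");
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253, oidMap);
        try {
            for (Rdn rdn : new LdapName(dn).getRdns())
                if ("EMAILADDRESS".equalsIgnoreCase(rdn.getType())) out.add(normalise(rdn.getValue().toString()));
        } catch (NamingException e) {
            // an unparsable DN contributes no addresses; SAN entries (if any) still count
        }
        return out;
    }

    /** Mail attribute values for the login name. EqualsFilter escapes the username, so a login
     *  such as "*)(uid=*" cannot widen the search; exactly one directory entry must match. */
    Set<String> ldapEmails(String username) {
        String filter = new EqualsFilter(uidAttribute, username).encode();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { mailAttribute });
        List<?> hits = ldapTemplate.search(searchBase, filter, sc, new AttributesMapper() {
            public Object mapFromAttributes(Attributes attrs) throws NamingException {
                Set<String> mails = new HashSet<String>();
                Attribute a = attrs.get(mailAttribute);
                for (int i = 0; a != null && i < a.size(); i++) mails.add(normalise(a.get(i).toString()));
                return mails;
            }
        });
        if (hits.size() != 1) return Collections.emptySet();
        @SuppressWarnings("unchecked") Set<String> mails = (Set<String>) hits.get(0);
        return mails;
    }

    private static String normalise(String mail) { return mail.trim().toLowerCase(Locale.ENGLISH); }
}
```

Two design points worth noting. The comparison is an intersection of normalised sets rather than a single string equality, because a certificate may carry the address both as a SAN rfc822Name and as an emailAddress RDN, and an LDAP entry may hold several mail values; lower-casing the whole address is a deliberate simplification (RFC 5321 makes the local part case-sensitive, but directories rarely do). Because CertificateBoundCredentials extends UsernamePasswordCredentials, the stock UsernamePasswordCredentialsToPrincipalResolver still resolves the principal to the username rather than the certificate's e-mail address, which is what Andy asked for. The LDAP lookup demands exactly one hit, so a directory that maps two entries to one uid fails closed instead of letting either entry's certificate satisfy the check.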
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user