Marvin Thanks again for your support.
Just to be clear, pulling the email address from the cert and resolving to a username in LDAP is required for authentication, not authorization(!) We don't want to authenticate any user who provides a cert that does not correspond to the login name they use in the web form.
Using the method you recommended we cannot subclass BindLdapWithX509AuthenticationHandler, because the vital method authenticateUsernamePasswordInternal is declared "final" in the base class, therefore we cannot override it (which, as I understand it, we really need to). Instead we must duplicate the whole class under another name. This is certainly not a show-stopper, but it makes the implementation less clean.
I assume that we would then have to extract the email address from the certificate in the credentials object (in authenticateUsernamePasswordInternal) and then compose an LDAP filter that checks both email address and uid. This also requires replacing the current use of LdapUtils.getFilterWithValues with our own (similar but extended code). We can then do a single LDAP lookup using a filter "|((uid=<username from webform>)(mail=<mail from cert>))". Is this what you had in mind? If so, we shall go ahead and try out that implementation next week.
Thanks again.
Cheers
Andy

Marvin Addison wrote:
>> Sorry, I meant to ask if CredentialsToLDAPAttributePrincipalResolver can be used to achieve this
>
> No. While it is common to use that component with X.509 auth to transform the DN into a more user-friendly principal name via LDAP lookup, your use case, as I understand it from previous posts, is to have chained authentication handlers and do the email verification as an authorization check. The crux of your problem is that CAS is designed to authenticate with the first available handler for a particular credential type. You'll have to write your own authentication handler that does X.509 followed by the LDAP bind/search to look up the authorization data you need. I'm pretty sure the outline I wrote up for you in response to your previous post is your best bet. Even if you decide on another implementation, I'm fairly certain you will need to write some code to address this use case.
>
> M
--
Andy Cowling | UK Platform Management
Interactive Data Managed Solutions Ltd
