> 14:54:20,892 ERROR [STDERR] javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
> ...
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
>
> 14:54:20,902 ERROR [STDERR] at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:52)
>
> 14:54:20,903 ERROR [STDERR] at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:138)
>
> 14:54:20,903 ERROR [STDERR] at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>
> 14:54:20,904 ERROR [STDERR] at org.jboss.portal.identity.sso.cas.CASAuthenticationValve.getAuthenticatedUser(CASAuthenticationValve.java:272)
As you can see, this exception is coming from the ticket validation step. The CAS client will _never_ present a client certificate because HttpsURLConnectionImpl, which is used to establish the connection, does not support sending a client certificate. If you need a CAS client that has SSL client auth support, you'll have to create extensions to handle that. The Apache commons-httpclient library has support for SSL client auth, so you can start there if you really need client auth for the ticket validation step.

Having said that, I would recommend that you set up a separate connector on another port that does not require client auth and validate tickets there. CAS tickets are one-time-use credentials by default, so client authentication on top of that seems like a lot of effort for relatively little additional security.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
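The two-connector layout the reply recommends, shown as an added example that is not from the original thread, CAS or JBoss: a Tomcat 6-style server.xml fragment with the user-facing HTTPS connector requiring client certificates and a second connector, without client auth, reserved for service-ticket validation. Port numbers, keystore paths, passwords and the bind address are assumed placeholders.

```xml
<!-- Added example: assumed Tomcat 6 / JBoss Web server.xml fragment.
     Ports, file paths, passwords and the bind address are placeholders. -->

<!-- User-facing HTTPS connector: browsers must present a client certificate
     issued by a CA in clients.jks (clientAuth="true"). -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="${catalina.home}/conf/server.jks" keystorePass="CHANGEME"
           truststoreFile="${catalina.home}/conf/clients.jks" truststorePass="CHANGEME" />

<!-- Ticket-validation connector: clientAuth="false", so a CAS client built on
     HttpsURLConnection can reach /serviceValidate. The server certificate is
     still presented and verified by the client, and tickets stay one-time-use.
     Bind the port to an internal interface (address=) and/or firewall it so
     only CAS client hosts can reach it; it must not serve the login page. -->
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           address="10.0.0.5"
           keystoreFile="${catalina.home}/conf/server.jks" keystorePass="CHANGEME" />
```

The CAS client's validate URL is then pointed at port 8444 while its login URL stays on 8443, and the client's truststore must contain the CA that signed server.jks.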
