> My purpose is to prevent the person from logging in with another certificate
> that doesn't belong to that person…
If you are concerned about certificate management, you would be better served to investigate hardware security devices that require a PIN/password to access the certificate on the device. We use the Aladdin eToken Pro for this purpose and have been reasonably satisfied all around. If you're already investing the time and resources in client auth and want really good security, why not go all the way with a hardware security device? Then you could simply use the X509CredentialsAuthenticationHandler to non-interactively authenticate users.

> How can I get the user name from the X.509 certificate, and where can I modify the
> related code?

You'll likely need to modify the Spring Web Flow to place an action before the viewLoginForm action, in which your custom action will fetch the certificate out of the request:

    final X509Certificate[] certificates = (X509Certificate[]) context.getExternalContext().getRequestMap().get(CERTIFICATE_REQUEST_ATTRIBUTE);

The above is copied directly from /cas-server-support-x509/src/main/java/org/jasig/cas/adaptors/x509/web/flow/X509CertificateCredentialsNonInteractiveAction.java, which you'll likely want to study. Once you have an X509Certificate object, you can just parse the subject DN to get the username, which presumably is in the CN component. You'll then have to put the user name into the model passed to the login view, which you'll need to customize to set the username field and make it non-editable.

Please note that the above strategy _in no way_ prevents a determined attacker from using a tool (e.g. WebScarab) to manually construct a request with any username they desire. For a high-security implementation, which client SSL authentication assumes, the best solution is a hardware security device to address the "right certificate, wrong user" concerns you mentioned above.
M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
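The reply above leaves two pieces to the reader: parsing the CN out of the subject DN, and the fact that a prefilled username field can be tampered with. The following is an added example, not code from the CAS project or from the poster, showing both in plain Java: the DN is parsed with javax.naming.ldap.LdapName (an RFC 2253 parser, so escaped separators such as "CN=Doe\, John" are handled, which a naive split on "," would not be), and the username a client submits is only accepted if it equals the one derived from the certificate the TLS layer already verified. The class name, method names and the sample DNs are assumptions made for this illustration.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not CAS project code): derive a login name from the subject
 * DN of a client certificate, and bind a submitted username to it server-side.
 */
public final class CertificateUsername {

    private CertificateUsername() {}

    /**
     * Returns the value of the leftmost (most specific) CN in the DN,
     * or null if the DN carries no string-valued CN.
     */
    public static String cnFromDn(String dn) throws InvalidNameException {
        // LdapName parses RFC 2253 syntax, so "CN=Doe\, John" yields "Doe, John";
        // a naive dn.split(",") would split inside the escaped value.
        LdapName name = new LdapName(dn);
        // LdapName indexes RDNs right to left: index 0 is the rightmost
        // component, so the leftmost CN is the one with the highest index.
        for (int i = name.size() - 1; i >= 0; i--) {
            Rdn rdn = name.getRdn(i);
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                Object value = rdn.getValue();
                // Hex-encoded (#...) values come back as byte[]; skip those.
                if (value instanceof String) {
                    return (String) value;
                }
            }
        }
        return null;
    }

    /** Username from the certificate subject, using the RFC 2253 form of the DN. */
    public static String usernameFromCertificate(X509Certificate cert) throws InvalidNameException {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        String cn = cnFromDn(dn);
        if (cn == null || cn.isEmpty()) {
            throw new InvalidNameException("certificate subject has no usable CN: " + dn);
        }
        return cn;
    }

    /**
     * Server-side binding: prefilling the form is a convenience only; this check
     * is what rejects a hand-crafted request that pairs a different username
     * with the presented certificate.
     */
    public static boolean submittedNameMatchesCertificate(String submitted, String certSubjectDn)
            throws InvalidNameException {
        String fromCert = cnFromDn(certSubjectDn);
        return fromCert != null && fromCert.equals(submitted);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs for illustration; no real certificates involved.
        String simple = "CN=jdoe,OU=Staff,O=Example Corp,C=US";
        String escaped = "CN=Doe\\, John,OU=Staff,O=Example Corp,C=US";
        String noCn = "OU=Staff,O=Example Corp,C=US";

        System.out.println("simple  : " + cnFromDn(simple));
        System.out.println("escaped : " + cnFromDn(escaped));
        System.out.println("no CN   : " + cnFromDn(noCn));
        System.out.println("jdoe ok : " + submittedNameMatchesCertificate("jdoe", simple));
        System.out.println("admin ok: " + submittedNameMatchesCertificate("admin", simple));
    }
}
```

In a real flow the DN string would come from usernameFromCertificate on the certificate pulled out of the request, as in the action quoted above; the point of the last method is that the comparison happens on the server against the verified certificate, never against anything the browser sent. It does not address the "right certificate, wrong user" problem the reply is about, which is why the hardware-token route is still the recommendation there.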
