Actually, I didn't mention one point: we use Aladdin in our system, but I didn't know about this property. Thanks for your reply. But again, I need the username on the login screen, because the customer doesn't want to type his/her username, since it already exists in the certificate.
-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: Friday, July 10, 2009 3:59 PM
To: [email protected]
Subject: Re: [cas-user] x509 certificate name in cas login screen

> My purpose is to prevent a person from logging in with another certificate
> that does not belong to that person.

If you are concerned about certificate management, you would be better served to investigate hardware security devices that require a PIN/password to access the certificate on the device. We use the Aladdin eToken Pro for this purpose and have been reasonably satisfied all around. If you're already investing the time and resources in client auth and want really good security, why not go all the way with a hardware security device? Then you could simply use the X509CredentialsAuthenticationHandler to non-interactively authenticate users.

> How can I get the user name from the x509 certificate, and where can I modify the
> related code?

You'll likely need to modify the Spring Web Flow to place an action before the viewLoginForm action, in which your custom action will fetch the certificate out of the request:

    final X509Certificate[] certificates = (X509Certificate[])
        context.getExternalContext().getRequestMap().get(CERTIFICATE_REQUEST_ATTRIBUTE);

The above is copied directly from /cas-server-support-x509/src/main/java/org/jasig/cas/adaptors/x509/web/flow/X509CertificateCredentialsNonInteractiveAction.java, which you'll likely want to study. Once you have an X509Certificate object, you can just parse the subject DN to get the username, which presumably is in the CN component. You'll then have to put the user name into the model passed to the login view, which you'll need to customize to set the username field and make it non-editable.

Please note that the above strategy _in no way_ prevents a determined attacker from using a tool (e.g. WebScarab) to manually construct a request with any username they desire.
For a high-security implementation, which client SSL authentication assumes, the best solution is a hardware security device to address the "right certificate, wrong user" concerns you mentioned above.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
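The approach Marvin sketches (a Spring Web Flow action that runs before viewLoginForm, pulls the verified client chain out of the request, takes the CN from the subject DN and hands it to the login view) is shown below as an added example. This is not code from the thread or from the CAS project: the class name, package, the flow-scope attribute name x509Username, and the username comparison policy are all assumptions. It also includes the server-side check Marvin's warning calls for: because a read-only username field is only a display hint, a custom authentication handler has to compare the posted username against the CN of the certificate on the same TLS session, otherwise a crafted request can still submit any username.

```java
package org.jasig.cas.adaptors.x509.web.flow; // assumed package, not part of CAS

import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/**
 * Added example (not CAS project code): pre-populate the login form's
 * username from the CN of the client certificate the container verified,
 * and provide the check that binds the submitted username to that certificate.
 */
public final class X509UsernamePrefillAction extends AbstractAction {

    /** Servlet-spec request attribute holding the verified client chain. */
    private static final String CERTIFICATE_REQUEST_ATTRIBUTE =
            "javax.servlet.request.X509Certificate";

    /** Flow-scope key a customised login view would read; the name is an assumption. */
    public static final String USERNAME_FLOW_ATTRIBUTE = "x509Username";

    @Override
    protected Event doExecute(final RequestContext context) throws Exception {
        final X509Certificate[] certificates = (X509Certificate[]) context
                .getExternalContext().getRequestMap().get(CERTIFICATE_REQUEST_ATTRIBUTE);
        final String cn = extractCommonName(certificates);
        if (cn != null) {
            // Only a hint for the view; nothing here is an access-control decision.
            context.getFlowScope().put(USERNAME_FLOW_ATTRIBUTE, cn);
        }
        // Without a verified client certificate the field simply stays editable.
        return success();
    }

    /**
     * Returns the CN of the end-entity certificate (element 0 of the chain,
     * per the Servlet spec), or null if there is no chain or no CN attribute.
     */
    static String extractCommonName(final X509Certificate[] chain) {
        if (chain == null || chain.length == 0 || chain[0] == null) {
            return null;
        }
        // RFC 2253 form, e.g. "CN=jdoe,OU=Staff,O=Example"
        final String dn = chain[0].getSubjectX500Principal().getName();
        try {
            for (final Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (final InvalidNameException e) {
            return null; // malformed DN: treat as "no usable CN"
        }
        return null;
    }

    /**
     * Server-side check for the "right certificate, wrong user" case: the
     * username posted with the form is accepted only if it equals the CN of
     * the certificate presented on the same TLS session. A custom
     * authentication handler would call this with the submitted credentials.
     * Case-sensitive comparison is an assumption; relax it only if the
     * directory treats usernames as case-insensitive.
     */
    static boolean usernameMatchesCertificate(final String submittedUsername,
                                              final X509Certificate[] chain) {
        final String cn = extractCommonName(chain);
        return cn != null && submittedUsername != null
                && cn.equals(submittedUsername.trim());
    }
}
```

Wiring is not shown: the action would be declared as a bean and inserted as an action-state ahead of viewLoginForm in the login web flow definition (the exact flow layout depends on the CAS version in use). The important part is that usernameMatchesCertificate, not the pre-filled form field, is what a handler enforces; the prefill only saves the user from typing.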
