> The question is this: If we require a client certificate from visitors in
> order to log them in, how can we also redirect certificate-less visitors to
> an error page (where we could explain that certs are required).
You absolutely can do this -- we do, and it's "the right thing" in my opinion. The usability of CAS is dramatically decreased for client SSL-based authentication when you rely on the browser to present meaningful error messages.

The core idea is to use the "optional" client SSL directive in the container that is terminating the SSL connection. If you are using Apache or the Tomcat APR connectors, the setting is SSLVerifyClient, http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient. For Tomcat or JBoss using the default pure-Java connectors, the setting is clientAuth="want" in the <Connector> element; see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html for more information.

With optional client cert sending enabled, you can then modify the login-webflow to show a custom certAuthenticationFailed.jsp view when the non-interactive X.509 handler fails:

    <action-state id="startAuthenticate">
      <action bean="x509Check" />
      <transition on="success" to="sendTicketGrantingTicket" />
      <transition on="error" to="handleCertAuthFailure" />
    </action-state>

    <decision-state id="handleCertAuthFailure">
      <if test="${externalContext.request.serverPort == 9443}"
          then="viewCertAuthFailurePage"
          else="viewLoginForm" />
    </decision-state>

Note the port 9443 check. In our setup we use a special port to handle client SSL authentication since we allow the user to choose between user/pass auth and client SSL w/ X.509 cert.

Good luck,
M
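As an added illustration of the connector setup the reply describes (this is not configuration from the original post or from the CAS project), here is what the two-port arrangement looks like in a Tomcat 6 conf/server.xml using the pure-Java connector. The keystore/truststore paths, passwords and the 8443/9443 split are assumptions; the attribute names are the documented Tomcat 6 SSL connector attributes.

```xml
<!-- Added example for conf/server.xml (Tomcat 6, pure-Java HTTP/1.1 connector).
     File paths, passwords and the choice of ports are assumptions, not values
     taken from the post. -->

<!-- Port 8443: ordinary HTTPS for username/password login. With
     clientAuth="false" no CertificateRequest is sent during the handshake, so
     the browser never prompts the user to pick a certificate here. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/opt/cas/conf/server.jks" keystorePass="changeit"
           clientAuth="false" />

<!-- Port 9443: X.509 login. clientAuth="want" asks for a client certificate
     but still completes the handshake when the browser sends none, so the
     request reaches the CAS login webflow, x509Check fails, and the
     handleCertAuthFailure decision-state above can render the custom error
     view. The CAs in truststoreFile are the ones advertised to the browser
     and the ones a presented certificate must chain to.
     The weak alternative is clientAuth="true": the handshake itself is
     aborted when no certificate is sent, and the user sees the browser's
     own (unhelpful) SSL error page instead of the CAS view. -->
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/opt/cas/conf/server.jks" keystorePass="changeit"
           clientAuth="want"
           truststoreFile="/opt/cas/conf/trusted-cas.jks" truststorePass="changeit" />
```

One caveat worth knowing before relying on the custom error page: "want" (and Apache's SSLVerifyClient optional) only tolerates the absence of a certificate. A certificate that is presented but does not chain to a CA in the truststore is still rejected at the TLS layer, so that case never reaches the webflow and the browser error reappears. Apache's SSLVerifyClient optional_no_ca is the setting that lets such a handshake complete and leaves verification to the application; there is no direct equivalent among the pure-Java connector attributes.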
