Ok Marvin. Problem solved. I imported the CA in another JVM (yes, I'm a noob).

Now everything seems to work, except the Resolver:

010-02-23 16:00:12,519 DEBUG [org.springframework.web.servlet.DispatcherServlet] - Could not complete request
org.springframework.webflow.engine.ActionExecutionException: Exception thrown executing [annotatedact...@1a21acf targetAction = org.jasig.cas.adaptors.x509.web.flow.x509certificatecredentialsnoninteractiveact...@18e2477, attributes = map[[empty]]] in state 'startAuthenticate' of flow 'login-webflow' -- action execution attributes were 'map[[empty]]'; nested exception is java.lang.ArrayIndexOutOfBoundsException: 1
Caused by: java.lang.ArrayIndexOutOfBoundsException: 1
    at se.gu.cas.X509RegexpCertificateCredentialsToIdentifierPrincipalResolver.resolvePrincipalInternal(X509RegexpCertificateCredentialsToIdentifierPrincipalResolver.java:60)
    at org.jasig.cas.adaptors.x509.authentication.principal.AbstractX509CertificateCredentialsToPrincipalResolver.resolvePrincipal(AbstractX509CertificateCredentialsToPrincipalResolver.java:30)

I will check the resolver.

Thanks Marvin for your patience

2010/2/23 Marvin Addison <[email protected]>

> > 2010-02-23 10:58:13,223 DEBUG
> > [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction]
> > - Certificates not found in request.
>
> This is the key to your problem. You must configure your Web server
> to request a certificate from the client.
> http://www.ja-sig.org/wiki/display/CASUM/X.509+Certificates has an
> example of the Tomcat connector configuration if you are using Tomcat
> directly. You should set clientAuth="require" for testing to make
> sure that a connection to CAS is not allowed unless the client
> presents a certificate. We have a totally separate Web server port
> (9443) for X.509 authentication to satisfy this use case.
>
> If you have Apache in front of Tomcat, you'll want to use the mod_ssl
> directive SSLVerifyClient="require". I would do some testing with a
> simple tool like wget to ensure the Web server is properly requiring
> the certificate. Also, it sounds like the certificate may be coming
> from a hardware security device. I'd recommend taking the hardware
> out of the equation for testing and development and using a soft
> certificate instead. (I can sympathize with the complexity of what
> you're doing; we did the same thing a few years ago and it was a
> bear.)
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
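
A defensive version of the subject-DN-to-identifier step where the trace above fails, as an added example: it is not the poster's resolver (its source is not shown in the thread) and not CAS code. The class name, the identifier pattern, the sample DNs and the assumption that the identifier is carried in the CN are all constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper: derive a login identifier from a certificate subject DN. */
public class SubjectDnIdentifier {

    // Assumed policy (not from the thread): the identifier is the whole CN value,
    // a letter followed by 1-15 lowercase letters or digits.
    private static final Pattern ID = Pattern.compile("^([a-z][a-z0-9]{1,15})$");

    /** Returns the identifier, or null when the DN does not yield exactly what the policy expects. */
    static String resolve(String subjectDn) {
        if (subjectDn == null) {
            return null;
        }
        final LdapName name;
        try {
            // Parse the DN instead of splitting the string, so escaped commas
            // inside a value cannot shift the fields.
            name = new LdapName(subjectDn);
        } catch (InvalidNameException e) {
            return null; // malformed DN: no principal
        }
        for (Rdn rdn : name.getRdns()) {
            if (!"CN".equalsIgnoreCase(rdn.getType())) {
                continue;
            }
            Matcher m = ID.matcher(String.valueOf(rdn.getValue()));
            // Only read the capture group after a successful match; a DN in an
            // unexpected shape gives null, not an index or state exception.
            if (m.matches()) {
                return m.group(1);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed subject DNs
            "CN=jdoe42,OU=Staff,O=Example University,C=SE", // matches the policy
            "CN=Doe\\, Jane,OU=Staff,O=Example University", // CN is a display name
            "OU=Devices,O=Example University",              // no CN at all
            "not a distinguished name"                      // unparsable
        };
        for (String dn : samples) {
            System.out.println(dn + " -> " + resolve(dn));
        }
    }
}
```

Only the first sample resolves (to `jdoe42`); the other three return null, which the calling resolver can treat as "no principal" and fail the authentication cleanly.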
