Error Found In the Resolver...
I have CN="xxxxxx yyyyy, zzzz vvvv (AUTENTICACIÓN)", GIVENNAME=xxxxx yyyyy, SURNAME=zzzzz, SERIALNUMBER=**********, C=ES" from issuer

It fails parsing because xxxxxx yyyyy, zzzz vvvv

CAS splits entries with "," and that's why it fails.

I should change the code

Thanks

Pablo Mosquera T

2010/2/23 Pablo Mosquera Saenz <[email protected]>

> Ok Marvin. Problem solved. I imported the CA in another JVM (yes, I'm a
> noob)
>
> Now everything seems to work, except the Resolver
>
> 010-02-23 16:00:12,519 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - Could not complete
> request
> org.springframework.webflow.engine.ActionExecutionException: Exception
> thrown executing [annotatedact...@1a21acf targetAction =
> org.jasig.cas.adaptors.x509.web.flow.x509certificatecredentialsnoninteractiveact...@18e2477,
> attributes = map[[empty]]] in state 'startAuthenticate' of flow
> 'login-webflow' -- action execution attributes were 'map[[empty]]'; nested
> exception is java.lang.ArrayIndexOutOfBoundsException: 1
> Caused by: java.lang.ArrayIndexOutOfBoundsException: 1
> at
> se.gu.cas.X509RegexpCertificateCredentialsToIdentifierPrincipalResolver.resolvePrincipalInternal(X509RegexpCertificateCredentialsToIdentifierPrincipalResolver.java:60)
> at
> org.jasig.cas.adaptors.x509.authentication.principal.AbstractX509CertificateCredentialsToPrincipalResolver.resolvePrincipal(AbstractX509CertificateCredentialsToPrincipalResolver.java:30)
>
> I will check the resolver.
>
> Thanks Marvin for your patience
>
>
> 2010/2/23 Marvin Addison <[email protected]>
>
>> > 2010-02-23 10:58:13,223 DEBUG
>> > [org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction]
>> > - Certificates not found in request.
>>
>> This is the key to your problem. You must configure your Web server
>> to request a certificate from the client.
>> http://www.ja-sig.org/wiki/display/CASUM/X.509+Certificates has an
>> example of the Tomcat connector configuration if you are using Tomcat
>> directly. You should set clientAuth="require" for testing to make
>> sure that a connection to CAS is not allowed unless the client
>> presents a certificate. We have a totally separate Web server port
>> (9443) for X.509 authentication to satisfy this use case.
>>
>> If you have Apache in front of Tomcat, you'll want to use the mod_ssl
>> directive SSLVerifyClient="require". I would do some testing with a
>> simple tool like wget to ensure the Web server is properly requiring
>> the certificate. Also, it sounds like the certificate may be coming
>> from a hardware security device. I'd recommend taking the hardware
>> out of the equation for testing and development and using a soft
>> certificate instead. (I can sympathize with the complexity of what
>> you're doing; we did the same thing a few years ago and it was a
>> bear.)
>>
>> M
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
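
The comma-splitting failure described in the first message, as an added example that is not part of the original thread and not the CAS or se.gu.cas resolver code. A constructed DN shaped like the one in the post is parsed with a naive split (the hypothetical `naiveParse`) and then with the JDK's `javax.naming.ldap.LdapName`, which honours RFC 2253 quoting; the class and method names are assumptions.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.LinkedHashMap;
import java.util.Map;

public class DnParsingExample {

    // Constructed sample DN: the CN is quoted and contains a comma, as in the post.
    static final String SAMPLE_DN =
        "CN=\"xxxxxx yyyyy, zzzz vvvv (AUTENTICACI\u00D3N)\", GIVENNAME=xxxxx yyyyy, "
        + "SURNAME=zzzzz, SERIALNUMBER=**********, C=ES";

    // Hypothetical naive parser, for comparison only: split on "," then on "=".
    static Map<String, String> naiveParse(String dn) {
        Map<String, String> attrs = new LinkedHashMap<>();
        for (String entry : dn.split(",")) {
            String[] kv = entry.trim().split("=");
            // The second fragment is 'zzzz vvvv (...)"' with no "=", so kv has
            // length 1 and kv[1] throws ArrayIndexOutOfBoundsException.
            attrs.put(kv[0], kv[1]);
        }
        return attrs;
    }

    // RFC 2253-aware parsing: quoted values and escaped commas stay inside one RDN.
    // Assumes single-valued RDNs; getType()/getValue() return the first pair otherwise.
    static Map<String, String> rdnParse(String dn) throws InvalidNameException {
        Map<String, String> attrs = new LinkedHashMap<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            attrs.put(rdn.getType().toUpperCase(), String.valueOf(rdn.getValue()));
        }
        return attrs;
    }

    public static void main(String[] args) throws Exception {
        try {
            naiveParse(SAMPLE_DN);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("naive split failed: " + e);
        }
        Map<String, String> attrs = rdnParse(SAMPLE_DN);
        System.out.println("CN = " + attrs.get("CN"));
        System.out.println("SERIALNUMBER = " + attrs.get("SERIALNUMBER"));
    }
}
```

In a resolver the DN string would typically come from `X509Certificate.getSubjectX500Principal().getName()`, which escapes embedded commas in a form `LdapName` also parses.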
