On 10/06/2011 16:19, Marvin Addison wrote:

Thank you for this precision; indeed, another colleague logged in and only his client certificate has been checked, no issuer check has been done, although we both use Firefox 4. I now understand the difference of behaviour: it's client related.

>> If I'm not mistaken, two checks are done:
>> - Issuer CRL check first
>> - Subject CRL check
>
> That's not strictly the case. The handler evaluates every certificate in the chain provided by the client. In the simple case of chain length 2, then it's equivalent to what you said, but it could involve more or fewer depending on the certificate (chain) provided by the client.

>> My problem is that the issuer CRL is only available through an LDAP query... and it seems that CRLs cannot be checked when they are provided by an LDAP directory.
>
> That's correct. I only provided support for HTTP URIs since I didn't have a use case for any other scheme. If you want LDAP support, please open an improvement issue at https://issues.jasig.org/browse/CAS and I'll investigate. As a workaround, you could create a process that periodically pulls the CRL and publishes it to a location accessible via HTTP, then use ResourceCRLRevocationChecker at one or more fixed URLs. Note this component can support multiple CRLs at multiple URLs if you have different issuers.
Improvement issue opened sir :-).
But I now have another problem... HTTP CRL fetching is only possible if the JVM uses a proxy, so I've searched the web and found that I can start Tomcat with Java options like: -Dhttp.proxyHost=<proxy-address> -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts="host1|*.my-domain|127.0.0.1|172.16.*"
It works... but single sign-out is now broken: POST logout queries are sent through my proxy instead of directly to the local web server!
I also read that a more flexible way is to use the ProxySelector class, but I don't know how to add that to CAS...
Thanks a lot for the time spent answering my problems. Rgds.

--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
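An added illustration of the ProxySelector approach mentioned in the mail above (example code, not from CAS or from anyone in this thread): HTTP(S) requests to external hosts, such as the CRL download, use the proxy, while hosts matching the same wildcard patterns as the nonProxyHosts value go direct, so a logout POST to a local service host never touches the proxy; non-HTTP URIs (plain sockets) also go direct. The proxy address is a placeholder, and how the selector is installed in CAS is an assumption.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.SocketAddress;
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/** Routes external HTTP(S) requests (CRL downloads) through the proxy; listed local hosts go DIRECT. */
public final class SplitProxySelector extends ProxySelector {
    private final Proxy proxy;
    private final List<Pattern> directHosts;

    public SplitProxySelector(String proxyHost, int proxyPort, List<String> directGlobs) {
        this.proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
        this.directHosts = directGlobs.stream().map(SplitProxySelector::globToPattern)
                .collect(Collectors.toList());
    }

    /** Same "*" wildcard meaning as http.nonProxyHosts entries such as "*.my-domain" or "172.16.*". */
    static Pattern globToPattern(String glob) {
        String regex = Arrays.stream(glob.split("\\*", -1)).map(Pattern::quote)
                .collect(Collectors.joining(".*"));
        return Pattern.compile("^" + regex + "$", Pattern.CASE_INSENSITIVE);
    }

    @Override
    public List<Proxy> select(URI uri) {
        String host = uri.getHost(), scheme = uri.getScheme();
        // Only HTTP(S) belongs on an HTTP proxy; anything else (e.g. an LDAP socket) goes direct.
        if (host == null || !("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme))) {
            return Collections.singletonList(Proxy.NO_PROXY);
        }
        for (Pattern p : directHosts) {
            if (p.matcher(host).matches()) { // e.g. the single sign-out POST to a local service
                return Collections.singletonList(Proxy.NO_PROXY);
            }
        }
        return Collections.singletonList(proxy); // e.g. the CRL fetched from its HTTP location
    }

    @Override
    public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
        // No silent fallback to DIRECT: surface the failure so a broken proxy is noticed.
        System.err.println("proxy connect failed for " + uri + " via " + sa + ": " + ioe.getMessage());
    }
}
```

Install it once at JVM startup, for example `ProxySelector.setDefault(new SplitProxySelector("proxy.example", 8080, Arrays.asList("host1", "*.my-domain", "127.0.0.1", "172.16.*")))` from a ServletContextListener or a Spring bean's init method, instead of the -Dhttp.proxy* options; which hook CAS offers for that is an assumption to verify against your CAS version.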