Well, I've set up a local repository of the CRLs I need and changed the x509CRLChecker
bean to:

<bean id="x509CRLChecker" class="org.jasig.cas.adaptors.x509.authentication.handler.support.ResourceCRLRevocationChecker" p:refreshInterval="14400">
  <constructor-arg>
    <list>
      <bean class="org.springframework.core.io.UrlResource">
        <constructor-arg index="0" value="${x509.crl.base.url}/GIP-CPS%20CLASSE-0.crl" />
      </bean>
      <bean class="org.springframework.core.io.UrlResource">
        <constructor-arg index="0" value="${x509.crl.base.url}/GIP-CPS%20CLASSE-1.crl" />
      </bean>
      <bean class="org.springframework.core.io.UrlResource">
        <constructor-arg index="0" value="${x509.crl.base.url}/GIP-CPS%20CLASSE-2.crl" />
      </bean>
      <bean class="org.springframework.core.io.UrlResource">
        <constructor-arg index="0" value="${x509.crl.base.url}/GIP-CPS%20CLASSE-3.crl" />
      </bean>
      <bean class="org.springframework.core.io.UrlResource">
        <constructor-arg index="0" value="${x509.crl.base.url}/TEST%20CLASSE-0.crl" />
      </bean>
      <bean class="org.springframework.core.io.UrlResource">
        <constructor-arg index="0" value="${x509.crl.base.url}/TEST%20CLASSE-1.crl" />
      </bean>
      <bean class="org.springframework.core.io.UrlResource">
        <constructor-arg index="0" value="${x509.crl.base.url}/TEST%20CLASSE-2.crl" />
      </bean>
      <bean class="org.springframework.core.io.UrlResource">
        <constructor-arg index="0" value="${x509.crl.base.url}/TEST%20CLASSE-3.crl" />
      </bean>
    </list>
  </constructor-arg>

  <property name="unavailableCRLPolicy">
    <bean class="${x509.unavailable.crl.policy}" />
  </property>

  <property name="expiredCRLPolicy">
    <!-- Allow expired CRL data up to 48h -->
    <bean class="org.jasig.cas.adaptors.x509.authentication.handler.support.ThresholdExpiredCRLRevocationPolicy"
          p:threshold="${x509.expired.crl.policy.threshold}" />
  </property>
</bean>

I've also deactivated the proxy in the JVM... and I get back functionality like proxy and single sign-out, great :-)

I don't know if the bean definition is correct, but it seems to work as expected :-).

But I'm wondering how the validity of the CRL is checked, as nowhere do I provide the authority which should sign the CRL?

Rgds.

On 10/06/2011 19:11, Marvin Addison wrote:
> But I have now another problem... HTTP CRL fetching is only possible if the JVM
> uses a proxy....
> It works... but single sign-out is now broken: POST logout requests are sent
> through my proxy instead of directly to the local web server!
Sounds like a difficult problem to solve.

> I also read that a more flexible way is to use the ProxySelector class, but I
> don't know how to add that to CAS...
I'm not familiar with that component.  I recall some other use cases
where it would be helpful for the HttpClient component of CAS to be
more configurable, and I'm wondering if it would be possible to allow
plugging in a ProxySelector to meet your needs.  SSL hostname
verification is the other configuration point I recall that had been
requested.  There may be others; speak up if you have one.

M



--
Philippe MARASSE

Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19


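The question above, how a CRL can be validated when no signing authority is configured anywhere, illustrated with an added example that is not part of this thread or of CAS's own code. CAS is Java, where the signature check is X509CRL.verify(PublicKey) called with the issuing CA's public key; Go's standard library is used here only because it can also build a throwaway CA and signed CRLs offline (Go 1.19 or later for x509.ParseRevocationList). The program performs the three checks a CRL-based revocation checker needs: the CRL signature against the issuing CA's certificate, tolerance of an expired CRL only up to a threshold like the expiredCRLPolicy above (48h assumed), and lookup of the certificate serial. The CA names, serial numbers and update times are constructed test data, not the GIP-CPS CRLs from the configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on errors from the fixture builders below (they only handle constructed data).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a throwaway self-signed CA carrying the cRLSign key usage (constructed test data).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueCRL signs a DER CRL revoking the given serials, with thisUpdate `age` before now
// and nextUpdate `left` after now; a negative `left` produces an already-expired CRL.
func issueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, serials []int64, now time.Time, age, left time.Duration) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range serials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now.Add(-age)})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-age), NextUpdate: now.Add(left),
		RevokedCertificates: entries}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, key))
}

// checkRevocation does what a CRL-based checker must do before it believes a list:
// (1) verify the CRL signature with the issuing CA's certificate, the step the question
// above is about: a fetched CRL that is not verified can be swapped for an empty one;
// (2) accept an expired CRL only up to threshold (cf. expiredCRLPolicy, 48h in the bean);
// (3) look the serial up. stale reports a CRL past nextUpdate that was still accepted.
func checkRevocation(crlDER []byte, ca *x509.Certificate, serial int64, threshold time.Duration, now time.Time) (revoked, stale bool, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, false, fmt.Errorf("CRL not signed by %q: %w", ca.Subject.CommonName, err)
	}
	if late := now.Sub(crl.NextUpdate); late > 0 {
		if late > threshold {
			return false, false, fmt.Errorf("CRL expired %s ago, beyond threshold %s", late.Round(time.Hour), threshold)
		}
		stale = true
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Int64() == serial {
			revoked = true
		}
	}
	return revoked, stale, nil
}

// Demo runs checkRevocation with a 48h threshold against a fresh CRL, one expired 12h ago
// (tolerated, flagged stale), one expired 3 days ago (rejected) and one signed by an
// unrelated CA that lists nothing (rejected). Every flag in the result should be true.
func Demo() map[string]bool {
	ca, key := newCA("Test CA")
	rogue, rogueKey := newCA("Rogue CA")
	now, th := time.Now(), 48*time.Hour
	fresh := issueCRL(ca, key, []int64{42}, now, time.Hour, 24*time.Hour)
	stale := issueCRL(ca, key, []int64{42}, now, 48*time.Hour, -12*time.Hour)
	old := issueCRL(ca, key, []int64{42}, now, 120*time.Hour, -72*time.Hour)
	forged := issueCRL(rogue, rogueKey, nil, now, time.Hour, 24*time.Hour)
	out := map[string]bool{}
	rev, st, err := checkRevocation(fresh, ca, 42, th, now)
	out["fresh_revoked"] = err == nil && rev && !st
	rev, st, err = checkRevocation(fresh, ca, 43, th, now)
	out["fresh_clean"] = err == nil && !rev && !st
	rev, st, err = checkRevocation(stale, ca, 42, th, now)
	out["stale_tolerated"] = err == nil && rev && st
	_, _, err = checkRevocation(old, ca, 42, th, now)
	out["too_old_rejected"] = err != nil
	_, _, err = checkRevocation(forged, ca, 42, th, now)
	out["rogue_issuer_rejected"] = err != nil
	return out
}

func main() { fmt.Println(Demo()) }
```

Whatever the checker bean does internally, this is the property to confirm: without the signature step, a CRL fetched over plain HTTP, or from a local mirror that others can write to, can be replaced by an empty list and every revoked certificate becomes valid again. With the step present, someone who controls the download can at best withhold updates, and that is exactly the window the expired-CRL threshold bounds, which is why a small threshold and a short refreshInterval belong together.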