Hello,

We're using CAS 3.5.0 with X509 + SPNEGO + Login/Password (LDAP/LPPE) authentication schemes. Since SSL negotiation happens at the transport layer, it should be done before all other mechanisms. In my login-webflow.xml, I've modified some transitions to wire startX509 instead of generateLoginTicket:

    <!-- else modified for X509 -->
    <decision-state id="gatewayRequestCheck">
        <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null"
            then="gatewayServicesManagementCheck"
            else="startX509" />
    </decision-state>
...
    <!-- then modified for X509 -->
    <decision-state id="renewRequestCheck">
        <if test="requestParameters.renew != '' and requestParameters.renew != null"
            then="startX509"
            else="generateServiceTicket" />
    </decision-state>

And I added the X509 authentication state; on authentication error, it continues to generateLoginTicket:

    <action-state id="startX509">
        <evaluate expression="x509Check" />
        <transition on="success" to="sendTicketGrantingTicket" />
        <transition on="warn" to="warn" />
        <transition on="error" to="generateLoginTicket" />
    </action-state>

So it should be sufficient to change all generateLoginTicket to startAuthenticate (renamed startX509 in our case because we also have SPNEGO non-interactive authentication).

Regards.

On 06/09/2012 10:10, Marco Panella wrote:
I'm trying to set up CAS 3.5.0 with both LDAP and X.509 authentication.
I built CAS with LDAP with success and authentication happens regularly.

Now, I need help in setting up the X.509 part.
Adding dependency in pom.xml seems straightforward, but I don't understand how to change login-webflow.xml.

I uncommented the fragment about x509Check and changed
                <action bean="x509Check" />
into
                <evaluate expression="x509Check" />

The wiki says to change the then and the else part of two tests.
https://wiki.jasig.org/display/CASUM/X.509+Certificates

I am unsure how to apply these changes to login-webflow.xml of CAS 3.5.0; LPPE tests (I will need them) make it quite awkward.


Does it suffice to change the string "generateLoginTicket" to "startAuthenticate"?


Thanks in advance.

Best regards
Marco Panella



--
Philippe MARASSE

Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
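For readers wiring this up, here is how the fragments above fit together in one login-webflow.xml. This is an added example, not part of either message; it assumes the stock CAS 3.5 state names generateLoginTicket and viewLoginForm and the generateLoginTicketAction bean (check your own copy of the flow), and it shows only the X509 step, without the SPNEGO state mentioned in the reply.

```xml
<!-- Added example: the X509 step sits in front of the login form.
     Both entry points (gateway and renew) now lead to startX509. -->
<decision-state id="gatewayRequestCheck">
    <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null"
        then="gatewayServicesManagementCheck"
        else="startX509" />
</decision-state>

<decision-state id="renewRequestCheck">
    <if test="requestParameters.renew != '' and requestParameters.renew != null"
        then="startX509"
        else="generateServiceTicket" />
</decision-state>

<!-- Non-interactive certificate check. "error" (no client certificate,
     or one the X509 handler rejects) falls through to the interactive form. -->
<action-state id="startX509">
    <evaluate expression="x509Check" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="warn" to="warn" />
    <transition on="error" to="generateLoginTicket" />
</action-state>

<!-- Stock CAS 3.5 state, assumed unchanged: builds the login ticket and
     shows the form. This is where the original flow entered directly. -->
<action-state id="generateLoginTicket">
    <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
    <transition on="generated" to="viewLoginForm" />
</action-state>
```

Note that with this wiring a missing or rejected certificate degrades silently to password login, which is the intended fallback here but means a certificate problem is only visible in the CAS logs for x509Check, not to the user. If certificate authentication must not fall back to passwords for some population, the "error" transition is the place to change.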

