On 07/09/2012 11:17, Marco Panella wrote:
On 09/06/2012 11:18 AM, Philippe MARASSE wrote:
Hello,
We're using CAS 3.5.0 with X509 + SPNEGO + Login/Password (LDAP/LPPE)
authentication schemes. Since SSL negotiation happens at transport
layer, it should be done before all other mechanisms. In my
login-webflow.xml, I've modified some transitions to wire startX509
instead of generateLoginTicket:
<!-- else modified for X509 -->
<decision-state id="gatewayRequestCheck">
    <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null"
        then="gatewayServicesManagementCheck"
        else="startX509" />
</decision-state>
...
<!-- then modified for X509 -->
<decision-state id="renewRequestCheck">
    <if test="requestParameters.renew != '' and requestParameters.renew != null"
        then="startX509"
        else="generateServiceTicket" />
</decision-state>
And added the X509 authentication state; on authentication error, it
continues to generateLoginTicket:
<action-state id="startX509">
    <evaluate expression="x509Check" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="warn" to="warn" />
    <transition on="error" to="generateLoginTicket" />
</action-state>
So it should be sufficient to change all generateLoginTicket to
startAuthenticate (renamed startX509 in our case because we also have
SPNEGO non interactive authentication).
Thank you very much.
I did that, and it works.
Using a second virtual host for x509 authentication on a second port
is working.
Now, I'd like to ask if there is a way to use a <Location> directive;
this will avoid problems with users behind a firewall that blocks
outgoing traffic.
Something like this:
-----
<VirtualHost cas.unipr.it:443>
[snip]
<Location /x509>
SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient require
SSLCACertificatePath /etc/pki/tls/CAs/
ProxyPass ajp://cas2.unipr.it:8009/
</Location>
SSLCARevocationPath /etc/pki/tls/CRLs/
ProxyPass / ajp://cas2.unipr.it:8009/
</VirtualHost>
-----
I tried that configuration but I get this error:
2012-09-06 13:26:50,792 DEBUG
[org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction]
- <Certificates not found in request.>
I suspect that's impossible for the fact that Location is an HTTP
feature, but I'd like to hear your (or others') opinion.
Not impossible indeed. Unfortunately, we use mod_jk instead, with this
configuration:
<IfModule mod_jk.c>
JkOptions +ForwardKeySize +ForwardSSLCertChain
JkMount /cas balancer
JkMount /cas/* balancer
</IfModule>
I had to specify some options to get the SSL certificate (and full
certification chain). By the way, it seems that on your SSL site, a client
certificate is required (/x509) and not. Consider using another SSL
option:
SSLOptions +OptRenegotiate
in the base of your virtualhost.
Regards.
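The two pieces of advice in this thread (forward the certificate and chain through mod_jk; put +OptRenegotiate at the base of the vhost so a per-Location client-certificate policy can renegotiate) combined into one Apache vhost. This is an added example, not configuration from either poster; it assumes CAS is deployed under /cas on the mod_jk worker "balancer" (as in the JkMount lines above), and the certificate/key paths are placeholders. It goes one step beyond the thread by using "optional" on the login URL, so that the startX509 -> error -> generateLoginTicket transition in the web flow can fall back to SPNEGO or the login form when the browser presents no certificate.

```apache
<VirtualHost cas.unipr.it:443>
    ServerName cas.unipr.it
    SSLEngine on
    # Placeholder server certificate and key paths (assumption)
    SSLCertificateFile    /etc/pki/tls/certs/cas.unipr.it.crt
    SSLCertificateKeyFile /etc/pki/tls/private/cas.unipr.it.key

    # Trust store and CRLs used to validate client certificates
    SSLCACertificatePath  /etc/pki/tls/CAs/
    SSLCARevocationPath   /etc/pki/tls/CRLs/

    # Base of the vhost: no client certificate demanded here.
    # +OptRenegotiate lets a <Location> with a stricter SSLVerifyClient
    # renegotiate the session only when its parameters actually differ;
    # +ExportCertData exposes SSL_CLIENT_CERT (and the chain) so mod_jk
    # can forward them to Tomcat; +StdEnvVars exposes the other SSL_* vars.
    SSLVerifyClient none
    SSLOptions +OptRenegotiate +StdEnvVars +ExportCertData

    # Only the CAS login URL asks the browser for a certificate. "optional"
    # means a user with no certificate still reaches the login page and the
    # web flow's startX509 state fails over to generateLoginTicket.
    <Location /cas/login>
        SSLVerifyClient optional
        SSLVerifyDepth 3
    </Location>

    <IfModule mod_jk.c>
        # Forward key size, client certificate and full chain over AJP so the
        # X509CertificateCredentialsNonInteractiveAction finds them in the request
        JkOptions +ForwardKeySize +ForwardSSLCertChain
        JkMount /cas balancer
        JkMount /cas/* balancer
    </IfModule>
</VirtualHost>
```

If a path that strictly refuses connections without a certificate is wanted instead (Marco's /x509 case), change SSLVerifyClient in the Location to "require"; with +OptRenegotiate already set at vhost level no further change is needed.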