> We are in the process of supporting X509 certificates for authentication of
> users. It is one thing to accept / authorize via the X509 certificate, but
> of course we need to go a step further and validate whether or not the owner
> of the certificate is allowed access via an LDAP lookup.
I'm familiar with a similar use case, but I think it's a workaround for shortcomings in standards (CRL, OCSP) and poor reference implementations. I do think both standards are workable, however, and the CRL checking implementation in CAS is production ready. I'm not sure how far you are into the PKI implementation underneath this project, but if you can issue all certs from a single trusted user CA, then you can do all the authorization checks on the server-side HTTP endpoint (e.g. SSLCACertificateFile and friends).

> We are thinking about using the EDIPI number on the end of a Common Name
> (e.g., CN = firstname.lastname.<edipi number>). The smart cards that will
> be used append this unique number (EDIPI) on the end of the CN.

I would expect this attribute to be in some field in the certificate, either a custom extension OID or as a distinct attribute in the subject DN. If yes, then I can recommend an implementation that avoids parsing the string representation of the subject DN, which can get tricky in edge cases. Best to avoid if possible. In either case it may be necessary to develop your own CredentialsToPrincipalResolver, but those components are fairly simple.

M
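Added example, not code from the list post or from the CAS project: a CredentialsToPrincipalResolver that pulls the EDIPI off the end of the CN without hand-parsing the subject DN string. It assumes the CAS 3 API names (`CredentialsToPrincipalResolver`, `X509CertificateCredentials`, `SimplePrincipal`) and assumes the EDIPI is a 10-digit numeric suffix after the last dot of the CN; the class and method names are hypothetical. The DN is handed to the JDK's `LdapName`, which applies RFC 2253 escaping and quoting rules, so only the CN value itself is split.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;
// Assumed CAS 3 package for the X.509 credentials wrapper.
import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials;

/**
 * Hypothetical resolver: principal id = EDIPI taken from the end of the
 * subject CN (CN = firstname.lastname.<edipi>). Identity only; whether the
 * holder is allowed in is still decided by the LDAP lookup that follows.
 */
public final class EdipiCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver {

    public Principal resolvePrincipal(final Credentials credentials) {
        final X509Certificate cert = ((X509CertificateCredentials) credentials).getCertificate();
        final String edipi = extractEdipi(cert);
        // Returning null tells CAS no principal could be resolved.
        return edipi == null ? null : new SimplePrincipal(edipi);
    }

    public boolean supports(final Credentials credentials) {
        return credentials instanceof X509CertificateCredentials;
    }

    /** Walk the RDNs structurally instead of regexing the whole DN string. */
    static String extractEdipi(final X509Certificate cert) {
        // RFC 2253 form from the JDK; LdapName then handles escapes and quoting.
        final String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        try {
            final LdapName name = new LdapName(dn);
            for (final Rdn rdn : name.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return edipiFromCn(String.valueOf(rdn.getValue()));
                }
            }
        } catch (final InvalidNameException e) {
            return null; // malformed DN: refuse rather than guess
        }
        return null; // no CN present
    }

    /** Last dot-separated token of the CN, accepted only if it looks like an EDIPI. */
    static String edipiFromCn(final String cn) {
        final int dot = cn.lastIndexOf('.');
        if (dot < 0 || dot == cn.length() - 1) {
            return null;
        }
        final String tail = cn.substring(dot + 1);
        // Assumption: EDIPI is exactly 10 digits; anything else is rejected so a
        // CN like "john.doe" never yields "doe" as a principal id.
        return tail.matches("\\d{10}") ? tail : null;
    }
}
```

Wire it in as the resolver for the X.509 handler in the usual CAS Spring configuration. Note that this only establishes who the certificate names; chain validation against the trusted user CA and the CRL/OCSP check still happen before this runs, and the resolved EDIPI is then what the LDAP authorization lookup keys on.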