Marvin,

Sorry, I am still working on this. I did take a look at your examples, thanks. Still trying to piece things together.

You have created an edu.vt.middleware.cas.authentication.principal.PDCCredentialsToPrincipalResolver (extending edu.vt.middleware.cas.authentication.principal.AbstractCredentialsToPrincipalResolver) that basically extracts the UID from the certificate through the resolvePrincipalId() method. Then you have an abstract class AbstractCredentialsToPrincipalResolver (implementing CredentialsToPrincipalResolver) that hosts the protected resolvePrincipalId() method.

Can I assume that in your deployerConfigContext.xml file you have the PDCCredentialsToPrincipalResolver declared in the credentialsToPrincipalResolvers property?

I guess I am also missing the connection of how the LDAP lookup comes into play. I see some code in your custom AbstractCredentialsToPrincipalResolver class that seems to be involved but don't understand how it comes into play. Is there more set up in the deployerConfigContext.xml file that I am missing? Is there a way you can share your deployerConfigContext.xml file, or a portion of it, so I can see how you set up the configuration file?

Thanks
Schawn

________________________________
From: Marvin Addison <[email protected]>
To: [email protected]
Sent: Wednesday, September 26, 2012 12:58 PM
Subject: Re: [cas-user] Using LDAP and X509 for authentication/authorization

> We are not fronted with Apache. So Tomcat is both
> the server and servlet container in our case.

Tomcat has the same features, but the details depend upon the kind of connector (BIO/NIO vs APR). See http://tomcat.apache.org/tomcat-7.0-doc/config/http.html for more info.

> I have the example set up and it seems to
> be accepting my X509 certificate and allowing me to login, but that is just
> with the basic X509 authentication, I still need to validate that the user
> is allowed into the site, via an LDAP lookup.

We actually do something conceptually similar. You'll have to roll your own CToPResolver, but I can offer some inspiration in code we have used successfully for a similar purpose:

https://svn.middleware.vt.edu/svn/middleware/cas/cas-server/tags/cas-server-3.4.12/vt-cas-server-ext/src/main/java/edu/vt/middleware/cas/authentication/principal/AbstractCredentialsToPrincipalResolver.java
https://svn.middleware.vt.edu/svn/middleware/cas/cas-server/tags/cas-server-3.4.12/vt-cas-server-ext/src/main/java/edu/vt/middleware/cas/authentication/principal/PDCCredentialsToPrincipalResolver.java

In our case the attribute on the DN is called UID and we use that to perform a directory lookup to resolve the principal. You should be able to adapt it to your use case fairly easily.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
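As an added illustration (not code from Marvin's VT extension or from the CAS project), here is a CAS 3.4-style CredentialsToPrincipalResolver that pulls the UID RDN out of the client certificate's subject DN and refuses to produce a principal unless that uid exists in the directory; the class name, its ldapUrl/baseDn properties and the directory names are assumptions, and the org.jasig.cas imports assume the CAS 3.4 API the thread refers to. Such a bean would be listed in the credentialsToPrincipalResolvers property of the authenticationManager bean in deployerConfigContext.xml.

```java
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials;
import org.jasig.cas.authentication.principal.*;

/** Maps the UID RDN of the client certificate to a CAS principal, but only if that uid exists in LDAP. */
public final class LdapCheckedX509Resolver implements CredentialsToPrincipalResolver {
    private final String ldapUrl; // hypothetical bean properties set in deployerConfigContext.xml,
    private final String baseDn;  // e.g. ldaps://ldap.example.org and ou=people,dc=example,dc=org (placeholders)

    public LdapCheckedX509Resolver(final String ldapUrl, final String baseDn) { this.ldapUrl = ldapUrl; this.baseDn = baseDn; }

    public boolean supports(final Credentials c) { return c instanceof X509CertificateCredentials; }

    public Principal resolvePrincipal(final Credentials credentials) {
        final X509Certificate cert = ((X509CertificateCredentials) credentials).getCertificate();
        final String uid = rdnValue(cert.getSubjectX500Principal(), "UID");
        // A trusted certificate alone is not enough: no UID, or a uid unknown to LDAP, yields no principal,
        // and CAS treats a missing principal as a failed authentication.
        return (uid != null && existsInDirectory(uid)) ? new SimplePrincipal(uid) : null;
    }

    /** Value of the first RDN of the given type in the subject DN (type compared case-insensitively), or null. */
    static String rdnValue(final X500Principal subject, final String type) {
        try {
            for (final Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns()) {
                if (rdn.getType().equalsIgnoreCase(type)) return rdn.getValue().toString();
            }
        } catch (final NamingException e) { /* unparsable DN: treat as absent */ }
        return null;
    }

    /** Subtree search for the uid; passing it as a filter argument lets JNDI escape it, so the DN value cannot alter the filter. */
    private boolean existsInDirectory(final String uid) {
        final Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            final SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // existence check only, fetch no attributes
            return ctx.search(baseDn, "(uid={0})", new Object[] {uid}, sc).hasMore();
        } catch (final NamingException e) {
            return false; // directory unreachable or search error: fail closed
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (final NamingException ignored) { } }
        }
    }
}
```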
