Hi, Marvin. Sorry to bother you.
Recently I explained what I want to implement. I have a problem with custom
credentials.
I'll explain my business logic to you once more. I implemented some
services for a dynamic jnlp file with some parameters (there are
JSESSIONID, action, loginTicket, execution and challenge; the challenge
contains some server data/description, a timestamp (put in session scope),
a sequence number (put in session scope) and the issuer (CAS) signature, so
the challenge is XML but converted to a Base64 string). Now on the client
side, when the user "downloads" (runs) that generated jnlp, the next thing
he needs to do is sign that challenge with his own certificate on the
smartcard and send a POST request with the needed parameters and also the
challenge (again as Base64) to CAS.
Then on the server side I meant to implement custom credentials, but I'm
not sure how; I don't know much about CAS and how X509Credentials operate
now. OK, I know I have the source code for that, but I still have a
problem. If you can, suggest to me how to implement that. What I meant to
do is: when the client sends that POST request with credentials, some
service on the server will validate the signature, extract the certificate
from the signature, so then I have an X509Certificate, check the validity
of the certificate, get the UID from the cert and search LDAP for the user
with that UID. There are a few more steps after that (get the cert for the
user from LDAP and compare the certificates, remove the timestamp and
sequence number from the session)...

I hope you will have patience with me :D

On Tue, Feb 12, 2013 at 4:02 PM, Marvin Addison <[email protected]> wrote:

> > I understand this, and know how certificates and CRLs work. When I said
> > I'm using LDAP from where I want to get the user certificate, I thought
> > of it in the way that each user has his own certificate, which is stored
> > in the people entry on LDAP, but also that the certificate is stored in
> > a trusted keystore file.
>
> That would fall under certificate verification. You would do it in
> lieu of a CRL check, for example. Again, it has nothing to do with
> proving whether the presenter of the certificate possesses the key;
> that is a vital computation and one that MUST be done via client SSL
> to ensure adequate security.
>
> > All I wanted is to get the certificate from the signature, then get the
> > uid from the certificate, and with that uid find the user on LDAP, get
> > the certificate from the LDAP user entry and compare them; I'll also
> > check whether the certificate is trusted and whether it is revoked.
>
> You can do as you like, but anything other than client SSL is likely
> to be more difficult to implement and harder to demonstrate it meets
> security requirements. If, on the other hand, you follow the
> recommendations of the wiki page I cited, you'll be on sound footing.
>
> > Is there any documentation and are there examples about using X.509 and
> > CRLs, and what do I need to test it (hardware token - can I use some
> > keystore file for it)?
>
> Please search the list archives for discussion of CRL support. I
> described it recently and provided a fair bit of documentation
> citations; searching the Google Groups mirror likely provides the best
> search interface:
>
> https://groups.google.com/forum/?fromgroups#!forum/jasig-cas-user
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>



-- 
Regards,
Mihalj
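Marvin's point, that a signed challenge is only as good as the code that proves possession and binds the challenge to the session, is easiest to see in running code. The following is an added example written for this page in Python with the `cryptography` package; it is not code from the thread, from CAS or from Mihalj's services. It models the whole round trip described above: the server (standing in for CAS) issues a challenge carrying issuer, sequence number, timestamp, nonce and issuer signature and keeps it in session scope; the client signs the decoded challenge with the user's private key (the smartcard's job); the server verifies that signature under the presented certificate, checks the certificate's dates and CA signature, reads the uid from the subject, compares the certificate byte for byte with the copy in an in-memory dict standing in for the LDAP entry, and consumes the challenge so the same POST cannot be replayed. Assumptions not in the original: the certificate travels alongside a raw PKCS#1 v1.5 signature rather than inside a CMS/PKCS#7 SignedData (in Java, BouncyCastle's CMSSignedData is where you would pull the signer certificate from); the uid is the subject's UID attribute; the CA, user and server keys are generated on the fly; and the names Server, issue_cert, client_sign, AuthError and JSESSIONID-1/2 are made up for the example. Revocation checking is deliberately left out.

```python
# Added example, not code from the thread or from CAS; keys, certs and the "directory" are constructed.
import base64, datetime, hmac, secrets
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC, PKCS1, SHA256 = datetime.timezone.utc, padding.PKCS1v15(), hashes.SHA256()
CHALLENGE_TTL = datetime.timedelta(minutes=5)
new_key = lambda: rsa.generate_private_key(65537, 2048)
now = lambda: datetime.datetime.now(UTC)
# What the smartcard does on the client: sign the decoded challenge bytes with the user's key.
client_sign = lambda challenge, user_key: user_key.sign(base64.b64decode(challenge), PKCS1, SHA256)

class AuthError(Exception):
    pass

def issue_cert(subject, issuer, issuer_key, public_key, days=365):
    """Minimal X.509 issuance; a real CA would add key usage, SAN and CRL DP extensions."""
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now() - datetime.timedelta(minutes=1))
            .not_valid_after(now() + datetime.timedelta(days=days)).sign(issuer_key, SHA256))

class Server:
    """Stand-in for the CAS-side services: issues challenges and verifies the signed POST."""

    def __init__(self, server_key, ca_cert, directory):
        self.key, self.ca_cert = server_key, ca_cert  # issuer (CAS) key; trust anchor for users
        self.directory = directory                    # {uid: certificate DER}, stands in for LDAP
        self.sessions, self.seq = {}, 0               # pending challenge per session id

    def issue_challenge(self, session_id):
        """Challenge = XML body + issuer signature, Base64 encoded, as placed in the JNLP."""
        self.seq += 1
        body = ("<challenge><issuer>CAS</issuer><seq>%d</seq><ts>%s</ts><nonce>%s</nonce>"
                "</challenge>" % (self.seq, now().isoformat(), secrets.token_hex(16))).encode()
        challenge = base64.b64encode(body + b"|" + self.key.sign(body, PKCS1, SHA256)).decode()
        self.sessions[session_id] = (challenge, now())  # session scope; the nonce makes it unique
        return challenge

    def authenticate(self, session_id, challenge, cert_der, signature):
        """Return the uid on success, raise AuthError otherwise. A challenge is usable once."""
        pending = self.sessions.pop(session_id, None)  # consumed even when the attempt fails
        if pending is None:
            raise AuthError("no pending challenge for this session")
        if now() - pending[1] > CHALLENGE_TTL:
            raise AuthError("challenge expired")
        if not hmac.compare_digest(challenge, pending[0]):
            raise AuthError("challenge is not the one issued to this session")
        cert = x509.load_der_x509_certificate(cert_der)
        # 1. Proof of possession: the signature over the challenge verifies under the presented key.
        try:
            cert.public_key().verify(signature, base64.b64decode(challenge), PKCS1, SHA256)
        except InvalidSignature:
            raise AuthError("challenge signature does not verify")
        # 2. Certificate validity: within its dates and signed by our trust anchor.
        dates = [getattr(cert, a + "_utc", None) or getattr(cert, a).replace(tzinfo=UTC)
                 for a in ("not_valid_before", "not_valid_after")]
        if not (dates[0] <= now() <= dates[1]):
            raise AuthError("certificate outside its validity period")
        try:
            self.ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                             PKCS1, cert.signature_hash_algorithm)
        except InvalidSignature:
            raise AuthError("certificate signature does not verify")
        # Revocation (CRL/OCSP) is left out here and must be added before this goes live.
        # 3. Identity: exactly one uid in the subject, and the directory copy matches byte for byte.
        uids = cert.subject.get_attributes_for_oid(NameOID.USER_ID)
        if len(uids) != 1:
            raise AuthError("subject must carry exactly one uid")
        stored = self.directory.get(uids[0].value)
        if stored is None or not hmac.compare_digest(stored, cert_der):
            raise AuthError("certificate does not match the directory entry for " + uids[0].value)
        return uids[0].value

def demo():
    """Happy path, the same POST replayed, and an impostor with a CA-issued cert for the same uid."""
    ca_key, user_key, other_key = new_key(), new_key(), new_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    ca_cert = issue_cert(ca_name, ca_name, ca_key, ca_key.public_key(), days=3650)
    uid_name = x509.Name([x509.NameAttribute(NameOID.USER_ID, "mihalj")])
    user_der, other_der = [issue_cert(uid_name, ca_name, ca_key, k.public_key())
                           .public_bytes(serialization.Encoding.DER) for k in (user_key, other_key)]
    server = Server(new_key(), ca_cert, {"mihalj": user_der})

    def attempt(sid, challenge, der, key):
        try:
            return "accepted " + server.authenticate(sid, challenge, der, client_sign(challenge, key))
        except AuthError as e:
            return "rejected: " + str(e)

    first, second = server.issue_challenge("JSESSIONID-1"), server.issue_challenge("JSESSIONID-2")
    return [attempt("JSESSIONID-1", first, user_der, user_key),
            attempt("JSESSIONID-1", first, user_der, user_key),     # replayed POST
            attempt("JSESSIONID-2", second, other_der, other_key)]  # wrong key, same uid
```

Calling demo() gives three outcomes: the genuine login is accepted as mihalj; the replayed POST is rejected because the challenge was consumed when the session entry was removed (the "remove timestamp and sequence number from session" step); and a certificate issued by the same CA for the same uid but under a different key is rejected at the directory comparison. Note what this does not give you, which is Marvin's point: the single use of the challenge, the TTL, the binding to the session and the certificate checks are all code you have to get right and keep right, whereas with client SSL the TLS handshake proves possession of the key before your code runs at all.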
