> I'll explain to you one more time my business logic. I have implemented some
> services for a dynamic jnlp file with some parameters (there are JSESSIONID,
> action, loginTicket, execution and challenge - challenge contains some
> server data/description, timestamp (put in session scope), sequence
> number (put in session scope) and issuer (CAS) signature, so the challenge was
> xml but converted to a Base64 String). Now on the client side, when the user
> "downloads" (runs) that generated jnlp, the next thing he needs to do is to sign that
> challenge with his own certificate on the smartcard and send a POST request with the
> needed parameters and also the challenge (again as Base64) to CAS.

I must admit I'm a little puzzled by your use case and the obstacles
for which you've reached out for help. I would imagine generating the
signature and interacting with a browser or other user agent to send
both the signature and the cert are orders of magnitude harder than
figuring out how to make CAS validate it as an authentication
mechanism.

> Then on the server
> side I meant to implement custom credentials but I'm not sure how; I don't
> know much about CAS and how X509Credentials now operate.

Assuming base64 for both sig and cert you would have the following:

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class X509SignatureCredentials {
  /** Base64-encoded DER certificate read from the smartcard. */
  private final String certificate;

  /** Base64-encoded raw signature bytes over the challenge. */
  private final String signature;

  public X509SignatureCredentials(final String certificate, final String signature) {
    this.certificate = certificate;
    this.signature = signature;
  }

  /** Decodes the base64 DER data into an X509Certificate. */
  public X509Certificate decodeCertificate() throws CertificateException {
    final byte[] der = Base64.getDecoder().decode(certificate);
    return (X509Certificate) CertificateFactory.getInstance("X.509")
        .generateCertificate(new ByteArrayInputStream(der));
  }

  /** Decodes the base64 signature into raw signature bytes; the algorithm is assumed by the caller. */
  public byte[] decodeSignature() {
    return Base64.getDecoder().decode(signature);
  }
}

The signature data could just be the signed bytes and you would have
to assume the signature algorithm (e.g. RSA) and algorithm parameters;
otherwise you'll have to devise an encoding mechanism for that data.
There is no existing standard for this afaik.

You will also have to tackle the problem of getting the data you POST
into your credentials object. Review Spring Webflow for that.

I would rate this implementation as advanced; you'll need a
substantial knowledge of crypto and X.509 in addition to CAS to
succeed. Best of luck.

M
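The server-side check the thread is circling around, as an added example that is not code from the reply above or from CAS itself: decode the POSTed certificate and signature, confirm the challenge is the one issued for this session (the timestamp/sequence number kept in session scope), and verify the signature with the certificate's public key. It assumes SHA256withRSA over the raw challenge bytes, and the main() stands a throwaway key pair in for the smartcard certificate because a DER cert cannot be minted with the plain JDK.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/** Added example: validates the signed challenge a client POSTs back to CAS. */
public final class ChallengeVerifier {
  // Assumption: the client signs the raw challenge bytes with SHA256withRSA.
  private static final String SIG_ALG = "SHA256withRSA";

  /** Decodes a base64 DER certificate and rejects it outside its validity period. */
  static X509Certificate decodeCertificate(String base64Der) throws Exception {
    byte[] der = Base64.getDecoder().decode(base64Der);
    X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
        .generateCertificate(new ByteArrayInputStream(der));
    cert.checkValidity(); // throws if expired or not yet valid
    return cert;
  }

  /** True only if the signature covers exactly the challenge issued for this session. */
  static boolean verify(PublicKey key, String base64Challenge, String base64Signature,
                        String sessionChallenge) throws GeneralSecurityException {
    byte[] challenge = Base64.getDecoder().decode(base64Challenge);
    // Replay/substitution check: the POSTed challenge must equal the one stored in session scope.
    byte[] expected = sessionChallenge.getBytes(StandardCharsets.UTF_8);
    if (!MessageDigest.isEqual(challenge, expected)) return false;
    Signature sig = Signature.getInstance(SIG_ALG);
    sig.initVerify(key); // in production: decodeCertificate(...).getPublicKey()
    sig.update(challenge);
    return sig.verify(Base64.getDecoder().decode(base64Signature));
  }

  public static void main(String[] args) throws Exception {
    // Constructed demo: a fresh RSA key pair plays the role of the smartcard certificate.
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(2048);
    KeyPair kp = kpg.generateKeyPair();
    String challenge = "<challenge><seq>42</seq><ts>1700000000</ts></challenge>";
    Signature s = Signature.getInstance(SIG_ALG);
    s.initSign(kp.getPrivate());
    s.update(challenge.getBytes(StandardCharsets.UTF_8));
    String b64Sig = Base64.getEncoder().encodeToString(s.sign());
    Base64.Encoder enc = Base64.getEncoder();
    String b64Chal = enc.encodeToString(challenge.getBytes(StandardCharsets.UTF_8));
    String b64Old = enc.encodeToString(challenge.replace("42", "41").getBytes(StandardCharsets.UTF_8));
    System.out.println("genuine: " + verify(kp.getPublic(), b64Chal, b64Sig, challenge));
    System.out.println("stale sequence: " + verify(kp.getPublic(), b64Old, b64Sig, challenge));
  }
}
```

The stale-sequence case fails before any crypto runs, which is the point of keeping the issued challenge in session scope rather than trusting whatever the client POSTs.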

-- 
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user