Hi everyone,

We just finished our 3.5.2 -> 4.0.1 upgrade.

X509 + LDAP + a custom ldapPersonAttributeDao was a little tricky, so I'll
share my solution.

*1) Add the cas-server-support-x509 to pom.xml*

    <!-- CAS X.509 support module; the version is taken from the pom's cas.version property. -->
    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-support-x509</artifactId>
        <version>${cas.version}</version>
    </dependency>
>

*2) Add the action to login-webflow.xml *

<!-- Non-interactive X.509 check that runs before the login form is shown.
     success -> issue the ticket-granting ticket directly.
     error   -> fall back to the regular login-ticket flow (form login).
     NOTE(review): a failed certificate check is therefore not a hard deny;
     the user is simply routed to form login - confirm that is intended. -->
<action-state id="startAuthenticate">
    <evaluate expression="x509Check" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="warn" to="warn" />
    <transition on="error" to="generateLoginTicket" />
</action-state>

>
*3) Find/Replace the generateLoginTicket string with startAuthenticate*

*4) Create the bean x509Check in cas-servlet.xml*

  <!-- Web-flow action referenced by the startAuthenticate state in login-webflow.xml;
       presumably it submits the client certificate to the CAS as a credential. -->
  <bean id="x509Check"
        class="org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction"
        p:centralAuthenticationService-ref="centralAuthenticationService" />


*5) Add the X.509 authentication beans to deployersConfigContext.xml*

 
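        <!-- CRL location used by revocationChecker below. The trailing ';' after the URL in the
             original post is a mail artefact that breaks XML parsing; it is removed here.
             NOTE(review): the CRL is fetched over plain http, so its integrity rests on the CRL
             signature check - confirm the checker validates it against the issuer, or serve it over https. -->
        <bean id="crlResource"
              class="org.springframework.core.io.UrlResource"
              c:path="http://link.to.file.crl" />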
 
        <!-- Revocation policy that lets the certificate through (see its use in revocationChecker). -->
        <bean id="allowPolicy"
              class="org.jasig.cas.adaptors.x509.authentication.handler.support.AllowRevocationPolicy" />
 
        <!-- Revocation policy that rejects the certificate.
             NOTE(review): defined but not referenced by any bean shown in this post. -->
        <bean id="denyPolicy"
              class="org.jasig.cas.adaptors.x509.authentication.handler.support.DenyRevocationPolicy" />
 
        <!-- Tolerates an expired CRL up to the given threshold (unit not shown here; CAS documents
             it in seconds - confirm). NOTE(review): not wired to revocationChecker in this post. -->
        <bean id="thresholdPolicy"
              class="org.jasig.cas.adaptors.x509.authentication.handler.support.ThresholdExpiredCRLRevocationPolicy"
              p:threshold="3600" />
 
        <!-- Checks presented certificates against crlResource, refreshing it every refreshInterval
             (unit not shown here; CAS documents it in seconds - confirm).
             NOTE(review): unavailableCRLPolicy points at allowPolicy, so whenever the CRL cannot be
             fetched revocation is effectively not enforced (fail-open). Prefer denyPolicy (defined
             above, unused) unless that trade-off is deliberate. No expired-CRL policy is wired here
             either, so thresholdPolicy is also unused. -->
        <bean id="revocationChecker"
              class="org.jasig.cas.adaptors.x509.authentication.handler.support.ResourceCRLRevocationChecker"
              c:crl-ref="crlResource"
              p:refreshInterval="600"
              p:unavailableCRLPolicy-ref="allowPolicy" />
 
        <!-- Authentication handler for X.509 client certificates.
             trustedIssuerDnPattern (redacted in the post) is matched against the issuer DN as a
             regular expression - anchor it so only the intended issuer matches.
             NOTE(review): maxPathLength=Integer.MAX_VALUE together with
             maxPathLengthAllowUnspecified=true effectively disables the chain-length limit;
             set it to the real depth of your PKI.
             checkKeyUsage/requireKeyUsage presumably make a missing or unsuitable key-usage
             extension a rejection - confirm against the handler's documentation. -->
        <bean id="x509Handler"
              class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler"
              p:trustedIssuerDnPattern="CN=********"
              p:maxPathLength="2147483647"
              p:maxPathLengthAllowUnspecified="true"
              p:checkKeyUsage="true"
              p:requireKeyUsage="true"
              p:revocationChecker-ref="revocationChecker" />



*6) Register the x509Handler in the authenticationManager bean in deployersConfigContext.xml*


<!-- Handler -> principal-resolver map: each entry pairs an authentication handler with the
     resolver that turns its credential into a principal. "...." stands for the existing
     (non-X.509) entries, which must be kept. -->
<bean id="authenticationManager" 
class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg>
            <map>
               ....              

               <!-- X.509 credentials are resolved by chainResolver (step 7): certificate subject first, then LDAP. -->
               <entry key-ref="x509Handler" value-ref="chainResolver"/>

  </map> </constructor-arg>


<!-- Records which handler succeeded as authentication metadata. -->
<property name="authenticationMetaDataPopulators"> <list> <bean class=
"org.jasig.cas.authentication.SuccessfulHandlerMetaDataPopulator" /> </list> 
</property>



*7) Add the chainResolver bean and the X.509 client attribute you want (in this
case: SERIALNUMBER)*

       <!-- Principal resolution for X.509 logins, in chain order:
              1. x509PrincipalResolver - principal id taken from the certificate subject using the
                 $SERIALNUMBER descriptor (presumably the serialNumber RDN of the subject DN).
              2. ldapPrincipalResolver - looks that id up through ldapPersonAttributeDao (step 8);
                 principalAttributeName="mail" presumably makes the resolved "mail" attribute the
                 final principal id - confirm that attribute survives resultAttributeMap (step 8). -->
       <bean id="chainResolver"
             class="org.jasig.cas.authentication.principal.ChainingPrincipalResolver">
           <property name="chain">
               <list>
                   <bean id="x509PrincipalResolver"
                         class="org.jasig.cas.adaptors.x509.authentication.principal.X509SubjectPrincipalResolver"
                         p:descriptor="$SERIALNUMBER" />
                   <bean id="ldapPrincipalResolver"
                         class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
                         p:principalAttributeName="mail">
                       <property name="attributeRepository" ref="ldapPersonAttributeDao" />
                   </bean>
               </list>
           </property>
       </bean>


*8) Now you need to create the ldapPersonAttributeDao bean (in this case I want
to compare the SERIALNUMBER with the employeeID attribute in LDAP)*


        <!-- Enables Spring's JSR-250 annotation processing (@PostConstruct/@Resource);
             presumably needed for LdapPersonAttributeDao's initialisation - confirm. -->
        <bean class="org.springframework.context.annotation.CommonAnnotationBeanPostProcessor" />
 
        <!-- Resolves the principal id to LDAP attributes: subtree search under baseDN with the
             filter employeeID={0}, {0} being the id produced by the preceding resolver (the
             certificate serial number in this setup).
             NOTE(review): that id originates from a client-presented certificate; confirm the DAO
             escapes the {0} value (RFC 4515) so filter metacharacters in it cannot alter the query.
             resultAttributeMapping renames the returned LDAP attributes (see resultAttributeMap). -->
        <bean id="ldapPersonAttributeDao"
              class="org.jasig.cas.persondir.LdapPersonAttributeDao"
              p:baseDN="DC=domain,DC=local"
              p:searchFilter="employeeID={0}"
              p:searchControls-ref="searchControls"
              p:connectionFactory-ref="searchPooledLdapConnectionFactory"
              p:resultAttributeMapping-ref="resultAttributeMap" />
 
 
                <!-- Attribute rename map, presumably key = LDAP attribute, value = exposed name
                     (needs the util namespace declared on the root element).
                     NOTE(review): "principalAttributeName" is not an LDAP attribute name, so the
                     second entry looks like a leftover; and with mail renamed to uid, check that the
                     ldapPrincipalResolver (principalAttributeName="mail") still finds "mail". -->
                <util:map id="resultAttributeMap">
                    <entry key="mail" value="uid" />
                    <entry key="principalAttributeName" value="mail" />
                </util:map>
 
         <!-- javax.naming.directory.SearchControls: searchScope 2 = SUBTREE_SCOPE; at most 10
              entries per search. NOTE(review): SearchControls.timeLimit is in milliseconds, so
              3600 is 3.6 s rather than an hour - probably not what was intended. -->
         <bean id="searchControls"
               class="javax.naming.directory.SearchControls"
               p:searchScope="2"
               p:countLimit="10"
               p:timeLimit="3600" />
 
 
 
        <!-- Connection factory handed to ldapPersonAttributeDao; draws connections from searchConnectionPool. -->
        <bean id="searchPooledLdapConnectionFactory"
              class="org.ldaptive.pool.PooledConnectionFactory"
              p:connectionPool-ref="searchConnectionPool" />
 
        <!-- Template (abstract) pool definition inherited by searchConnectionPool.
             ldapPoolConfig, searchValidator and pruneStrategy are referenced but not shown in
             this post and must be defined elsewhere.
             NOTE(review): ldaptive 1.x blockWaitTime is in milliseconds - confirm 3600 (3.6 s) is intended. -->
        <bean id="abstractConnectionPool" abstract="true"
              class="org.ldaptive.pool.BlockingConnectionPool"
              init-method="initialize"
              p:poolConfig-ref="ldapPoolConfig"
              p:blockWaitTime="3600"
              p:validator-ref="searchValidator"
              p:pruneStrategy-ref="pruneStrategy" />
 
 
        <!-- Concrete pool for attribute searches; settings inherited from abstractConnectionPool. -->
        <bean id="searchConnectionPool" parent="abstractConnectionPool"
              p:connectionFactory-ref="searchConnectionFactory" />
 
        <!-- Creates the raw LDAP connections that the pool manages. -->
        <bean id="searchConnectionFactory"
              class="org.ldaptive.DefaultConnectionFactory"
              p:connectionConfig-ref="searchConnectionConfig" />
 
        <!-- Connection settings for searches: abstractConnectionConfig plus a bind on connect
             (bean order does not matter; Spring resolves the parent by id). -->
        <bean id="searchConnectionConfig" parent="abstractConnectionConfig"
              p:connectionInitializer-ref="bindConnectionInitializer" />
 
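        <!-- Shared LDAP connection settings (inherited by searchConnectionConfig). The trailing
             ';' after ldapUrl in the original post breaks XML parsing; it is removed here.
             NOTE(review): ldap:// with useStartTLS="false" sends the bind (including the password
             from bindConnectionInitializer) and every search in cleartext; use ldaps:// or enable
             StartTLS. sslConfig (not shown in this post) presumably only applies on such a connection.
             ldaptive 1.x connectTimeout is in milliseconds - confirm 3600 (3.6 s) is intended. -->
        <bean id="abstractConnectionConfig" abstract="true"
              class="org.ldaptive.ConnectionConfig"
              p:ldapUrl="ldap://url.to.your.ldap"
              p:connectTimeout="3600"
              p:useStartTLS="false"
              p:sslConfig-ref="sslConfig" />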
 
 
        <!-- Service-account bind performed on each new connection (values redacted in the post).
             NOTE(review): keep the password out of the XML - inject it via a property placeholder
             from a file outside the webapp - and give the bind account read-only rights to the
             attributes the search needs. -->
        <bean id="bindConnectionInitializer"
              class="org.ldaptive.BindConnectionInitializer"
              p:bindDn="CN=***,CN=Users,DC=domain,DC=local">
            <property name="bindCredential">
                <bean class="org.ldaptive.Credential"
                      c:password="****" />
            </property>
        </bean>

*9) [OPTIONAL] If you want to pre-process the attributes from the X509 
certificate you can rewrite the LdapPersonAttributeDao class:*

  9.1) add the maven compiler plugin to your *pom.xml*

<!-- Compiler plugin so the overridden LdapPersonAttributeDao.java under src/main/java is built. -->
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-compiler-plugin</artifactId>
    <version>3.2</version>
</plugin>
>

  9.2) Copy the original *LdapPersonAttributeDao.java* to
your-cas-maven-root/src/main/java/org/jasig/cas/persondir

  9.3) Compile your new file with *maven*.

Hope this helps someone in the future.

Cheers,
Francisco E

