Hi, I am very happy to have succesfully set up the x509 authentication for CAS (I'm using the Belgian e-id and that works great; Tomcat only setup). However I don't want all Belgian citizens to be able to login to our CAS (they all have a trusted certificate). And I don't want to list all our user DNs in the CAS configuration either ;). So I should check the certificate data against our user repository. I suppose it is best to write a new x509 authHandler that checks a certain part of the certificate against our user repository (LDAP). Any other ideas?
The next step for us will be to translate certificate data into our current userId (which is not in the certificate, but in our user repository). That's certainly needed since it is impossible to change for example all email accounts (for webmail using CAS). That way we can also use both client certificates (smartcards) and usernamePassword interchangeable. In a later phase we would start limiting certain users to only use the certificate when using CAS login (that's a feature we'll want to see in our LDAP or RADIUS authHandler but I think we can configure that in our LDAP backend too). In the CAS logic it feels best to do this translation in a "credentialsToPrincipalResolvers" implementation. However it feels as if both operations could be done more efficiently in one pass. Any ideas about that? Thank you very much! [of course, if my code works I'd happy to donate it to the CAS project so a lot of people can benefit from it] --Velpi _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
