Velpi,

You may set up a filter for the subject-DN part of your certificates. For example, you can filter on a specific OU: look for the "authenticationHandlers" - "X509CredentialsAuthenticationHandler" section in deployerConfigContext.xml. There you have to add a new property:

    <property name="subjectDnPattern" value="[regular expression of subject DNs to allow]" />

As you mentioned below, your second step requires a new credentialsToPrincipalResolvers implementation, which resolves the data from the certificate and executes an LDAP lookup to get additional attributes. I think it's better and cleaner to separate the process of authentication/authorization from the gathering of user information.

Regards
Ronny

__________________________________________

On 16 Jun 2006, "Velpi" wrote:

Hi,

I am very happy to have successfully set up the x509 authentication for CAS (I'm using the Belgian e-id and that works great; Tomcat-only setup). However, I don't want all Belgian citizens to be able to log in to our CAS (they all have a trusted certificate). And I don't want to list all our user DNs in the CAS configuration either ;). So I should check the certificate data against our user repository. I suppose it is best to write a new x509 authHandler that checks a certain part of the certificate against our user repository (LDAP). Any other ideas?

The next step for us will be to translate certificate data into our current userId (which is not in the certificate, but in our user repository). That's certainly needed since it is impossible to change, for example, all email accounts (for webmail using CAS). That way we can also use both client certificates (smartcards) and usernamePassword interchangeably. In a later phase we would start limiting certain users to only use the certificate when using CAS login (that's a feature we'll want to see in our LDAP or RADIUS authHandler, but I think we can configure that in our LDAP backend too).

In the CAS logic it feels best to do this translation in a "credentialsToPrincipalResolvers" implementation. However, it feels as if both operations could be done more efficiently in one pass. Any ideas about that?

Thank you very much!

[Of course, if my code works I'd be happy to donate it to the CAS project so a lot of people can benefit from it.]

--Velpi

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
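As an added illustration (not code from this thread or from CAS itself), the Python below shows the pitfall behind a subjectDnPattern value such as ".*OU=Staff.*": an unanchored regex also accepts DNs whose OU merely starts with "Staff" or whose CN happens to contain that text, whereas an anchored pattern, or an exact comparison of the parsed OU attribute, does not. The subject DNs are constructed samples, and treating the pattern as a match over the whole DN string is an assumption about how the handler applies it.

```python
import re

# Constructed sample subject DNs in RFC 2253 string form (not from real certificates).
STAFF_DN = "CN=Jane Doe,OU=Staff,O=Example University,C=BE"
CONTRACTOR_DN = "CN=John Roe,OU=Staff-Contractors,O=Example University,C=BE"
ESCAPED_DN = "CN=Roe\\, John,OU=Staff,O=Example University,C=BE"
# A CN value that merely contains the text "OU=Staff" (comma escaped, so it is one RDN).
LOOKALIKE_DN = "CN=Mallory\\,OU=Staff,OU=External,O=Example University,C=BE"

LOOSE_PATTERN = r".*OU=Staff.*"                              # substring match, too permissive
STRICT_PATTERN = r".*,OU=Staff,O=Example University,C=BE"    # OU must be a complete RDN in place


def parse_dn(dn):
    """Split an RFC 2253 DN into (attribute, value) pairs.

    Backslash-escaped characters (e.g. "\\,") are kept literally inside the value
    instead of being treated as RDN separators.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def allowed_by_pattern(dn, pattern):
    """Regex filter in the style of subjectDnPattern; assumption: the whole DN must match."""
    return re.fullmatch(pattern, dn) is not None


def allowed_by_ou(dn, ou):
    """Exact attribute comparison on the parsed DN, unaffected by substring lookalikes."""
    return any(attr == "OU" and value == ou for attr, value in parse_dn(dn))


if __name__ == "__main__":
    for name in ("STAFF_DN", "CONTRACTOR_DN", "ESCAPED_DN", "LOOKALIKE_DN"):
        dn = globals()[name]
        print(name, allowed_by_pattern(dn, LOOSE_PATTERN),
              allowed_by_pattern(dn, STRICT_PATTERN), allowed_by_ou(dn, "Staff"))
```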
