Velpi, Since you have your complete list of users in your user repository you could use the Authentication Handlers unmodified (just limiting using the subject DN) and then use the custom CredentialsToPrincipalsResolver to turn the credentials into a Principal (and returning null if none can be found).
The default AuthenticationManager is designed to throw an UnsupportedCredentialsException if the Principal cannot be created, which effectively stops the login process.

-Scott

Velpi wrote:
> Hi,
>
> I am very happy to have successfully set up the x509 authentication for CAS (I'm using the Belgian e-id and that works great; Tomcat only setup).
> However I don't want all Belgian citizens to be able to login to our CAS (they all have a trusted certificate). And I don't want to list all our user DNs in the CAS configuration either ;). So I should check the certificate data against our user repository. I suppose it is best to write a new x509 authHandler that checks a certain part of the certificate against our user repository (LDAP). Any other ideas?
>
> The next step for us will be to translate certificate data into our current userId (which is not in the certificate, but in our user repository). That's certainly needed since it is impossible to change for example all email accounts (for webmail using CAS). That way we can also use both client certificates (smartcards) and usernamePassword interchangeably. In a later phase we would start limiting certain users to only use the certificate when using CAS login (that's a feature we'll want to see in our LDAP or RADIUS authHandler but I think we can configure that in our LDAP backend too). In the CAS logic it feels best to do this translation in a "credentialsToPrincipalResolvers" implementation.
>
> However it feels as if both operations could be done more efficiently in one pass. Any ideas about that?
>
> Thank you very much!
> [of course, if my code works I'd be happy to donate it to the CAS project so a lot of people can benefit from it]
>
> --Velpi
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
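The resolver Scott describes above, written out as an added example that is not code from this thread or from the CAS project: the unmodified X.509 handler validates the certificate chain, and a custom CredentialsToPrincipalResolver does the second step of mapping the certificate's subject DN to a local userId from the user repository, returning null when the DN is unknown so that the default AuthenticationManager rejects the login. The class and package names are assumed from the CAS 3.x API (CredentialsToPrincipalResolver, X509CertificateCredentials, SimplePrincipal); the UserRepository interface and the in-memory lookup are hypothetical stand-ins for the LDAP query.

```java
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

import org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentials;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;

/**
 * Hypothetical resolver (example only): turns an already chain-validated
 * client certificate into a Principal by looking up its subject DN in the
 * user repository. Returning null for an unknown DN is what makes the
 * default AuthenticationManager throw UnsupportedCredentialsException, so
 * a certificate that is merely trusted by the CA does not log anyone in.
 */
public class RepositoryX509CredentialsToPrincipalResolver
        implements CredentialsToPrincipalResolver {

    /** Assumed abstraction over the user repository (LDAP in the thread). */
    public interface UserRepository {
        /** @return the local userId stored for this subject DN, or null if unknown. */
        String findUserIdBySubjectDn(String subjectDn);
    }

    /** Constructed sample repository so the class can be exercised without LDAP. */
    public static class InMemoryUserRepository implements UserRepository {
        private final Map<String, String> dnToUserId = new HashMap<String, String>();

        public InMemoryUserRepository register(String subjectDn, String userId) {
            dnToUserId.put(normalize(subjectDn), userId);
            return this;
        }

        public String findUserIdBySubjectDn(String subjectDn) {
            return dnToUserId.get(normalize(subjectDn));
        }
    }

    private final UserRepository repository;

    public RepositoryX509CredentialsToPrincipalResolver(UserRepository repository) {
        this.repository = repository;
    }

    /** Only X.509 credentials are handled here; other resolvers keep serving the rest. */
    public boolean supports(Credentials credentials) {
        return credentials instanceof X509CertificateCredentials;
    }

    public Principal resolvePrincipal(Credentials credentials) {
        X509Certificate cert = ((X509CertificateCredentials) credentials).getCertificate();
        if (cert == null) {
            return null;
        }
        // RFC 2253 string form of the subject, e.g. "CN=...,SERIALNUMBER=...,C=BE"
        String subjectDn = cert.getSubjectX500Principal().getName();
        String userId = repository.findUserIdBySubjectDn(subjectDn);
        // null => AuthenticationManager aborts the login for this certificate
        return userId == null ? null : new SimplePrincipal(userId);
    }

    /** DN strings from LDAP and from the certificate rarely agree byte-for-byte. */
    static String normalize(String dn) {
        return dn.replaceAll("\\s*,\\s*", ",").trim().toLowerCase();
    }
}
```

The resolver is wired into the CAS Spring context in place of the default one for X.509 credentials; the authentication handler stays as shipped, so chain validation and the DN-based restriction the handler already offers are unchanged. The normalize() step matters in practice: comparing raw DN strings between the certificate and the directory is brittle, and matching on a single stable attribute extracted from the subject (the "certain part of the certificate" Velpi mentions) is usually more robust than matching the whole DN.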
