Scott Battaglia wrote:
> Since you're using IBM's JVM, this may help:
> http://www.ibm.com/developerworks/forums/dw_thread.jsp?message=13885924&cat=51&thread=141188&treeDisplayType=threadmode1&forum=541#13885924
Sorry for my "RTFM-like" question. :-) I was pretty sure my searches were careful...

I succeeded in authenticating users with X.509 certificates, using org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver to get the principal ID from the certificate information. I use Apache + mod_proxy_ajp to redirect requests to the Tomcat AJP connector on port 8009. If I present a certificate from another CA, I am correctly redirected to the standard username-password login.

Now I'd like to solve three problems:

1) I am using v3.0.6 and I'd like to verify that the ID is present in my LDAP server, but I do not understand how to include CredentialsToLDAPAttributePrincipalResolver.zip from http://www.ja-sig.org/issues/browse/CAS-373 in my server.

2) With X509CertificateCredentialsToIdentifierPrincipalResolver my application gets "$OU $CN" as the principal ID; i.e. using the esup-phpcas library I get "Centro di Calcolo Elettronico [EMAIL PROTECTED]" after a correct X.509 authentication. I modified ./adaptors/x509/src/main/java/org/jasig/cas/adaptors/x509/authentication/principal/X509CertificateCredentialsToIdentifierPrincipalResolver.java to get only the mail ($CN). Is there any other way, configuring the bean in ../webapp/WEB-INF/deployerConfigContext.xml, to get the same result? Is it correct to use:

<bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
  <property name="identifier" value="$CN" />
</bean>

I tried it and it works, but I was not able to find a page describing how to use and configure the different resolvers.

3) Is there a way to modify the configuration files to make the authentication a double login, i.e. the user must provide a valid X.509 certificate and use the correct username-password set, where the username is the same CN from the certificate?

Best regards,
Marco Panella

--
Ing. Marco Panella - data processing technician
Settore Innovazione Tecnologie Informatiche (IT Innovation Department), Universita' di Parma
Via G.P. Usberti, 17/A, I-43100, Parma, Italy
Phone: +39 - 0521 - 90 - 5470
Fax: +39 - 0521 - 90 - 5469

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
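To illustrate what the identifier template in question 2 does, here is an added stand-alone example (not CAS's own resolver code): it parses a constructed RFC 2253 subject DN and substitutes $OU / $CN style placeholders the way the default "$OU $CN" and the proposed "$CN" settings would, and fails closed when the certificate lacks a referenced attribute. The sample DN, the attribute names and the function names are assumptions for illustration.

```python
import re

# Constructed sample subject DN in the RFC 2253 form that Java's
# X500Principal.getName() returns (leftmost RDN first).
SAMPLE_SUBJECT_DN = ("CN=m.panella@example.invalid,"
                     "OU=Centro di Calcolo Elettronico,"
                     "O=Example University,C=IT")


def parse_dn(dn):
    """Split an RFC 2253 DN into (TYPE, value) pairs, honouring backslash escapes."""
    rdns, buf, key, i = [], [], None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and key is None:           # end of attribute type
            key = "".join(buf).strip().upper()
            buf = []
        elif ch in ",;" and key is not None:    # end of this RDN
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if key is not None:                          # last RDN has no trailing separator
        rdns.append((key, "".join(buf).strip()))
    return rdns


def resolve_principal(dn, identifier="$OU $CN"):
    """Replace each $TYPE placeholder in `identifier` with the first matching DN value.

    Raises ValueError if the certificate subject has no such attribute, so a
    certificate without e.g. a CN cannot silently resolve to an empty principal.
    """
    attrs = {}
    for k, v in parse_dn(dn):
        attrs.setdefault(k, v)                   # first occurrence wins

    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            raise ValueError("subject DN has no attribute %s" % name)
        return attrs[name]

    return re.sub(r"\$([A-Za-z]+)", substitute, identifier)
```

With the default template the sample DN resolves to "Centro di Calcolo Elettronico m.panella@example.invalid"; with "$CN" it resolves to just the mail-style CN.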
