It's certainly possible, but non-trivial.  We have code to handle the
retrieval of the certificate and create a Credentials object for it that you
can later interrogate for information. We generally assume, however, that
you're only asking for the certificate.

So you'd have to retrieve the certificate, store it in session/flow, and
then ask for username/password.  You'll send the combination of
username/password/certificate as one Credential and then have a custom
authentication handler which can check both of them.

Then it's up to you to figure out what to do if the usernames don't match
:-)

-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
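The combined credential and custom handler described above, as an added example (not code from Scott's reply or from the CAS project). It is written against the CAS 3.x handler API (org.jasig.cas.authentication.handler.AuthenticationHandler with supports()/authenticate(), and org.jasig.cas.authentication.principal.Credentials) as I remember it; the UserCertificateRepository interface is a hypothetical stand-in for the LDAP lookup of the user's stored certificate. The certificate itself is assumed to have been captured earlier in the login flow from the servlet attribute javax.servlet.request.X509Certificate and carried in flow scope until the username/password form is submitted.

```java
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.AuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

/**
 * One Credentials object carrying the certificate captured earlier in the
 * flow plus the username/password from the form. Deliberately does NOT
 * extend UsernamePasswordCredentials: a plain password handler registered
 * elsewhere in the chain would otherwise accept it via supports() and let
 * a login succeed without the certificate ever being checked.
 */
class CertificateAndPasswordCredentials implements Credentials {
    private static final long serialVersionUID = 1L;
    private final String username;
    private final String password;
    private final X509Certificate certificate;   // from javax.servlet.request.X509Certificate[0]

    CertificateAndPasswordCredentials(String username, String password, X509Certificate certificate) {
        this.username = username;
        this.password = password;
        this.certificate = certificate;
    }
    String getUsername() { return username; }
    String getPassword() { return password; }
    X509Certificate getCertificate() { return certificate; }
}

/** Hypothetical lookup of the certificate held for a user (e.g. LDAP userCertificate;binary). */
interface UserCertificateRepository {
    /** Returns the stored certificate for the user, or null if none is held. */
    X509Certificate findCertificate(String username);
}

/**
 * Handler that requires BOTH checks to pass: the existing password handler
 * (e.g. the LDAP bind handler) must accept username/password, and the
 * presented certificate must be byte-for-byte the one stored for that user.
 * Comparing DER encodings binds the certificate to the account directly,
 * which is stronger than only matching the e-mail address in the certificate.
 */
class CertificateAndPasswordAuthenticationHandler implements AuthenticationHandler {
    private final AuthenticationHandler passwordHandler;
    private final UserCertificateRepository repository;

    CertificateAndPasswordAuthenticationHandler(AuthenticationHandler passwordHandler,
                                                UserCertificateRepository repository) {
        this.passwordHandler = passwordHandler;
        this.repository = repository;
    }

    public boolean supports(Credentials credentials) {
        return credentials instanceof CertificateAndPasswordCredentials;
    }

    public boolean authenticate(Credentials credentials) throws AuthenticationException {
        CertificateAndPasswordCredentials cred = (CertificateAndPasswordCredentials) credentials;
        X509Certificate presented = cred.getCertificate();
        if (presented == null || cred.getUsername() == null) {
            return false;                       // no certificate captured: refuse, do not fall back
        }
        try {
            presented.checkValidity();          // expired / not-yet-valid certificates are rejected
        } catch (CertificateException e) {
            return false;
        }

        // Delegate the password check to the handler already configured for LDAP.
        UsernamePasswordCredentials upc = new UsernamePasswordCredentials();
        upc.setUsername(cred.getUsername());
        upc.setPassword(cred.getPassword());
        if (!passwordHandler.authenticate(upc)) {
            return false;
        }

        // Then require the presented certificate to equal the one stored for this username.
        X509Certificate stored = repository.findCertificate(cred.getUsername());
        if (stored == null) {
            return false;
        }
        try {
            return Arrays.equals(stored.getEncoded(), presented.getEncoded());
        } catch (CertificateEncodingException e) {
            return false;
        }
    }
}
```

Two caveats worth checking before relying on this: the servlet container must be configured to request (and chain-validate) the client certificate on the login URL, since the handler trusts that javax.servlet.request.X509Certificate was populated by TLS and does no chain checking of its own; and the plain password handler should not remain registered on its own in the CAS handler list, otherwise a request that reaches it with ordinary UsernamePasswordCredentials bypasses the certificate requirement entirely.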


On Tue, Sep 23, 2008 at 12:53 PM, Matthew Jones <
[EMAIL PROTECTED]> wrote:

> Having got CAS to work with OpenLDAP as the authentication mechanism I now
> have an additional requirement to use certificates as well - not instead of.
> The current (non-CAS) system authenticates with a username & password and
> then gets the browser to forward the E-mail address associated with the
> certificate and then compares that with the public certificate for the user
> which is also held in LDAP. Ideally, we would like a CAS system that
> requires both the certificate and the username & password to be validated
> altogether. Now, I know that the username is, in reality, redundant and that
> is a rather strange authorisation scenario but it's what I have to live
> with.
>
> I know that CAS supports certificate based authentication but I haven't
> investigated this feature. My basic question is how easy / difficult would
> it be to configure a CAS system that used both certificate and
> username/password based authentication? Has anyone tried anything remotely
> similar to this? If someone could give me even a rough idea by
> tomorrow that would be great as that's when I need to answer some management
> questions! There's now talk of moving to an ActiveDirectory back-end instead
> of LDAP but I have assumed that that won't be a major issue. I'll be reading
> some of the certificate stuff but certainly won't have enough time to get
> one going before I am questioned.
>
> Thanks
>
> P.S. I am aiming to propose the use of CAS if at all possible.
>
> --
> Matthew Jones
> Interactive Data Managed Solutions Ltd
>
> -----------------------------------------------------------------------------------
> Registered in England Company Number 3691868
> Registered Office: Suite 1101 Eagle Tower | Montpellier Drive | Cheltenham
> | Gloucestershire | GL50 1TA
> Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
> [EMAIL PROTECTED]
> http://www.interactivedata-ms.com/694133
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>