Thanks Scott.
It's certainly possible, but non-trivial. We have code to handle the retrieval of the certificate and create a Credentials object for it that you can later interrogate for information. We generally assume, however, that you're only asking for the certificate.
If that provides access to the contained E-mail address and/or principal name then that should do. If I change the connector such that clientAuth="true" so that a client certificate is required how do I get the interactive logon to appear too? The documented Webflow implies that if the client does supply a valid certificate then it is not re-directed to the interactive form.
So you'd have to retrieve the certificate, store it in session/flow, and then ask for username/password. You'll send the combination of username/password/certificate as one Credential and then have a custom authentication handler which can check both of them. Then it's up to you to figure out what to do if the usernames don't match :-)
That's easy, it's just a logon failure. Currently, I only have to do a yes or no and not the report of bad attempts or security alerts. The non-trivial above may put off the people here so I'm trying to find the simplest approach I can that just does what it has to.
What I'm thinking about is whether it would be possible to require a client certificate to be presented in the SSL handshake and then still re-direct to the logon form for username & password. Then, as part of some custom LDAP/AD handler, do the directory bind for authentication and then compare the client certificate's E-mail address / principal name? The directory currently contains the user's public certificate, so the certificate could be compared in total if that were easier.
Thanks
--
Matthew Jones
Interactive Data Managed Solutions Ltd
-----------------------------------------------------------------------
Registered in England Company Number 3691868
Registered Office: Fitzroy House, 13-17 Epworth Street, London, EC2A 4DL
Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
[EMAIL PROTECTED]
http://www.interactivedata-ms.com/694133
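The combined check discussed in this thread (directory bind on the username/password, then a comparison of the client certificate's e-mail address against the bound user), written out as an added Java example. This is not CAS project code and not code from either poster; the `CertificateAndPasswordCredentials` class, the `DirectoryBinder` interface standing in for the LDAP/AD simple bind, and the handler class name are all assumptions made for illustration. The only real APIs used are the JDK's `X509Certificate.getSubjectAlternativeNames()` (which returns rfc822Name entries with GeneralName tag 1) and the servlet attribute `javax.servlet.request.X509Certificate`, through which the container hands over a certificate it has already verified during the handshake. Wiring this into CAS's own `AuthenticationHandler` interface is left to the CAS API of whichever version is in use.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Optional;

/**
 * One credential carrying both what the SSL layer supplied (client certificate)
 * and what the login form collected (username/password), as suggested in the thread.
 * Hypothetical class: not part of CAS.
 */
public final class CertificateAndPasswordCredentials {
    private final X509Certificate clientCertificate;
    private final String username;
    private final char[] password;

    public CertificateAndPasswordCredentials(X509Certificate cert, String username, char[] password) {
        this.clientCertificate = cert;
        this.username = username;
        this.password = password;
    }

    public X509Certificate getClientCertificate() { return clientCertificate; }
    public String getUsername() { return username; }
    public char[] getPassword() { return password; }

    /** Scrub the password once the handler is done with it. */
    public void clearPassword() { Arrays.fill(password, '\0'); }

    /**
     * Only trust a certificate the container itself verified in the handshake.
     * With clientAuth="true" the servlet container exposes the verified chain under
     * the standard request attribute "javax.servlet.request.X509Certificate";
     * chain[0] is the end-entity certificate. Hypothetical helper.
     */
    public static Optional<X509Certificate> fromRequestAttribute(Object attributeValue) {
        if (attributeValue instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attributeValue;
            if (chain.length > 0) return Optional.of(chain[0]);
        }
        return Optional.empty();
    }

    /**
     * Stand-in for the directory bind. A real implementation performs an LDAP/AD simple
     * bind as the user and, on success, returns the bound entry's mail attribute so the
     * certificate can be compared against the directory rather than the typed username.
     * Hypothetical interface.
     */
    public interface DirectoryBinder {
        Optional<String> bindAndGetMail(String username, char[] password);
    }

    /** Hypothetical handler implementing the two-step check from the thread. */
    public static final class CertificateBoundPasswordHandler {
        private static final int SAN_RFC822_NAME = 1; // GeneralName tag for rfc822Name
        private final DirectoryBinder binder;

        public CertificateBoundPasswordHandler(DirectoryBinder binder) { this.binder = binder; }

        /** Returns true only if the bind succeeds AND the certificate belongs to that user. */
        public boolean authenticate(CertificateAndPasswordCredentials c) {
            try {
                // Step 1: the password must bind against the directory.
                Optional<String> directoryMail = binder.bindAndGetMail(c.getUsername(), c.getPassword());
                if (!directoryMail.isPresent()) return false;

                // Step 2: the certificate's e-mail must match the directory entry that bound.
                // A mismatch is simply a logon failure, as the thread concludes.
                Optional<String> certMail = rfc822NameFrom(c.getClientCertificate());
                return certMail.isPresent() && certMail.get().equalsIgnoreCase(directoryMail.get());
            } finally {
                c.clearPassword();
            }
        }

        /** Extract the first rfc822Name (e-mail) from the certificate's subjectAltName extension. */
        static Optional<String> rfc822NameFrom(X509Certificate cert) {
            try {
                Collection<List<?>> sans = cert.getSubjectAlternativeNames();
                if (sans == null) return Optional.empty();
                for (List<?> san : sans) {
                    if (Integer.valueOf(SAN_RFC822_NAME).equals(san.get(0))) {
                        return Optional.of(String.valueOf(san.get(1)));
                    }
                }
                return Optional.empty();
            } catch (CertificateParsingException e) {
                return Optional.empty(); // unparsable extension: treat as "no e-mail present"
            }
        }
    }
}
```

Two points a practitioner would check when adapting this: the handler never parses or validates the certificate chain itself, because that was already done by the container when `clientAuth="true"` forced the handshake to succeed, so it only binds the already-verified identity to the password-authenticated one; and a Windows-style principal name (UPN) lives in a SAN `otherName` entry that the JDK returns as raw DER, so matching on UPN rather than e-mail needs an ASN.1 decoder, which is not shown here. Comparing the whole certificate against the copy held in the directory, as the thread also suggests, would replace the SAN comparison with `Arrays.equals(cert.getEncoded(), directoryCertBytes)`.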
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
