On Wed, Sep 24, 2008 at 5:45 AM, Matthew Jones <[EMAIL PROTECTED]> wrote:
> Thanks Scott.
>
>> It's certainly possible, but non-trivial. We have code to handle the
>> retrieval of the certificate and create a Credentials object for it that
>> you can later interrogate for information. We generally assume, however,
>> that you're only asking for the certificate.
>
> If that provides access to the contained E-mail address and/or principal
> name then that should do. If I change the connector such that
> clientAuth="true" so that a client certificate is required, how do I get the
> interactive logon to appear too? The documented Webflow implies that if the
> client does supply a valid certificate then it is not re-directed to the
> interactive form.

The documentation merely details the flow process. If you want it to go
somewhere (i.e. to an action that captures the certificate and dumps it in the
session, or to the form), just change where the flow sends you after it
succeeds/fails on the X.509 stuff. In theory, that should work ;-)

-Scott

>> So you'd have to retrieve the certificate, store it in session/flow, and
>> then ask for username/password. You'll send the combination of
>> username/password/certificate as one Credential and then have a custom
>> authentication handler which can check both of them.
>>
>> Then it's up to you to figure out what to do if the usernames don't match
>> :-)
>
> That's easy, it's just a logon failure. Currently, I only have to do a yes or
> no and not the report of bad attempts or security alerts. The non-trivial
> above may put off the people here, so I'm trying to find the simplest
> approach I can that just does what it has to.
>
> What I'm thinking above is: would it be possible to require a client
> certificate to be presented in the SSL handshake and then still re-direct to
> the logon form for username & password? Then, as part of some custom LDAP/AD
> handler, do the directory bind for authentication and then compare the
> client certificate's E-mail address / principal name? The directory
> currently contains the user's public certificate, so the certificate could be
> compared in total if that were easier.
>
> Thanks
>
> --
> Matthew Jones
> Interactive Data Managed Solutions Ltd
> -----------------------------------------------------------------------
> Registered in England Company Number 3691868
> Registered Office: Fitzroy House, 13-17 Epworth Street, London, EC2A 4DL
>
> Tel: +44 (0)1242 694133 | Fax: +44 (0)1242 694109
> [EMAIL PROTECTED]
> http://www.interactivedata-ms.com/694133
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
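The combined-credential-plus-custom-handler approach Scott outlines, as an added example that is not from the thread or from the CAS project: it assumes the CAS 3.x handler and credential interfaces (org.jasig.cas.authentication.*), a hypothetical DirectoryLookup that returns the mail attribute the directory stores for a username, and that a flow action has already stored the handshake certificate on the credential before the form is shown.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.handler.AuthenticationHandler;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;

/** Accepts a login only if the directory bind succeeds AND the TLS client certificate belongs to that user. */
public class CertMatchingAuthenticationHandler implements AuthenticationHandler {
    /** One Credentials object carrying the form login plus the certificate a flow action saved from the handshake. */
    public static class CertAndPasswordCredentials extends UsernamePasswordCredentials {
        private X509Certificate clientCertificate;
        public X509Certificate getClientCertificate() { return clientCertificate; }
        public void setClientCertificate(X509Certificate cert) { this.clientCertificate = cert; }
    }
    /** Hypothetical lookup of the mail attribute the directory stores for a username (null if unknown). */
    public interface DirectoryLookup { String mailFor(String username); }

    private static final int RFC822_NAME = 1; // GeneralName tag of an e-mail SAN in getSubjectAlternativeNames()
    private final AuthenticationHandler passwordHandler; // the existing LDAP/AD bind handler, assumed configured elsewhere
    private final DirectoryLookup directory;

    public CertMatchingAuthenticationHandler(AuthenticationHandler passwordHandler, DirectoryLookup directory) {
        this.passwordHandler = passwordHandler; this.directory = directory;
    }

    public boolean supports(Credentials c) { return c instanceof CertAndPasswordCredentials; }

    public boolean authenticate(Credentials credentials) throws AuthenticationException {
        CertAndPasswordCredentials creds = (CertAndPasswordCredentials) credentials;
        // Step 1: bind with username/password; a failure here is an ordinary logon failure.
        if (!passwordHandler.authenticate(creds)) return false;
        // Step 2: an rfc822Name SAN of the handshake certificate must equal that user's directory mail.
        X509Certificate cert = creds.getClientCertificate();
        String expected = directory.mailFor(creds.getUsername());
        if (cert == null || expected == null) return false;
        return sanEmails(cert).contains(expected.toLowerCase(Locale.ROOT));
    }

    /** Lower-cased rfc822Name entries of subjectAltName; empty when absent or unparseable (UPN otherNames are not decoded). */
    static Set<String> sanEmails(X509Certificate cert) {
        Set<String> emails = new HashSet<String>();
        try {
            Collection<List<?>> names = cert.getSubjectAlternativeNames();
            if (names == null) return emails;
            for (List<?> name : names) {
                if (Integer.valueOf(RFC822_NAME).equals(name.get(0))) emails.add(((String) name.get(1)).toLowerCase(Locale.ROOT));
            }
        } catch (CertificateParsingException e) { /* a malformed extension counts as no e-mail present */ }
        return emails;
    }
}
```

The password check is delegated to the existing bind handler, which accepts the subclass because it is still a UsernamePasswordCredentials; only the rfc822Name SAN is compared, since a UPN otherName would need DER decoding of its value.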
