This is awkward .. but with these two properties it works..
<property name="maxPathLength" value="3" />
<property name="maxPathLengthAllowUnspecified" value="true" />
Francisco Estanqueiro wrote:
Oh okay.. they are both sending the same certificate but Firefox
doesn't have the root. Well, I'll put two x509 authenticators to fix this
then..
But, the problem in IE persists since the pattern match is true and the
authentication fails..
<bean class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
  <property name="trustedIssuerDnPattern" value="CN=GTE CyberTrust Global Root.+"/>
  <property name="maxPathLengthAllowUnspecified" value="true" />
</bean>
log:
2010-03-01 23:54:17,315 DEBUG
[org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler]
- <--examining cert[120005025] CN=ECRaizEstado, O=SCEE, C=PT" from
issuer "CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US">
2010-03-01 23:54:17,315 DEBUG
[org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler]
- <certificate is valid>
2010-03-01 23:54:17,315 DEBUG
[org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler]
- <Pattern Match: true [CN=GTE CyberTrust Global Root, OU="GTE
CyberTrust Solutions, Inc.", O=GTE Corporation, C=US] against [CN=GTE
CyberTrust Global Root.+].>
2010-03-01 23:54:17,315 DEBUG
[org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler]
- <certificate was issued by trusted issuer>
2010-03-01 23:54:17,315 DEBUG
[org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler]
- <this is a CA certificate>
2010-03-01 23:54:17,315 WARN
[org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler]
- <authentication failed; cert pathLength [3] is more than allowed by
config [1]>
2010-03-01 23:54:17,316 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler
failed to authenticate the user which provided the following
credentials:
org.jasig.cas.adaptors.x509.authentication.principal.x509certificatecredenti...@b38dba>
Marvin Addison wrote:
If the log excerpts you have provided are complete, the certificate
chain presented to the server in both cases is different.
2010-03-01 19:56:39,120 DEBUG
[org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler]
- <--examining cert[120005025] CN=ECRaizEstado, O=SCEE, C=PT" from
issuer "CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US">
2010-03-01 19:56:39,121 DEBUG
The above certificate, which appears to be the one that's causing
problems, is only presented to the server by IE, which explains why
authentication succeeds in Firefox. The certificate above appears to
be at the root of your trust chain, and I'd imagine it's missing in
Firefox. You could confirm that by exporting the cert to a PKCS12
file and examining its contents with openssl:
openssl pkcs12 -in exported-file.p12 -info
M
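
Added example (not part of the thread and not CAS source code): a small Java model of the path-length decision that the log messages above describe, built on the documented return values of `X509Certificate.getBasicConstraints()`. The class, enum and method names are hypothetical, and the limit of 1 used when `maxPathLength` is not set is an assumption taken from the "allowed by config [1]" log line.

```java
import java.security.cert.X509Certificate;

// Hypothetical model of the check behind "cert pathLength [3] is more than
// allowed by config [1]"; it is not the CAS implementation.
public class PathLengthCheck {

    enum Result { NOT_A_CA, ACCEPTED, REJECTED_TOO_LONG, REJECTED_UNSPECIFIED }

    // basicConstraints is the value of X509Certificate.getBasicConstraints():
    //   -1                 the certificate is not a CA certificate
    //   Integer.MAX_VALUE  CA certificate without a pathLenConstraint
    //   anything else      the pathLenConstraint itself
    static Result check(int basicConstraints, int maxPathLength, boolean allowUnspecified) {
        if (basicConstraints < 0) {
            return Result.NOT_A_CA;               // path length does not apply
        }
        if (basicConstraints == Integer.MAX_VALUE) {
            return allowUnspecified ? Result.ACCEPTED : Result.REJECTED_UNSPECIFIED;
        }
        return basicConstraints > maxPathLength ? Result.REJECTED_TOO_LONG : Result.ACCEPTED;
    }

    // Same decision for a certificate taken from the presented chain.
    static Result check(X509Certificate cert, int maxPathLength, boolean allowUnspecified) {
        return check(cert.getBasicConstraints(), maxPathLength, allowUnspecified);
    }

    public static void main(String[] args) {
        int fromLog = 3;   // pathLength reported in the WARN line for CN=ECRaizEstado

        // Handler from the thread: only maxPathLengthAllowUnspecified=true,
        // so the limit stays at the assumed value of 1.
        System.out.println("limit 1, allowUnspecified=true: " + check(fromLog, 1, true));

        // Configuration from the top of the thread: maxPathLength=3.
        System.out.println("limit 3, allowUnspecified=true: " + check(fromLog, 3, true));

        // Constructed cases: CA certificate without a pathLenConstraint.
        System.out.println("no constraint, allowUnspecified=true:  "
                + check(Integer.MAX_VALUE, 3, true));
        System.out.println("no constraint, allowUnspecified=false: "
                + check(Integer.MAX_VALUE, 3, false));

        // Constructed case: end-entity certificate.
        System.out.println("end-entity certificate: " + check(-1, 1, false));
    }
}
```

In this model `maxPathLengthAllowUnspecified` only matters for a CA certificate that carries no pathLenConstraint, which is why setting it alone does not change the outcome for a certificate whose pathLength is 3.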