> 3. CAS calls our webservices, supplying the DN.

Do you just send the certificate, or actually perform client SSL to authenticate to the service? This is a vitally important distinction since CAS will _never_ have the private key needed to negotiate the handshake with a Web service that does client auth.

> 1. write a class that implements IPersonAttributeDao and that calls
> our web services.

Sounds right provided you don't need to do client auth with the Web service.

> 2. set the X509CertificateCredentialsToDistinguishedNamePrincipalResolver
> bean to use our class that implements IPersonAttributeDao.
> 3. use the X509CertificateCredentialsToDistinguishedNamePrincipalResolver
> to extract the DN from the user cert.

Sounds right. The only word of caution is that if you're using the string representation of the DN as a key to perform a query for attributes, you should ensure that the resolver above produces the DN in the form you expect. It's not that Java isn't compliant with the spec, but it's more like there are some fuzzy edge cases not described well in RFC 2253 where common toolsets like Java and OpenSSL disagree. I don't want to raise a false alarm here; you'll probably be fine. But if you do run into trouble with string formatting of DNs, X509CertificateCredentialsToSubjectPrinciplalResolver provides a way to have precise control over the resulting string format.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
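As an added example (not code from the post above or from the CAS project, and written in Python rather than Java so it runs without a CAS deployment): a small RFC 2253 DN parser and canonicalizer that folds the renderings Java and OpenSSL produce for one certificate subject into a single lookup key, which is the kind of normalization you would want between the resolver's DN string and the key your IPersonAttributeDao queries with. The three sample DN strings are constructed; they mirror the forms X500Principal.getName(RFC2253) (which emits attribute types that have no RFC 2253 keyword, such as emailAddress, as a dotted OID with a '#hex' DER value), "openssl x509 -subject -nameopt RFC2253", and the legacy OpenSSL one-line subject format give for the same subject. All function and constant names are mine.

```python
"""Canonicalize X.500 DN strings from Java and OpenSSL into one lookup key.
Added example; the sample strings are constructed renderings of one subject."""

# Types RFC 2253 names no keyword for: Java emits the dotted OID with a
# '#hex' DER value, OpenSSL prints its own keyword with the plain string.
OID_TO_KEYWORD = {"1.2.840.113549.1.9.1": "emailaddress", "2.5.4.5": "serialnumber"}
# Different spellings of the same type, folded to one name.
ALIASES = {"s": "st", "e": "emailaddress", "email": "emailaddress"}
# DER tag -> codec for the string types decoded from '#hex' values.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}

# Constructed: one subject as X500Principal.getName(RFC2253), 'openssl x509
# -subject -nameopt RFC2253' and the legacy OpenSSL one-line form render it.
JAVA_RFC2253 = ("CN=Jane Doe,1.2.840.113549.1.9.1=#16106a616e65406578616d706c652e6f7267,"
                "O=Example\\, Inc.,C=US")
OPENSSL_RFC2253 = "CN=Jane Doe,emailAddress=jane@example.org,O=Example\\, Inc.,C=US"
OPENSSL_LEGACY = "/C=US/O=Example, Inc./emailAddress=jane@example.org/CN=Jane Doe"


def _split_unescaped(text, seps):
    """Split on any char in seps that is not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair for _unescape
            i += 2
            continue
        if ch in seps:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Resolve RFC 2253 escapes: backslash-special and backslash-HH hex pairs."""
    value = value.strip()
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
            out += bytes.fromhex(pair)  # \2C -> ','
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def _decode_hex_value(hexstr):
    """Decode a '#hex' BER string value (short-form length, single string type only)."""
    der = bytes.fromhex(hexstr)
    if len(der) < 2 or der[0] not in STRING_TAGS or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("unsupported DER value: #" + hexstr)
    return der[2:].decode(STRING_TAGS[der[0]])


def _normalize_type(attr_type):
    """Lowercase, strip an RFC 1779 'OID.' prefix, map OIDs and aliases to one keyword."""
    t = attr_type.strip().lower()
    t = t[4:] if t.startswith("oid.") else t
    t = OID_TO_KEYWORD.get(t, t)
    return ALIASES.get(t, t)


def parse_dn(dn):
    """Parse an RFC 2253 string or legacy OpenSSL '/C=US/O=...' string into RDNs,
    most specific first; each RDN is a sorted tuple of (type, value) pairs."""
    dn = dn.strip()
    if dn.startswith("/"):
        # Legacy form: DER order, values unescaped, multi-valued grouping lost.
        ava_lists = [[p] for p in dn.split("/") if p][::-1]
    else:
        ava_lists = [_split_unescaped(r, "+") for r in _split_unescaped(dn, ",;")]
    rdns = []
    for avas in ava_lists:
        pairs = []
        for ava in avas:
            attr_type, _, raw = ava.partition("=")
            raw = raw.strip()
            value = _decode_hex_value(raw[1:]) if raw.startswith("#") else _unescape(raw)
            pairs.append((_normalize_type(attr_type), value))
        rdns.append(tuple(sorted(pairs)))
    return rdns


def canonical_dn(dn):
    """Stable lookup key: normalized types, unescaped values, specials re-escaped."""
    def esc(v):
        return "".join("\\" + c if c in ',+="\\<>;#' else c for c in v)
    return ",".join("+".join(f"{t}={esc(v)}" for t, v in rdn) for rdn in parse_dn(dn))


if __name__ == "__main__":
    for d in (JAVA_RFC2253, OPENSSL_RFC2253, OPENSSL_LEGACY):
        print(f"{d}\n  -> {canonical_dn(d)}")
    print("raw strings agree:", len({JAVA_RFC2253, OPENSSL_RFC2253, OPENSSL_LEGACY}) == 1)
```

The three raw strings are all different, which is exactly the failure mode the caution above describes when the raw DN is used as a query key; after canonical_dn they collapse to one key. The '#hex' branch and the slash-separated legacy form are the two places the tools actually diverge; attribute-value case is deliberately left alone, since whether your directory compares values case-insensitively is a property of its matching rules, not of the DN syntax.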
