With respect to your first question, our plan is to give the CAS server its own server certificate which it would use for the SSL transaction with the web services. I don't think that'll be an issue. Thanks for the input!
Mike

On Sat, Mar 26, 2011 at 8:40 AM, Marvin Addison <[email protected]> wrote:
>> 3. CAS calls our webservices, supplying the DN.
>
> Do you just send the certificate, or actually perform client SSL to
> authenticate to the service? This is a vitally important distinction
> since CAS will _never_ have the private key needed to negotiate the
> handshake with a Web service that does client auth.
>
>> 1. write a class that implements IPersonAttributeDao and that calls
>> our web services.
>
> Sounds right provided you don't need to do client auth with the Web service.
>
>> 2. set the X509CertificateCredentialsToDistinguishedNamePrincipalResolver
>> bean to use our class that implements IPersonAttributeDao.
>> 3. use the X509CertificateCredentialsToDistinguishedNamePrincipalResolver
>> to extract the DN from the user cert.
>
> Sounds right. The only word of caution is that if you're using the
> string representation of the DN as a key to perform a query for
> attributes, you should ensure that the resolver above produces the DN
> in the form you expect. It's not that Java isn't compliant with the
> spec, but it's more like there are some fuzzy edge cases not described
> well in rfc2253 where common toolsets like Java and OpenSSL disagree.
> I don't want to raise a false alarm here; you'll probably be fine.
> But if you do run into trouble with string formatting of DNs,
> X509CertificateCredentialsToSubjectPrincipalResolver provides a way
> to have precise control over the resulting string format.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
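The DN-formatting caveat Marvin raises is easy to reproduce with nothing but the JDK. The following is an added example written for this page, not code from CAS or from either poster. It takes a subject `X500Principal` (in CAS this would be `cert.getSubjectX500Principal()`; here a constructed sample DN stands in for the certificate) and prints the three string forms Java can produce, then shows a pinned form suitable for use as a lookup key and a structural comparison that does not depend on spacing or case. The OID-to-keyword table and the sample DN are assumptions made for the example; the OpenSSL one-line string is typed in by hand to illustrate the ordering difference and is not produced by the code.

```java
import javax.security.auth.x500.X500Principal;
import java.util.Collections;
import java.util.Map;

/**
 * Added example: why the string form of a subject DN is a shaky lookup key,
 * and how to pin it down before querying an attribute source with it.
 */
public class DnFormatCheck {

    // PKCS#9 emailAddress. It is not one of the RFC 2253 keywords (CN, L, ST, O,
    // OU, C, STREET, DC, UID), so Java's RFC2253 output renders it as a dotted
    // OID with a #hex-encoded value, whereas OpenSSL prints "emailAddress=...".
    // This mapping table is an assumption for the example; extend it with any
    // other non-RFC 2253 attribute types your CA places in subject names.
    private static final Map<String, String> OID_KEYWORDS =
            Collections.singletonMap("1.2.840.113549.1.9.1", "emailAddress");

    /**
     * Pinned form to use as the query key: RFC 2253 ordering and escaping, with
     * the OIDs we know about emitted as keywords instead of dotted-decimal/hex.
     */
    static String lookupKey(X500Principal subject) {
        return subject.getName(X500Principal.RFC2253, OID_KEYWORDS);
    }

    /**
     * Parse both strings and compare the CANONICAL forms. CANONICAL lowercases
     * keywords, folds case in string values and normalizes whitespace, so two
     * tools' renderings of the same name compare equal even when the text does not.
     */
    static boolean sameDn(String a, String b) {
        String ca = new X500Principal(a).getName(X500Principal.CANONICAL);
        String cb = new X500Principal(b).getName(X500Principal.CANONICAL);
        return ca.equals(cb);
    }

    public static void main(String[] args) {
        // Constructed sample subject; in CAS this comes from
        // cert.getSubjectX500Principal(). It deliberately includes the awkward
        // cases: an emailAddress attribute, an escaped comma inside a value, and
        // a multi-valued RDN (OU=...+OU=...).
        X500Principal subject = new X500Principal(
                "EMAILADDRESS=msmith@example.edu, CN=Smith\\, Mike, "
                + "OU=People+OU=Staff, O=Example University, C=US");

        System.out.println("RFC2253  : " + subject.getName(X500Principal.RFC2253));
        System.out.println("RFC1779  : " + subject.getName(X500Principal.RFC1779));
        System.out.println("CANONICAL: " + subject.getName(X500Principal.CANONICAL));
        System.out.println("lookupKey: " + lookupKey(subject));

        // What "openssl x509 -noout -subject" prints by default (typed in by hand
        // here, not generated): forward order, '/' separators, no comma escaping.
        // None of the Java forms above will ever string-match this.
        String opensslOneLine = "/C=US/O=Example University/OU=People/OU=Staff"
                + "/CN=Smith, Mike/emailAddress=msmith@example.edu";
        System.out.println("OpenSSL  : " + opensslOneLine);

        // Same name, differing only in keyword case and spacing after commas:
        // a textual compare fails, a structural compare succeeds.
        String spaced = "CN=Smith\\, Mike, OU=People+OU=Staff, O=Example University, C=US";
        String tight  = "cn=Smith\\, Mike,ou=People+ou=Staff,o=Example University,c=US";
        System.out.println("text equal     : " + spaced.equals(tight));
        System.out.println("structure equal: " + sameDn(spaced, tight));
    }
}
```

Run it with `javac DnFormatCheck.java && java DnFormatCheck`. The practical rule it illustrates: whichever side of the CAS-to-web-service call stores the DN, generate the stored key with the same `getName(...)` call (and the same OID map) that the resolver uses at login time, and if the other side is populated by an OpenSSL-based pipeline, compare with `sameDn` rather than `equals`.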
