======CAS: X509 Authentication======

**Note: this documentation was written for CAS version 3.1rc2, it's not valid for version 3.0**

=====deployerConfigContext.xml=====

To use X509 authentication in CAS, you need to define (at least) two beans in the deployerConfigContext.xml, one
to enable the X509 authentication, and one which define the principal name from the credential (i.e. the certificate).
There are so many way to map the principal name from the certificate, including :

   * use the certificate's serialNumber, directly, or to query a LDAP server to fetch the realname 
   * use the full certificate's DN
   * use a part of the certificate's DN (that may be required some hacks)

Anyway, it's //seem// very simple to create your own mapping, just taking a look in x509 source directories.

====authenticationHandler====

Add this bean to enable x509 authentication:

<code xml>
            <bean
                  class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
                  <property name="trustedIssuerDnPattern" value=".*" />
                  <!--
                  <property name="maxPathLength" value="3" />
                  <property name="checkKeyUsage" value="5" />
                  <property name="requireKeyUsage" value="5" />
                  -->
             </bean>
</code>

As you can see, there are some properties :

   * trustedIssuerDnPattern: a regexp to match the user certificate's issuer DN
   * maxPathLength: the maximal length of the certificate chain
   * checkKeyUsage: a boolean to check keyUsage (look for digitalSignature keyUsage)
   * requireKeyUsage: a boolean to enable keyUsage requirement

I must confess I'm not sure to understand differences beetween checkKeyUsage and requireKeyUsage..




====credentialsToPrincipalResolvers====

In this example, I use the UID attribute from the certificate as principal name :

<code xml>
 <bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
   <property name="identifier" value="$UID" />
 </bean>
</code>

=====Others configuration files=====

As the CAS's documentation say, you also need to edit some others configuration files, the doc I used was not adapt
for CAS version 3.1, especially for the //cas-servlet.xml// file.

====cas-servlet.xml====

Add the following code :

<code xml>
   <bean id="x509Check" class="org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction"
      p:centralAuthenticationService-ref="centralAuthenticationService"
   />
</code>