Note: this documentation was written for CAS version 3.1rc2; it is not valid for version 3.0.
To use X509 authentication in CAS, you need to define (at least) two beans in deployerConfigContext.xml: one to enable X509 authentication, and one to derive the principal name from the credential (i.e. the certificate). There are many ways to map the principal name from the certificate, including:
Anyway, it seems very simple to create your own mapping; just take a look at the x509 source directories.
Add this bean to enable x509 authentication:
<bean class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
    <!-- Regex matched against the issuer DN of the client certificate; ".*" accepts any issuer -->
    <property name="trustedIssuerDnPattern" value=".*" />
    <!-- Optional properties, left commented out here (checkKeyUsage and requireKeyUsage are booleans, not numbers):
    <property name="maxPathLength" value="3" />
    <property name="checkKeyUsage" value="true" />
    <property name="requireKeyUsage" value="true" />
    -->
</bean>
As you can see, there are some properties:
I must confess I'm not sure I understand the difference between checkKeyUsage and requireKeyUsage.
In this example, I use the UID attribute from the certificate as the principal name:
<bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
    <!-- Principal name is built from the certificate's subject DN; $UID is replaced by the UID attribute -->
    <property name="identifier" value="$UID" />
</bean>
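As an added example (not the original page's configuration), here are the same two beans with the issuer pattern pinned to one CA instead of ".*" and the key-usage checks enabled; the issuer DN is a placeholder, and the comments assume the 3.1 handler semantics where checkKeyUsage inspects the KeyUsage extension for the digitalSignature bit and requireKeyUsage additionally rejects certificates that carry no KeyUsage extension at all.

```xml
<!-- Added hardening example, not the page's own config. With trustedIssuerDnPattern=".*"
     the only issuer restriction is whatever truststore the servlet container enforces
     during TLS client authentication; pinning the pattern adds a CAS-side check that the
     presented certificate really comes from the CA you intended. -->
<bean class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
    <!-- Placeholder DN: copy the exact issuer DN of your CA certificate. The "\s?" tolerates
         both renderings Java can produce (with or without a space after each comma);
         verify the string CAS logs for a test certificate before relying on it. -->
    <property name="trustedIssuerDnPattern"
              value="CN=Example Issuing CA,\s?O=Example Corp,\s?C=US" />
    <!-- Assumed semantics: reject a certificate whose KeyUsage extension lacks digitalSignature
         (checkKeyUsage), and also reject one that has no KeyUsage extension (requireKeyUsage),
         so a certificate not meant for authentication cannot be used to log in. -->
    <property name="checkKeyUsage" value="true" />
    <property name="requireKeyUsage" value="true" />
</bean>

<bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
    <!-- $UID comes from the subject DN of the presented certificate, so the resulting
         principal name is only as trustworthy as the pinned CA's naming policy. -->
    <property name="identifier" value="$UID" />
</bean>
```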
As the CAS documentation says, you also need to edit some other configuration files; the doc I used was not adapted for CAS version 3.1, especially for the cas-servlet.xml file.
Add the following bean to cas-servlet.xml:
<bean id="x509Check" class="org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction"
p:centralAuthenticationService-ref="centralAuthenticationService"
/>