
asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

CAS: X509 Authentication

Note: this documentation was written for CAS version 3.1rc2; it is not valid for version 3.0.

deployerConfigContext.xml

To use X509 authentication in CAS, you need to define (at least) two beans in deployerConfigContext.xml: one to enable X509 authentication, and one that derives the principal name from the credential (i.e. the certificate). There are many ways to map the principal name from the certificate, including:

  • use the certificate's serialNumber directly, or query an LDAP server with it to fetch the real name
  • use the full DN of the certificate
  • use part of the certificate's DN (this may require some hacks)

Anyway, it seems very simple to create your own mapping; just take a look at the x509 source directories.

authenticationHandler

Add this bean to enable x509 authentication:

    <bean
        class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
        <!-- regexp matched against the issuer DN of the user certificate; ".*" accepts any issuer -->
        <property name="trustedIssuerDnPattern" value=".*" />
        <!-- optional properties, left commented out here (checkKeyUsage and requireKeyUsage are booleans):
        <property name="maxPathLength" value="3" />
        <property name="checkKeyUsage" value="true" />
        <property name="requireKeyUsage" value="true" />
        -->
    </bean>

As you can see, the bean has a few properties:

  • trustedIssuerDnPattern: a regexp to match against the issuer DN of the user certificate
  • maxPathLength: the maximum length of the certificate chain
  • checkKeyUsage: a boolean to check the keyUsage extension (looks for the digitalSignature keyUsage)
  • requireKeyUsage: a boolean to make the keyUsage extension mandatory

I must confess I'm not sure I understand the difference between checkKeyUsage and requireKeyUsage.

credentialsToPrincipalResolvers

In this example, I use the UID attribute from the certificate as the principal name:

    <bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
        <!-- the $UID token is replaced with the value of the certificate's UID attribute -->
        <property name="identifier" value="$UID" />
    </bean>
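To make the effect of the handler properties above (trustedIssuerDnPattern, maxPathLength, checkKeyUsage, requireKeyUsage) and of the $UID identifier mapping concrete, here is an added, self-contained Python model of those checks. It is not CAS code and not the author's: the certificate is a constructed stand-in object, the DN parser is simplified (no escaped commas or multi-valued RDNs), the pattern is applied with Java matches()-style full matching, and the checkKeyUsage/requireKeyUsage semantics are an assumption (a certificate without a keyUsage extension passes only when requireKeyUsage is false). It also shows why trustedIssuerDnPattern=".*" restricts nothing: the regexp accepts every issuer DN, so issuer trust has to come from elsewhere in the deployment.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class ClientCert:
    """Constructed stand-in for an X509 client certificate (not a real certificate)."""
    subject_dn: str
    issuer_dn: str
    chain_length: int                      # number of certificates in the presented chain
    key_usage: Optional[Set[str]] = None   # None means: no keyUsage extension present


def issuer_trusted(cert: ClientCert, trusted_issuer_dn_pattern: str) -> bool:
    """trustedIssuerDnPattern: the issuer DN must match the whole regexp
    (Java Pattern.matches() semantics, hence fullmatch). '.*' accepts any issuer."""
    return re.fullmatch(trusted_issuer_dn_pattern, cert.issuer_dn) is not None


def path_length_ok(cert: ClientCert, max_path_length: int) -> bool:
    """maxPathLength: chains longer than the configured maximum are rejected."""
    return cert.chain_length <= max_path_length


def key_usage_ok(cert: ClientCert, check_key_usage: bool, require_key_usage: bool) -> bool:
    """Assumed semantics (hypothetical, not taken from the page or from CAS source):
    - checkKeyUsage=false: nothing is checked;
    - checkKeyUsage=true and the extension is present: digitalSignature must be asserted;
    - checkKeyUsage=true and the extension is absent: accepted unless requireKeyUsage=true."""
    if not check_key_usage:
        return True
    if cert.key_usage is None:
        return not require_key_usage
    return "digitalSignature" in cert.key_usage


def authenticate(cert: ClientCert, trusted_issuer_dn_pattern: str, max_path_length: int,
                 check_key_usage: bool, require_key_usage: bool) -> bool:
    """All configured checks must pass for the credential to be accepted."""
    return (issuer_trusted(cert, trusted_issuer_dn_pattern)
            and path_length_ok(cert, max_path_length)
            and key_usage_ok(cert, check_key_usage, require_key_usage))


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'UID=bbonfils,CN=Bruno Bonfils,O=asyd.net' into {'UID': 'bbonfils', ...}.
    Simplified: assumes no escaped commas and single-valued RDNs."""
    attrs: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def resolve_principal(cert: ClientCert, identifier: str) -> str:
    """identifier property: every $ATTR token is replaced by the matching subject DN
    attribute ('$UID' -> the UID value); tokens with no matching attribute stay literal."""
    attrs = parse_dn(cert.subject_dn)
    return re.sub(r"\$([A-Za-z]+)",
                  lambda m: attrs.get(m.group(1).upper(), m.group(0)),
                  identifier)


if __name__ == "__main__":
    # Constructed sample certificate, issued by a constructed CA.
    cert = ClientCert(subject_dn="UID=bbonfils,CN=Bruno Bonfils,O=asyd.net",
                      issuer_dn="CN=asyd CA,O=asyd.net",
                      chain_length=2,
                      key_usage={"digitalSignature", "keyEncipherment"})
    print("principal:", resolve_principal(cert, "$UID"))
    print("accept with '.*' and maxPathLength=3:",
          authenticate(cert, ".*", 3, True, True))
    print("accept with maxPathLength=1:",
          authenticate(cert, ".*", 1, True, True))
```

Running the module prints the resolved principal ("bbonfils") and shows the same certificate being accepted with maxPathLength=3 and rejected with maxPathLength=1; tighten trustedIssuerDnPattern to your own CA's DN (with the "." escaped) to see issuer filtering take effect.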

Other configuration files

As the CAS documentation says, you also need to edit some other configuration files; the doc I used was not adapted to CAS version 3.1, especially for the cas-servlet.xml file.

cas-servlet.xml

Add the following code:

    <!-- the p: attribute requires xmlns:p="http://www.springframework.org/schema/p" on the root <beans> element -->
    <bean id="x509Check" class="org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction"
        p:centralAuthenticationService-ref="centralAuthenticationService" />