Do I need CAS?

Hi,

I started to play with CAS a few weeks ago, but I'm not able to do what I want. That's why I'm asking this question: do I need CAS?

What I want to do:
- automatic login if someone comes with a certificate of my own company and his mail is in my LDAP server. I have trouble setting up this authentication, because I have some certificate errors that I can't solve. I've read many tutorials but none of them are really clear to me on how to set up with my own certificate authority.
- if no certificate, login against the LDAP server. But after login, how can I know what this user can access? For example user1 has access to webmail and wiki but user2 has only access to webmail ...

If someone has good tutorials or sites to give me ... Thanks for your help

Juju
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas
Re: Do I need CAS?

Julien Garnier wrote:
> What I want to do:
> - automatic login if someone comes with a certificate of my own
> company and his mail is in my LDAP server. I have trouble setting up
> this authentication, because I have some certificate errors that I can't
> solve.

Can you elaborate on the problems you have?

> I've read many tutorials but none of them are really clear to me
> on how to set up with my own certificate authority.

First you have to import your CA cert as trusted in the Java key store. Whether it works also depends on whether your CA was correctly set up (e.g. regarding certificate profile: naming, X.509v3 extensions). You have to be familiar with SSL/TLS client authentication.

> - If no certificate, login against the LDAP server.

That's possible. You have to tweak login-webflow.xml to achieve this.

> But after login, how can I know what this user can access? For example
> user1 has access to webmail and wiki but user2 has only access to webmail
> ...

You should probably use the Services Manager to implement such application-level access control:

http://www.ja-sig.org/wiki/display/CASUM/Services+Management

Ciao, Michael.
Re: Do I need CAS?

Michael Ströder wrote:
> Julien Garnier wrote:
>> What I want to do:
>> - automatic login if someone comes with a certificate of my own
>> company and his mail is in my LDAP server. I have trouble setting up
>> this authentication, because I have some certificate errors that I can't
>> solve.
>
> Can you elaborate on the problems you have?

*exception*
javax.servlet.ServletException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://sso.dr13.cnrs.fr/cas/serviceValidate] ticket=[ST-35-3T0ZQ2S1cFqWCPYkSagH-cas] service=[https%3A%2F%2Fsso.dr13.cnrs.fr%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:381)
    filters.ExampleFilter.doFilter(ExampleFilter.java:102)

*cause mère*
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://sso.dr13.cnrs.fr/cas/serviceValidate] ticket=[ST-35-3T0ZQ2S1cFqWCPYkSagH-cas] service=[https%3A%2F%2Fsso.dr13.cnrs.fr%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
    edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
    filters.ExampleFilter.doFilter(ExampleFilter.java:102)

*cause mère*
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1650)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1428)
    com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
    com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:591)
    com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:698)
    com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:624)
    com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
    com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1116)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1100)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
    edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
    edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
    filters.ExampleFilter.doFilter(ExampleFilter.java:102)

If auth=want, it works perfectly ...

>> I've read many tutorials but none of them are really clear to me
>> on how to set up with my own certificate authority.
>
> First you have to import your CA cert as trusted in the Java key store.
> Whether it works also depends on whether your CA was correctly set up
> (e.g. regarding certificate profile: naming, X.509v3 extensions). You
> have to be familiar with SSL/TLS client authentication.

My server.xml:

<Connector address="sso.dr13.cnrs.fr" port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/etc/tomcat/sso.dr13.cnrs.fr.jks" keystorePass="password"
           truststoreFile="/etc/tomcat/truststore.jks" truststorePass="password" />

If I read the truststore and keystore (sso.dr13.cnrs.fr is the CAS server):

keytool -list -v -keystore /etc/tomcat/sso.dr13.cnrs.fr.jks
Tapez le mot de passe du Keystore : password

Type Keystore : jks
Fournisseur Keystore : SUN

Votre Keystore contient 1 entrée(s)

Nom d'alias : sso.dr13.cnrs.fr
Date de création : 16 avr. 2008
Type d'entrée : keyEntry
Longueur de chaîne du certificat : 3
Certificat[1]:
Propriétaire : EMAILADDRESS=ssi@..., CN=sso.dr13.cnrs.fr, OU=MOY1300, O=CNRS, C=FR
Émetteur : CN=CNRS-Standard, O=CNRS, C=FR
Numéro de série : 5cbe
Valide du : Tue Jul 10 12:18:29 UTC 2007 au : Thu Jul 09 12:18:29 UTC 2009
Empreintes de certificat :
     MD5 : 67:1A:BE:9C:BF:BE:A1:33:3F:F6:F6:C4:24:32:19:A9
     SHA1: 57:F8:BA:7E:9D:37:3B:77:DC:12:77:AF:1D:00:CE:67:C9:E8:EF:6F
Certificat[2]:
Propriétaire : CN=CNRS-Standard, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 2
Valide du : Fri Apr 27 05:46:49 UTC 2001 au : Mon Apr 25 05:46:49 UTC 2011
Empreintes de certificat :
     MD5 : CE:89:05:3D:B7:3D:8F:6E:5B:DF:58:16:3B:E0:88:CF
     SHA1: 41:F6:1C:59:C7:01:A9:10:F4:6E:7E:FA:9B:FD:15:BD:FB:B4:44:D5
Certificat[3]:
Propriétaire : CN=CNRS, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 0
Valide du : Fri Apr 27 05:44:36 UTC 2001 au : Thu Apr 22 05:44:36 UTC 2021
Empreintes de certificat :
     MD5 : 92:1E:3C:80:4A:95:65:6C:9E:A2:F2:1E:12:BF:EF:6D
     SHA1: 22:61:81:6A:9D:F6:86:6E:76:CE:8A:AC:6E:6F:52:3D:8B:09:32:D1

*******************************************
*******************************************

keytool -list -v -keystore /etc/tomcat/truststore.jks
Tapez le mot de passe du Keystore : password

Type Keystore : jks
Fournisseur Keystore : SUN

Votre Keystore contient 4 entrée(s)

Nom d'alias : cnrs-standard
Date de création : 29 avr. 2008
Type d'entrée : trustedCertEntry
Propriétaire : CN=CNRS-Standard, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 2
Valide du : Fri Apr 27 05:46:49 UTC 2001 au : Mon Apr 25 05:46:49 UTC 2011
Empreintes de certificat :
     MD5 : CE:89:05:3D:B7:3D:8F:6E:5B:DF:58:16:3B:E0:88:CF
     SHA1: 41:F6:1C:59:C7:01:A9:10:F4:6E:7E:FA:9B:FD:15:BD:FB:B4:44:D5

*******************************************
*******************************************

Nom d'alias : cnrs
Date de création : 29 avr. 2008
Type d'entrée : trustedCertEntry
Propriétaire : CN=CNRS, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 0
Valide du : Fri Apr 27 05:44:36 UTC 2001 au : Thu Apr 22 05:44:36 UTC 2021
Empreintes de certificat :
     MD5 : 92:1E:3C:80:4A:95:65:6C:9E:A2:F2:1E:12:BF:EF:6D
     SHA1: 22:61:81:6A:9D:F6:86:6E:76:CE:8A:AC:6E:6F:52:3D:8B:09:32:D1

*******************************************
*******************************************

Nom d'alias : cnrs-plus
Date de création : 30 avr. 2008
Type d'entrée : trustedCertEntry
Propriétaire : CN=CNRS-Plus, O=CNRS, C=FR
Émetteur : CN=CNRS, O=CNRS, C=FR
Numéro de série : 1
Valide du : Fri Apr 27 05:45:28 UTC 2001 au : Mon Apr 25 05:45:28 UTC 2011
Empreintes de certificat :
     MD5 : CB:12:3C:95:D1:3B:E4:C6:E0:23:AC:E8:F9:C2:79:88
     SHA1: 60:FC:FB:84:D4:DD:58:5D:4E:42:B9:01:44:E8:2E:B2:C4:76:53:B8

*******************************************
*******************************************

Nom d'alias : sso
Date de création : 30 avr. 2008
Type d'entrée : trustedCertEntry
Propriétaire : EMAILADDRESS=ssi@..., CN=sso.dr13.cnrs.fr, OU=MOY1300, O=CNRS, C=FR
Émetteur : CN=CNRS-Standard, O=CNRS, C=FR
Numéro de série : 5cbe
Valide du : Tue Jul 10 12:18:29 UTC 2007 au : Thu Jul 09 12:18:29 UTC 2009
Empreintes de certificat :
     MD5 : 67:1A:BE:9C:BF:BE:A1:33:3F:F6:F6:C4:24:32:19:A9
     SHA1: 57:F8:BA:7E:9D:37:3B:77:DC:12:77:AF:1D:00:CE:67:C9:E8:EF:6F

I think the problem is that I have two certificate authorities: CNRS and CNRS-Standard.

>> - If no certificate, login against the LDAP server.
>
> That's possible. You have to tweak login-webflow.xml to achieve this.

I've read this, thanks.

>> But after login, how can I know what this user can access? For example
>> user1 has access to webmail and wiki but user2 has only access to webmail
>> ...
>
> You should probably use the Services Manager to implement such
> application-level access control:
>
> http://www.ja-sig.org/wiki/display/CASUM/Services+Management
>
> Ciao, Michael.

Juju
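The bad_certificate alert in the stack trace above is what a TLS server sends when it requires a client certificate (clientAuth="true") and the peer presents none; with clientAuth="want" the same handshake completes. Note that in the trace the alert is received by the CAS client's own outbound HTTPS call to /cas/serviceValidate, not by a browser. The Go program below is an added example, not code from this thread or from CAS/Tomcat, and reproduces both outcomes on a local listener with a constructed self-signed certificate; it forces TLS 1.2 so the alert surfaces during the handshake itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newServerCert builds a constructed, self-signed "localhost" certificate and a pool that trusts it.
func newServerCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
// HandshakeWithoutClientCert runs one TLS 1.2 handshake against a local server using the given
// client-auth policy; the client trusts the server but presents no certificate of its own.
func HandshakeWithoutClientCert(policy tls.ClientAuthType) error {
	cert, pool := newServerCert()
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy, ClientCAs: pool, MaxVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: accept one connection, drive the handshake, hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	// RequireAndVerifyClientCert (clientAuth="true"): Dial fails, normally "remote error: tls: bad certificate"; RequestClientCert (clientAuth="want"): the empty Certificate message is accepted and Dial succeeds.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost", MaxVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	return conn.Close()
}
```

Importing the CA into the truststore, as advised above, fixes trust errors; it does not by itself make a client that has no certificate of its own acceptable to a connector configured with clientAuth="true".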