CAS X.509 auth with attributes from database
I want to configure Apereo CAS 6.0.x to perform X.509 authentication and then retrieve principal attributes from a database table.
Basic X.509 authentication works with these lines in application.properties (together with the appropriate reverse-proxy settings):
cas.authn.x509.extractCert=true
cas.authn.x509.sslHeaderName=SSL_CLIENT_CERT
cas.authn.x509.principalDescriptor=SUBJECT_DN
The default "Log In Successful" page shows that it knows how to obtain the subject DN from my certificate.
But I don't know how to tell CAS to then use that subject DN value to query my database for additional attributes.
This page explicitly mentions my need (though with LDAP rather than JDBC) but does not say specifically how to implement it:
In many cases it is necessary to perform authentication by one means and resolve principals by another. The PrincipalResolver component provides this functionality. A common use case for this mix-and-match strategy arises with X.509 authentication. It is common to store certificates in an LDAP directory and query the directory to resolve the principal ID and attributes from directory attributes. The X509CertificateAuthenticationHandler may be combined with an LDAP-based principal resolver to accommodate this case.
Which properties need to be set so that the X509 authentication handler resolves the principal against a database?
The missing ingredient is this line in application.properties:
cas.authn.x509.principalType=SUBJECT_DN
Without it, CAS does not attempt to query any attributeRepository settings you may have.
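For reference, here is a fuller application.properties fragment that combines the question's X.509 lines, the answer's principalType setting, and a JDBC attribute repository. It is added here as an illustration and is not taken from the question, the answer, or the CAS project; the cas.authn.attributeRepository.jdbc[0].* property names follow the CAS 6.0 camel-case convention and should be checked against the property reference for your version, and the table and column names (cas_users, subject_dn, mail, display_name) and the connection details are assumed placeholders.

```properties
# From the question: take the PEM certificate from a header that the reverse proxy sets
cas.authn.x509.extractCert=true
cas.authn.x509.sslHeaderName=SSL_CLIENT_CERT
cas.authn.x509.principalDescriptor=SUBJECT_DN
# From the answer: use the subject DN as the principal id so the attribute repository is consulted
cas.authn.x509.principalType=SUBJECT_DN

# Assumed JDBC attribute repository (verify property names for your CAS version).
# CAS replaces {0} with the lookup condition on the column named by 'username',
# i.e. the column that holds the principal id (here, the subject DN string).
cas.authn.attributeRepository.jdbc[0].sql=SELECT * FROM cas_users WHERE {0}
cas.authn.attributeRepository.jdbc[0].username=subject_dn
cas.authn.attributeRepository.jdbc[0].singleRow=true
cas.authn.attributeRepository.jdbc[0].url=jdbc:postgresql://db.example.test:5432/cas
cas.authn.attributeRepository.jdbc[0].user=cas_reader
cas.authn.attributeRepository.jdbc[0].password=CHANGE_ME
cas.authn.attributeRepository.jdbc[0].driverClass=org.postgresql.Driver
cas.authn.attributeRepository.jdbc[0].dialect=org.hibernate.dialect.PostgreSQL95Dialect
# Map database columns (left) to the attribute names CAS releases (right)
cas.authn.attributeRepository.jdbc[0].attributes.mail=email
cas.authn.attributeRepository.jdbc[0].attributes.display_name=displayName
```

Two things to check when wiring this up: the subject_dn column must hold the DN string exactly as CAS renders it as the principal id, otherwise the lookup returns no row and the principal carries no attributes; and because the certificate arrives in the SSL_CLIENT_CERT header, the reverse proxy must set that header itself and discard any copy supplied by the client, since CAS trusts whatever the header contains. A read-only database account for the attribute query keeps the blast radius small if the CAS node is compromised.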