org.apereo.cas.adaptors.x509.authentication.handler.support

Class X509CredentialsAuthenticationHandler

java.lang.Object

org.apereo.cas.authentication.AbstractAuthenticationHandler

org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

org.apereo.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler

All Implemented Interfaces:

org.apereo.cas.authentication.AuthenticationHandler

@RefreshScope
 @Component(value="x509CredentialsAuthenticationHandler")
public class X509CredentialsAuthenticationHandler
extends org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

Authentication Handler that accepts X509 Certificates, determines their validity and ensures that they were issued by a trusted issuer. (targeted at X509v3) Optionally checks KeyUsage extension in the user certificate (container should do that too). Note that this handler trusts the servlet container to do some initial checks like path validation. Deployers can supply an optional pattern to match subject dns against to further restrict certificates in case they are not using their own issuer. It's also possible to specify a maximum pathLength for the SUPPLIED certificates. (note that this does not include a pathLength check for the root certificate) [PathLength is 0 for the CA certificate that issues the end-user certificate]

Since:

3.0.4

Field Summary

Fields inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

principalFactory, servicesManager

Fields inherited from interface org.apereo.cas.authentication.AuthenticationHandler

SUCCESSFUL_AUTHENTICATION_HANDLERS

Constructor Summary

Constructors

Constructor and Description
X509CredentialsAuthenticationHandler()

Method Summary

Modifier and Type	Method and Description
protected org.apereo.cas.authentication.HandlerResult	doAuthentication(org.apereo.cas.authentication.Credential credential)
void	init() Init and ensure configuration is correct.
void	setCheckKeyUsage(boolean checkKeyUsage)
void	setMaxPathLength(int maxPathLength)
void	setMaxPathLengthAllowUnspecified(boolean allowed)
void	setRequireKeyUsage(boolean requireKeyUsage)
void	setRevocationChecker(RevocationChecker checker) Sets the component responsible for evaluating certificate revocation status for client certificates presented to handler.
void	setSubjectDnPattern(java.lang.String subjectDnPattern)
void	setTrustedIssuerDnPattern(java.lang.String trustedIssuerDnPattern)
boolean	supports(org.apereo.cas.authentication.Credential credential)

Methods inherited from class org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

authenticate, createHandlerResult, postAuthenticate, preAuthenticate

Methods inherited from class org.apereo.cas.authentication.AbstractAuthenticationHandler

getName, setName, setPrincipalFactory

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

X509CredentialsAuthenticationHandler

public X509CredentialsAuthenticationHandler()

Method Detail

supports

public boolean supports(org.apereo.cas.authentication.Credential credential)

init

@PostConstruct
public void init()

Init and ensure configuration is correct.

doAuthentication

protected org.apereo.cas.authentication.HandlerResult doAuthentication(org.apereo.cas.authentication.Credential credential)
                                                                throws java.security.GeneralSecurityException,
                                                                       org.apereo.cas.authentication.PreventedException

Specified by:

doAuthentication in class org.apereo.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler

Throws:

java.security.GeneralSecurityException

org.apereo.cas.authentication.PreventedException

setTrustedIssuerDnPattern

@Autowired
public void setTrustedIssuerDnPattern(@Value(value="${cas.x509.authn.trusted.issuer.dnpattern:}")
                                                  java.lang.String trustedIssuerDnPattern)

setMaxPathLength

@Autowired
public void setMaxPathLength(@Value(value="${cas.x509.authn.max.path.length:1}")
                                         int maxPathLength)

Parameters:

maxPathLength - The maxPathLength to set.

setMaxPathLengthAllowUnspecified

@Autowired
public void setMaxPathLengthAllowUnspecified(@Value(value="${cas.x509.authn.max.path.length.unspecified:false}")
                                                         boolean allowed)

Parameters:

allowed - Allow CA certs to have unlimited intermediate certs (default=false).

setCheckKeyUsage

@Autowired
public void setCheckKeyUsage(@Value(value="${cas.x509.authn.check.key.usage:false}")
                                         boolean checkKeyUsage)

Parameters:

checkKeyUsage - The checkKeyUsage to set.

setRequireKeyUsage

@Autowired
public void setRequireKeyUsage(@Value(value="${cas.x509.authn.require.key.usage:false}")
                                           boolean requireKeyUsage)

Parameters:

requireKeyUsage - The requireKeyUsage to set.

setSubjectDnPattern

@Autowired
public void setSubjectDnPattern(@Value(value="${cas.x509.authn.subject.dnpattern:.*}")
                                            java.lang.String subjectDnPattern)

setRevocationChecker

@Autowired(required=false)
public void setRevocationChecker(@Qualifier(value="x509RevocationChecker")
                                                             RevocationChecker checker)

Sets the component responsible for evaluating certificate revocation status for client certificates presented to handler. The default checker is a NO-OP implementation for backward compatibility with previous versions that do not perform revocation checking.

Parameters:

checker - Revocation checker component.