Apr 5th, 2006, 01:54 PM
Switching between certificate and form based authentications per request basis
We are using CAS and Acegi for our security requirements for some period. Currently we need to switch between certificate and form based authentication methods while using CAS in the same web application. Some of our users want to login to the system using their certificates, and some others will use their username ad passwords. First group will be made access to CAS login url using https://ssoserver:9444/cas/login, which requires SSL with client authentication, and the second group will be made access through https://ssoserver:9443/cas/login, which has standard SSL configuration. We solved this requirement allowing all users accessing first to the system using https://appserver:9443/secure.jsp, while providing a request parameter (authType=cert|form) to decide on which auth. method will be used on CAS side. Later, we decide which loginUrl will be used based on this request paremeter's value. In other words, we change CasProcessingFilterEntryPoint bean's loginUrl property based on each request. Currently, we extend CasProcessingFilterEntryPoint class, but rewrote its commence method, as it uses loginUrl property directly. We suggest a facility to change loginUrl of CasProcessingFilterEntryPoint during runtime based on current request's content. For example, you might provide a protected getLoginUrl(ServletRequest request) method, which by default returns value of loginUrl property.
Apr 5th, 2006, 10:58 PM
you can set up tomcat such that if a certificate exists it will use it, otherwise it would fall back to the login for form CAS.
We have instructions on that here:
Not sure if this will help in your situation.