Bugzilla – Bug 4665
Identity authorization fails with emailAddress and E in DNs.
Last modified: 2006-09-27 14:54:45
One thing I do notice is that the environment variable CAS_SERVER_IDENTITY
needs to contain "E=" as opposed to "emailAddress=".
If it doesn't have this I get the following error when I try to perform cas
bin/cas-group-admin -m msg user create superUserGroup testUGp
2006-08-16 13:48:47,986 WARN authorization.BasicSubjectAuthorization
[main,authorize:122] Authorization failed: expected principals
2006-08-16 13:48:47,991 ERROR wssec.WSSecurityClientHandler
failed.; nested exception is:
javax.xml.rpc.soap.SOAPFaultException: Authorization failed.
Where is the E attribute specified? I don't find it in RFC 1779, RFC 2253, or
RFC 3280. In regard to the EmailAddress attribute, does the following quote
from RFC 3280 have any bearing on this issue?
Conforming implementations generating new certificates with
electronic mail addresses MUST use the rfc822Name in the subject
alternative name field (section 126.96.36.199) to describe such identities.
Simultaneous inclusion of the EmailAddress attribute in the subject
distinguished name to support legacy implementations is deprecated
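
The mismatch reported above involves two labels ("E" and "emailAddress") for one attribute type, PKCS #9 emailAddress, OID 1.2.840.113549.1.9.1. The following is an added example, not code from this bug report or from the CAS project: a sketch of comparing an expected identity with a presented subject DN by attribute type instead of by label text. It assumes comma-separated, single-valued RDNs; the function names and sample DNs are constructed for illustration.

```python
# Added example: compare X.500 subject DNs by attribute type, not by label text.
EMAIL_OID = "1.2.840.113549.1.9.1"  # PKCS #9 emailAddress
# Labels that different toolkits print for the same attribute type.
ALIASES = {"E": EMAIL_OID, "EMAIL": EMAIL_OID, "EMAILADDRESS": EMAIL_OID}


def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters inside the parts."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def canonical_dn(dn):
    """Return a tuple of (type, value) pairs with attribute labels normalised."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        label, value = rdn.split("=", 1)
        label = label.strip().upper()
        if label.startswith("OID."):  # some toolkits print "OID.<dotted oid>"
            label = label[4:]
        rdns.append((ALIASES.get(label, label), value.strip()))
    return tuple(rdns)


def same_identity(expected, presented):
    """True when both DNs carry the same attribute types and values in order."""
    return canonical_dn(expected) == canonical_dn(presented)


# Constructed sample DNs (not taken from the bug report).
DN_LONG = "emailAddress=alice@example.org, CN=Alice Example, O=Example Org, C=US"
DN_SHORT = "E=alice@example.org,CN=Alice Example,O=Example Org,C=US"
```

Values are still compared exactly, so only the label spelling and the whitespace around separators are normalised; a different address or a reordered DN remains a mismatch.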