Enabling x509, Kerberos, and LDAP in a chain...

[Jathan Manley]

I would like to have a chain of three possible authentications x509, Kerberos, and LDAP.  I've been able to effectively setup x509 falling back to LDAP, and Kerberos falling back to LDAP, but what I would like is to check for a valid cert, if that fails, do a kerberos exchange, and if that fails fall back to username/password backed in LDAP.

The problem seems to be that each of the modules (x509 and kerberos) construct the webflow assuming they are the only one doing so (as in X509WebflowConfigurer.java). Looking at the documentation on custom webflow documentation at https://apereo.github.io/cas/5.3.x/installation/Webflow-Customization.html seems to suggest that this is a bad idea since you have to create the complete webflow in your customization.

Is there some type of pattern where these webflow modifications can be chained easily?  Again, any pointers would be helpful.  If there is not easy way, is there at least a way I can see the complete webflow after it has been constructed so I have a template of what I should be working with?

-Jathan