Hi, I'm developing a WebService and I need to grant access to the service only to authorized systems possessing a valid x509 certificate. The remote system then should work impersonating a valid user so that it accesses all the resources the user has grants on. In practice the remote system acts in front of another user and I need to authenticate both the remote system (through SSL) and the real user (through Basic authentication). At the WebService endpoint I want a valid Authentication object that contains information about both principals.

I'm trying to do that using Acegi, possibly reusing existing components (like existing filters, tokens and providers for x509 and usernamepassword mechanisms). My idea is to create a custom filter that uses X509ProcessingFilter and BasicProcessingFilter, authenticates the single tokens (certificate and user) and collects that information to create a custom Authentication object with all the information I need. The resulting token would have a special granted authority like ROLE_REMOTE_SYSTEM_USER that I can use to secure my WebService endpoint. I'm not sure anyway how to implement an Authentication object that resembles the other ones, without having to write a custom AuthenticationManager to process that implementation (is that possible??).

Is this approach correct? Could someone give me some tips to satisfy my requirements?

Thanks in advance.

Bye,
Davide Romanini

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
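One way to build the composite token the post asks about, as an added example that is not part of the original message or of Acegi itself. It assumes the Acegi 1.0 API (package org.acegisecurity, GrantedAuthority[] arrays, AbstractAuthenticationToken with an authorities constructor); the class RemoteSystemUserAuthenticationToken and its authenticate() helper are hypothetical names. The idea is that the certificate token and the Basic token are each passed through the existing ProviderManager, which already knows how to handle X509AuthenticationToken and UsernamePasswordAuthenticationToken, and only the two results are combined. Because the composite is created from two already-authenticated objects and marked authenticated on construction, no AuthenticationProvider ever needs to process the composite class.

```java
import java.util.ArrayList;
import java.util.List;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.AbstractAuthenticationToken;

/**
 * Hypothetical composite token (not an Acegi class) carrying two principals that
 * were already verified by their own providers: the remote system (X.509 client
 * certificate) and the end user it acts for (Basic credentials).
 */
public class RemoteSystemUserAuthenticationToken extends AbstractAuthenticationToken {

    public static final String ROLE_REMOTE_SYSTEM_USER = "ROLE_REMOTE_SYSTEM_USER";

    private final Authentication remoteSystem;
    private final Authentication user;

    public RemoteSystemUserAuthenticationToken(Authentication remoteSystem, Authentication user) {
        super(mergeAuthorities(remoteSystem, user));
        if (!remoteSystem.isAuthenticated() || !user.isAuthenticated()) {
            // Refuse to build a trusted composite from anything a provider has not accepted.
            throw new IllegalArgumentException("both principals must already be authenticated");
        }
        this.remoteSystem = remoteSystem;
        this.user = user;
        // Both halves passed their own providers, so the composite is trusted as built.
        super.setAuthenticated(true);
    }

    /**
     * Authenticate the two raw tokens produced by X509ProcessingFilter and
     * BasicProcessingFilter through the existing AuthenticationManager, then combine them.
     * Either failure propagates as an AuthenticationException, so a composite is never
     * created with only one verified half.
     */
    public static RemoteSystemUserAuthenticationToken authenticate(AuthenticationManager manager,
            Authentication certificateToken, Authentication basicToken) throws AuthenticationException {
        Authentication system = manager.authenticate(certificateToken);
        Authentication user = manager.authenticate(basicToken);
        return new RemoteSystemUserAuthenticationToken(system, user);
    }

    private static GrantedAuthority[] mergeAuthorities(Authentication remoteSystem, Authentication user) {
        List merged = new ArrayList();
        // Only the user's authorities are carried over: the endpoint must see what the
        // impersonated user may access, not what the remote system's certificate grants.
        GrantedAuthority[] userAuthorities = user.getAuthorities();
        for (int i = 0; userAuthorities != null && i < userAuthorities.length; i++) {
            merged.add(userAuthorities[i]);
        }
        // The marker role that secures the WebService endpoint, proving a certificate
        // holder was present in addition to the user.
        merged.add(new GrantedAuthorityImpl(ROLE_REMOTE_SYSTEM_USER));
        return (GrantedAuthority[]) merged.toArray(new GrantedAuthority[merged.size()]);
    }

    /** The principal seen by method security is the end user being impersonated. */
    public Object getPrincipal() {
        return user.getPrincipal();
    }

    /** Neither the password nor the certificate is retained in the composite. */
    public Object getCredentials() {
        return null;
    }

    public Authentication getRemoteSystem() {
        return remoteSystem;
    }

    public Authentication getUser() {
        return user;
    }

    /** Callers may only downgrade the token; it can never be marked trusted after the fact. */
    public void setAuthenticated(boolean authenticated) {
        if (authenticated) {
            throw new IllegalArgumentException("use the constructor to create a trusted token");
        }
        super.setAuthenticated(false);
    }
}
```

In the custom filter, after both processing filters have built their raw tokens, call RemoteSystemUserAuthenticationToken.authenticate(authenticationManager, certToken, basicToken) and store the result in the SecurityContextHolder; the endpoint can then be protected with ROLE_REMOTE_SYSTEM_USER while the user's own authorities still decide which resources are reachable. Overriding setAuthenticated so it cannot be flipped to true mirrors what Acegi's own tokens do and prevents an unverified composite from ever being trusted.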
