On Mon, 12/12/2005 at 18:32 -0500, Ben Alex wrote:
> If I understand correctly, you need to X509 authenticate an actual
> remote system, but BASIC authenticate the actual user that is using the
> remote system?
>
> In that case, you're best off to do it in as portable and reusable
> fashion possible. That would mean:
>
Thank you very much for your precious tips. I followed your suggestions and implemented it this way: first, I created my own X509ProcessingFilter that extracts the certificate and authenticates it against the AuthenticationManager. It then looks in the context for an existing UsernamePasswordAuthenticationToken and stores in its details the X509AuthenticationToken it just authenticated (using an X509WebAuthenticationDetails). If the context is empty, it simply stores the authenticated X509AuthenticationToken.

In this way I can have a single filter chain applied to a general secure resource (say, /secure) and apply different policies to the individual contents (say, /secure/onlyManagers.html, /secure/onlySSLUsers.html, etc.) using Interceptors. I could then have my WebService support some operations usable directly from a remote system (authenticated only using its certificate), some usable only by doubly authenticated users, and some others directly accessible using simple HTTP BASIC authentication.

I created a simple X509AuthenticatedVoter that looks for an X509_ESTABLISHED config attribute and grants access if the Authentication object contains X509WebAuthenticationDetails.

I made some simple tests and it seems to work. There's probably more room for this, such as implementing some mechanism to control the roles of both the user and the remote system... but for now my needs are not so complex.

Bye
Davide Romanini

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
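The design described in the message above, as an added sketch that is not Davide's code and does not use Acegi's API: every type and method here (`Auth`, `CertAuth`, `X509Details`, `merge`, `allowed`) is a self-contained, hypothetical stand-in, and `ROLE_MANAGER` and the principal names are constructed sample values. Only the `X509_ESTABLISHED` attribute and the idea of attaching the certificate token to the user token's details come from the message; treating a bare certificate token as X509-established is an assumption.

```java
import java.util.*;

public class X509VoterSketch {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    // Stand-in for an authenticated token (not an Acegi class).
    static class Auth {
        final String name; final List<String> roles; Object details;
        Auth(String name, String... roles) { this.name = name; this.roles = Arrays.asList(roles); }
    }
    static class CertAuth extends Auth { CertAuth(String subject) { super(subject); } }
    // Stand-in for the poster's X509WebAuthenticationDetails.
    static class X509Details { final CertAuth cert; X509Details(CertAuth c) { cert = c; } }

    // Filter step, run only after the certificate itself has been authenticated.
    static Auth merge(Auth inContext, CertAuth cert) {
        if (inContext == null) return cert;          // empty context: store the cert token itself
        inContext.details = new X509Details(cert);   // user present: attach cert to its details
        return inContext;
    }

    static int x509Vote(Auth a, List<String> attrs) {
        if (!attrs.contains("X509_ESTABLISHED")) return ABSTAIN;
        // Assumption: a bare certificate token also counts as X509-established.
        return (a instanceof CertAuth || a.details instanceof X509Details) ? GRANTED : DENIED;
    }

    static int roleVote(Auth a, List<String> attrs) {
        int result = ABSTAIN;
        for (String attr : attrs) {
            if (!attr.startsWith("ROLE_")) continue;
            if (a.roles.contains(attr)) return GRANTED;
            result = DENIED;                         // a role was required but not held (so far)
        }
        return result;
    }

    // Unanimous-style decision: any DENIED vote blocks, and at least one voter must grant.
    static boolean allowed(Auth a, String... config) {
        List<String> attrs = Arrays.asList(config);
        int x = x509Vote(a, attrs), r = roleVote(a, attrs);
        return x != DENIED && r != DENIED && (x == GRANTED || r == GRANTED);
    }

    public static void main(String[] args) {
        Auth basicOnly = new Auth("alice", "ROLE_MANAGER");
        Auth both = merge(new Auth("bob", "ROLE_MANAGER"), new CertAuth("CN=remote-system"));
        Auth certOnly = merge(null, new CertAuth("CN=remote-system"));
        for (Auth a : new Auth[] { basicOnly, both, certOnly })
            System.out.println(a.name + ": manager=" + allowed(a, "ROLE_MANAGER")
                + " ssl=" + allowed(a, "X509_ESTABLISHED")
                + " both=" + allowed(a, "ROLE_MANAGER", "X509_ESTABLISHED"));
    }
}
```

Because the voter trusts whatever sits in the details field, the design is only sound if the filter is the sole component that can place a certificate token there.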
