Michael

Michael Ströder wrote:
It seems I don't understand your issue.

Andy Cowling wrote:
   4. We use a webflow that first executes the X509Check - and then if
      successful, passes the user to the login form. Invalid cert users
      do not see the login form.

If you already successfully authenticated the user via X509Check why do
you present a login form?
Our company does not consider this a strong enough authentication method for our intranet. Whilst it might be unusual for a certificate to be compromised, in a big company we cannot guarantee that some employees won't make the mistake of storing their key with an empty password on a memory stick. Requiring the user to also enter the correct username and password provides a greater level of security.

   5. In the login form authentication handler the certificate is made
      available (yet),

What does "the certificate is made available" mean?
The credentials object passed to AuthenticationManagerImpl during the X509Check phase of our webflow contains the certificate. But during the login form submission it does not - even though the browser has no doubt sent the client cert with both http requests.

      but the username (and password) from the login
      form is. This latter username (and password) must correspond to a
      uid and a matching password in LDAP.

That's normal.

   6. What we're asking for is conceptually simple. We just need to
      check that the uid in (3) matches the uid in (5) [i.e.
      uid1.compareTo(uid2) == 0]

If you can successfully map the user after X509Check via
CredentialsToLDAPAttributePrincipalResolver to the uid why do you need that?

Is the uid then your authz-ID?
Yes. The uid from the cert (mapped from the cert's email address via LDAP), and the username provided in the login form, are the authz-ID.

Cheers
Andy


--
*Andy Cowling | UK Platform Management*
*Interactive Data Managed Solutions Ltd*
-----------------------------------------------------------------------------------
Suite 1101, Eagle Tower | Montpellier Drive | Cheltenham GL50 1TA | GL50 1LE
Tel: +44 (0)1242 6941 15 | Fax: +44 (0)1242 6941 01
[email protected]
http://www.interactivedata-ms.com/
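The two-phase check Andy describes in points 4 to 6, as an added example that is not code from this thread or from CAS: phase 1 (the X509Check step) maps the cert's email address to an LDAP uid and records it in the webflow scope, phase 2 (the login form handler) verifies username and password and refuses the login unless that username matches the uid derived from the cert. The directory contents and the password check are constructed stand-ins for the LDAP lookups.

```python
# Added example, not code from the thread or from CAS. Models the webflow
# described above with in-memory stand-ins for LDAP (assumed data).
import hmac

# Constructed directory data: mail -> uid, and uid -> password (stand-in for
# an LDAP bind or password-attribute check).
LDAP_MAIL_TO_UID = {"andy@example.com": "acowling", "bob@example.com": "bsmith"}
LDAP_UID_TO_PW = {"acowling": "s3cret", "bsmith": "hunter2"}


def x509_check(cert_email, flow_scope):
    """Phase 1: resolve the cert's email address to a uid (what the
    CredentialsToLDAPAttributePrincipalResolver step does) and keep the uid
    in the flow scope, because the login-form phase no longer sees the cert."""
    uid = LDAP_MAIL_TO_UID.get(cert_email.lower())
    if uid is None:
        return False
    flow_scope["cert_uid"] = uid
    return True


def login_form_check(username, password, flow_scope):
    """Phase 2: require that phase 1 ran, that the form username equals the
    cert-derived uid, and that the password is correct.
    Returns the authenticated uid, or None on any failure."""
    cert_uid = flow_scope.get("cert_uid")
    if cert_uid is None:
        # Login form reached without a successful X509Check: deny.
        return None
    # LDAP 'uid' uses caseIgnoreMatch, so compare case-folded; compare_digest
    # avoids leaking where the two strings differ.
    if not hmac.compare_digest(cert_uid.lower().encode(), username.lower().encode()):
        return None
    expected = LDAP_UID_TO_PW.get(cert_uid)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return cert_uid
```

A cert/username mismatch is rejected even when the password for the typed username would itself be valid, which is the property the extra login step is meant to add.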
