[ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12737413#action_12737413 ]

David Jencks commented on GERONIMO-4779:
----------------------------------------

Previously we were using a login module that accepted CertificateCallbacks.  
However, once SSL has accepted the client certificate, there is nothing further 
we can reasonably do to authenticate them.  All we can do is install some 
principals into the subject.  The jetty (and IIUC until Jarek changed it) 
tomcat client cert authenticators however are not supplying certificates but the 
x509 names from them.

I think the best approach is a new login module that just adds principals to 
the subject for recognized users.  This is also needed for stuff like openid 
where the authentication happens entirely externally and the only info we get 
is the user's identity and we have to assign principals that map to roles.

> Add cert authentication support for Jetty7 module
> -------------------------------------------------
>
>                 Key: GERONIMO-4779
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4779
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.2
>            Reporter: Ivan
>             Fix For: 2.2
>
>         Attachments: Geronimo-4776.patch
>
>
> Currently, the jetty module does not support client-cert authentication
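The login module sketched in the comment above, written here as an added example that is not Geronimo's code: it performs no authentication of its own, reads the already-verified X.509 subject DN through a NameCallback, and in commit() installs principals for recognized users only. The "users" option format and the GroupPrincipal class are assumptions made for this example.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;
/** Example only: maps an identity the container already verified (the X.509 subject DN
 *  delivered via NameCallback) to principals. It does not authenticate anything itself. */
public class ExternalIdentityLoginModule implements LoginModule {
    /** Group principal assumed for this example; Geronimo's own principal classes are not used. */
    public record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    private Subject subject;
    private CallbackHandler handler;
    // Known DN -> group names, keyed by X500Principal so DN spelling variants compare canonically.
    private final Map<X500Principal, List<String>> known = new HashMap<>();
    private final Set<Principal> added = new HashSet<>();
    private X500Principal identity;
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
        // Option format assumed here: users = "CN=alice,O=Example:admin,users;CN=bob,O=Example:users"
        for (String entry : String.valueOf(options.getOrDefault("users", "")).split(";")) {
            if (!entry.contains(":")) continue;               // skip empty or malformed entries
            String[] kv = entry.split(":", 2);
            known.put(new X500Principal(kv[0].trim()), Arrays.asList(kv[1].split(",")));
        }
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("dn");           // the container supplies the DN, not the cert
        try {
            handler.handle(new Callback[] { nc });
            identity = new X500Principal(nc.getName());     // also rejects a null or unparsable DN
        } catch (Exception e) {
            throw new LoginException("no usable identity supplied: " + e);
        }
        // Fail closed: an unrecognized DN is a failed login, not an authenticated but empty Subject.
        if (!known.containsKey(identity)) throw new FailedLoginException("unrecognized identity " + identity);
        return true;
    }
    public boolean commit() {
        if (identity == null) return false;
        added.add(identity);                                // the user's own principal
        for (String g : known.get(identity)) added.add(new GroupPrincipal(g.trim()));
        subject.getPrincipals().addAll(added);
        return true;
    }
    public boolean abort() { identity = null; added.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
}
```

Because this module trusts whatever name the callback hands it, it is only safe behind a front end (SSL client-cert verification, or an external provider such as OpenID) that has already established that identity.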
