The jetty ClientCertAuthenticator has the following code

java.security.cert.X509Certificate[] certs =
    (java.security.cert.X509Certificate[])
    request.getAttribute("javax.servlet.request.X509Certificate");
if (certs==null || certs.length==0 || certs[0]==null)
    return null;

for (int i=0;i<certs.length;i++)
{
    // getSubjectDN() is not guaranteed to be non-null
    Principal principal = certs[i].getSubjectDN();
    UserPrincipal user = realm.authenticate(principal.getName(),
                                            certs[i],
                                            request);
    if (user!=null)
        return user;
}


Thus the DN for the certificate is used as the principal name and
each certificate is tried until one succeeds.

Note there is no requirement on the abstract jetty realm to return a user
with the same principal as passed to realm.authenticate, so the name
can be changed by the realm.

The subject DN is optional, so I think I had better protect this
code from a null pointer. In future I will pass a principal of "clientcert"
if no subjectDN is available (unless you have a better suggestion).

cheers


Dawes, Phil wrote:
> Hi all,
> 
> The AuthenticationManager.isValid(principal,credential) isn't a good fit for
> certificates AFAICS, because you don't know the principal name before you've
> authenticated the credential.
> 
> I am extending the jetty and tomcat bindings to support certificate
> authentication to a JAAS loginmodule, and am having to create a dummy
> principal to hack round this.
> 
> This works, but getting the principal name out of the httprequest object
> returns a dummy name (I'm using cert serial and issuer).
> 
> I was wondering:
> 
> 1) Is there a better way of doing this?
>      (e.g. should I be using JAAS directly rather than the jboss security
> interfaces)
> 
> 2) Is the AuthenticationManager interface going to change in the near future
> to accommodate certs etc..?
> 
> Cheers,
> 
> Phil
> 



-- 
Greg Wilkins<[EMAIL PROTECTED]>             Phone/fax: +44 7092063462
Mort Bay Consulting Australia and UK.          http://www.mortbay.com
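As an added example (not Jetty's or JBoss's own code), the principal-naming logic discussed above with the null guards Greg mentions: the Realm interface is a hypothetical stand-in for realm.authenticate(name, cert, request), the "clientcert" fallback follows Greg's proposal, and issuerSerialName follows Phil's issuer-plus-serial dummy name.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

public final class ClientCertNaming {

    /** Fallback name Greg proposes for certificates with no subject DN. */
    public static final String NO_SUBJECT_NAME = "clientcert";

    /** Hypothetical stand-in for Jetty's realm.authenticate(name, cert, request). */
    public interface Realm {
        Principal authenticate(String name, X509Certificate cert);
    }

    /** Subject DN in RFC 2253 form, or "clientcert" when the subject is absent or empty. */
    public static String subjectName(X509Certificate cert) {
        X500Principal subject = cert.getSubjectX500Principal();
        if (subject == null) return NO_SUBJECT_NAME;
        // X.509 allows an empty subject (the identity then lives in subjectAltName);
        // the JDK reports that as "" rather than null, so test both.
        String dn = subject.getName(X500Principal.RFC2253);
        return dn.isEmpty() ? NO_SUBJECT_NAME : dn;
    }

    /** Issuer DN plus serial number: the dummy name Phil's binding derives. */
    public static String issuerSerialName(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName(X500Principal.RFC2253)
                + " serial=" + cert.getSerialNumber().toString(16);
    }

    /** The ClientCertAuthenticator loop with the missing null guards added. */
    public static Principal authenticateChain(Realm realm, X509Certificate[] certs) {
        if (certs == null || certs.length == 0) return null;
        for (X509Certificate cert : certs) {
            if (cert == null) continue;          // skip a null entry instead of throwing
            Principal user = realm.authenticate(subjectName(cert), cert);
            // The realm may hand back a different name than the DN it was given,
            // so authorization must key on user.getName(), not on the DN.
            if (user != null) return user;
        }
        return null;
    }
}
```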


