Of course JRun supports client-side certificates. It's part of the Servlet spec.

You have to enable your server for SSL and to also require client certificates. Then the certificate information is available to JRun servlets. HOWEVER, exactly what is available depends on the server that you use. For Netscape, for example, you can use the certificate factory to actually get the client's certificate. For others, they are in environment variables that are generally NOT listed in the environment variable enumerations. So you write a small perl script to list them all. Then, if you know what they are, you can get them in your servlets and do your own secure access control with NO cookies and NO URL rewriting.

I wrapped a perl electronic Lab Notebook in a JRun 3-based servlet to enable full PKI authentication and authorization. It all works best if you have your own CA, because you can untrust all other CAs, and then your users will only get presented with a choice of your certificate to use. That is the first big access control hurdle. Then you can easily use any field in the CN for access decisions. Even better, you can add your own custom fields in the certificate for role-based access control decisions.

I attach a recent talk which points out some pitfalls. I STRONGLY recommend NOT using IIS or IE, as they are totally insecure and the users cannot figure out how to protect their certificates with IE. Mozilla does a great job with certificates now.

Jim

-- 
James A. Rome
Oak Ridge National Laboratory
Computer Science and Mathematics Division
Building 3546, MS 6013
Oak Ridge, TN 37831-6013
Phone: (865) 574-1306
E-mail: [EMAIL PROTECTED]
URL: http://www.ornl.gov/~jar

Archives: http://www.mail-archive.com/[email protected]/
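The servlet-side half of what Jim describes (read the container-verified client certificate, accept only your own CA as issuer, then decide on CN fields and a custom role extension), as an added example that is not code from the original post or from JRun. It assumes a Servlet 2.2+ container that publishes the verified chain under the standard `javax.servlet.request.X509Certificate` attribute and a Java 7+ runtime; the CA name, the role extension OID and the `/admin` path rule are hypothetical values chosen for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original post or JRun): access control driven by
 * the client certificate the container already verified during the TLS handshake.
 */
public class CertAccessServlet extends HttpServlet {

    // Standard Servlet-spec attribute: the verified chain, client certificate first.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Hypothetical DN of the site's own CA. Accepting only this issuer is the
    // servlet-side counterpart of "untrust all other CAs" in the browser.
    private static final String TRUSTED_ISSUER = "CN=Example Lab CA,O=Example Lab,C=US";

    // Hypothetical private-arc OID for a custom extension carrying a role string.
    private static final String ROLE_OID = "1.3.6.1.4.1.99999.1.1";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // No client certificate: the listener is not requiring one, or the
            // handshake failed. Refuse instead of falling back to cookies.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        String denied = authorize(chain[0], req.getServletPath());
        if (denied != null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, denied);
            return;
        }
        resp.setContentType("text/plain");
        String cn = rdn(chain[0].getSubjectX500Principal().getName(), "CN");
        resp.getWriter().println("Hello " + cn);
    }

    /** Returns null when access is allowed, otherwise the reason for refusal. */
    static String authorize(X509Certificate client, String path) {
        try {
            client.checkValidity();              // rejects expired / not-yet-valid certs
        } catch (CertificateException e) {
            return "certificate outside its validity period";
        }
        if (!sameDn(client.getIssuerX500Principal().getName(), TRUSTED_ISSUER)) {
            return "certificate not issued by our CA";
        }
        if (rdn(client.getSubjectX500Principal().getName(), "CN") == null) {
            return "no CN in subject";
        }
        // Role rule (hypothetical): paths under /admin need role "admin" from the
        // custom extension; everything else only needs a certificate from our CA.
        if (path != null && path.startsWith("/admin")) {
            String role = derString(client.getExtensionValue(ROLE_OID));
            if (!"admin".equals(role)) {
                return "admin role required";
            }
        }
        return null;
    }

    /** Case-insensitive DN comparison via RFC 2253 parsing, not string equality. */
    static boolean sameDn(String a, String b) {
        try {
            return new LdapName(a).equals(new LdapName(b));
        } catch (InvalidNameException e) {
            return false;
        }
    }

    /** First value of the given RDN type (e.g. "CN") in an RFC 2253 DN, or null. */
    static String rdn(String dn, String type) {
        try {
            for (Rdn r : new LdapName(dn).getRdns()) {
                if (r.getType().equalsIgnoreCase(type)) {
                    return r.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // unparsable DN: treat as absent
        }
        return null;
    }

    /**
     * Decodes a string-typed extension. getExtensionValue() returns the DER OCTET
     * STRING wrapping the extension value; this simplified decoder accepts only
     * short-form lengths (< 128 bytes) and UTF8String/PrintableString/IA5String.
     */
    static String derString(byte[] der) {
        if (der == null || der.length < 4 || der[0] != 0x04 || (der[1] & 0x80) != 0) {
            return null;
        }
        byte tag = der[2];
        if ((tag != 0x0C && tag != 0x13 && tag != 0x16) || (der[3] & 0x80) != 0) {
            return null;
        }
        int len = der[3] & 0x7F;
        if (4 + len > der.length) return null;
        return new String(der, 4, len, StandardCharsets.UTF_8);
    }
}
```

Two design points worth noting. The issuer check is done with `LdapName` rather than a raw string compare, because containers and JDKs differ in how they render DNs (ordering, spacing, case), and a brittle compare either locks users out or, worse, is bypassed by a different rendering. And the decision rests only on `chain[0]`, which the TLS layer has already verified against the server's trust store; the servlet adds the policy layer on top (issuer pinning, CN presence, role extension) and never consults cookies or URL parameters for identity.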
