I think it is not a good idea to use the subject of the certificate as
username.

1) You cannot mix form or basic authentication with certificate
authentication. You have to implement a certificate-to-user mapping within
your application.
2) A certificate can change.

This is what my JNDIRealm* classes try to achieve. It makes no difference if
one uses certificates or any other authentication, the username is always
the same. The mapping to the real username is done during authentication,
transparently to the application.

Mario

----- Original Message ----- 
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 21, 2003 9:01 AM
Subject: Re: How to use digital certificates


> Assuming that iPlanet is sending a normal x509 chain, then it should be
> mostly working.  You'll have to make certain that the root-CA is installed
> in cacerts (I'm assuming that you are using JSSE) so that the client-cert
> can be verified.  At least with the Sun JVM, I believe that only Verisign
> and Thwate are installed by default.
>
> Getting the name is a bit more of a problem.  It is usually the CN of the
> Subject, but not always.  If this is the case with your certs, then you'll
> need a custom Realm that extracts the CN and validates the user (MemoryRealm
> uses the full Subject as the user-name).
>
> "appa rao" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Thanks for the reply..
> > let me clearly tell you the problem..
> > we use certificates generated by iPlanet Certificate Server. All the
> > client (user) certificates are on a swipe card which are read by a Gemplus
> > card reader using the USB port.... The problem is when the user swipes it,
> > the user should automatically be authenticated.. (currently we have another
> > web application running on iPlanet web server - which picks up the username
> > from the card and authenticates against LDAP).  Is this possible in Tomcat?
> > SSL is working fine - the only problem is authentication..
> >
> > Thanks
> > Appa
> >
> > Bill Barker <[EMAIL PROTECTED]> wrote:
> > Ok, everyone else is signing their replies. I can do that too ;-).
> >
> > Out-of-the-box, TC 4.1.24 has very limited support for x509 auth. Only the
> > (deprecated) MemoryRealm actually supports it. Also, only the Stand-Alone
> > JSSE Connector will correctly retrieve the x509 certs in the current
> > release version (the Jk-Coyote Connector is fixed in the CVS, and the fixes
> > for the Stand-Alone PureTLS Connector will show up before 4.1.25 comes out).
> >
> >
> > "Mario Ivankovits" wrote in message
> > news:[EMAIL PROTECTED]
> > > I have developed a solution, where you can use client-certificates for
> > > user authentication.
> > >
> > > You can find information at
> > > http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831
> > >
> > > Currently an implementation for "Standard LDAP" and "Windows-2000
> > > ActiveDirectory" is available.
> > > Using W2K-AD you might have troubles, since I have tested it only with
> > > two different client-certificates.
> > >
> > > Mainly you have to import the certificate in your LDAP Server, and then
> > > the user-mapping is done by my JNDIRealm* classes.
> > >
> > > Mario
> > >
> > >
> > > ----- Original Message -----
> > > From: "appa rao"
> > > To:
> > > Sent: Friday, June 20, 2003 7:33 AM
> > > Subject: How to use digital certificates
> > >
> > >
> > > > Hi,
> > > >
> > > > Can anyone give me an example of how to use Digital Certificates for
> > > > authentication and authorization in Tomcat? I am struggling to
> > > > understand the concept of certificates and their use in authentication
> > > > and authorization..
> > > > I am using Tomcat - 4.1.24.
> > > >
> > > > Thanks in advance..
> > > >
> > > > appa
> > > >
> > >


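The thread turns on two points: Bill's note that the username is "usually the CN of the Subject, but not always" (MemoryRealm simply uses the whole Subject string), and Mario's argument that the realm should map the presented certificate to a directory account during authentication so the application only ever sees a stable username. The following Python is an added illustration of both, not Mario's JNDIRealm* code and not Tomcat's MemoryRealm. It parses an RFC 2253 subject string (the form a Java realm gets from the client certificate's `X500Principal.getName()`), extracts the CN if there is one, and looks the subject up in a constructed sample directory that stands in for the LDAP entries holding each user's imported certificate. The `DIRECTORY` data, account names and subject DNs are all made up for the example.

```python
"""Map an X.509 subject DN to an application username.

Added illustration for the thread above; not Mario's JNDIRealm* code and
not Tomcat's MemoryRealm.  DIRECTORY is constructed sample data standing in
for the LDAP entries a realm would consult.
"""
from string import hexdigits


def split_dn(dn):
    """Parse an RFC 2253 DN string into a list of (TYPE, value) pairs.

    Handles backslash escapes (\\, \\+ \\" \\\\ ...), \\XX hex-pair escapes
    (decoded as UTF-8 bytes) and legacy double-quoted values.  Multi-valued
    RDNs (a+b) become separate pairs.  Types are upper-cased, values keep
    their case, so "cn=x" and "CN=x" compare equal but "x" and "X" do not.
    """
    pairs, buf, pending = [], [], bytearray()
    in_quotes = False
    i, n = 0, len(dn)

    def flush_hex():
        # Consecutive \XX pairs may form one multi-byte character; decode
        # them together once a non-hex character follows.
        if pending:
            buf.append(pending.decode("utf-8"))
            pending.clear()

    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            if i + 2 < n and dn[i + 1] in hexdigits and dn[i + 2] in hexdigits:
                pending.append(int(dn[i + 1:i + 3], 16))  # \XX hex pair
                i += 3
                continue
            flush_hex()
            buf.append(dn[i + 1])  # escaped special such as \, or \+
            i += 2
            continue
        flush_hex()
        if c == '"':
            in_quotes = not in_quotes  # quoted value: separators are literal
        elif c in ",+" and not in_quotes:
            pairs.append("".join(buf))
            buf.clear()
        else:
            buf.append(c)
        i += 1
    flush_hex()
    pairs.append("".join(buf))

    result = []
    for item in pairs:
        if "=" not in item:
            raise ValueError("malformed RDN: %r" % item)
        attr_type, value = item.split("=", 1)
        result.append((attr_type.strip().upper(), value))
    return result


def extract_cn(subject_dn):
    """Return the first CN of the subject, or None when the subject has no CN
    (Bill's caveat: the name is usually the CN, but not always)."""
    for attr_type, value in split_dn(subject_dn):
        if attr_type == "CN":
            return value
    return None


# Constructed directory: each account lists the subjects of the certificates
# imported for it.  The first user has been issued a second certificate with
# a different OU; Mario's point is that the application still sees "arao".
DIRECTORY = [
    {"uid": "arao", "subjects": [
        "CN=Appa Rao,OU=Users,O=Example Corp,C=IN",   # original card cert
        "CN=Appa Rao,OU=Staff,O=Example Corp,C=IN",   # reissued cert
    ]},
    {"uid": "mivankovits", "subjects": ["CN=Mario Ivankovits,O=Example Corp"]},
]


def map_subject_to_uid(subject_dn, directory=DIRECTORY):
    """Return the uid of the account holding a certificate with this subject,
    or None when no account does (the realm then fails authentication)."""
    wanted = split_dn(subject_dn)
    for entry in directory:
        for stored in entry["subjects"]:
            if split_dn(stored) == wanted:
                return entry["uid"]
    return None


if __name__ == "__main__":
    for dn in ("CN=Appa Rao,OU=Staff,O=Example Corp,C=IN",
               "OU=Smart Card Holders,O=Example Corp"):
        print(dn, "-> CN:", extract_cn(dn), "uid:", map_subject_to_uid(dn))
```

The lookup compares parsed subjects rather than raw strings, so a differently cased attribute type or an escaped comma in the value does not break the match, and an unknown subject yields None instead of a fabricated username. A realm that needs a stricter binding than the subject string can key the directory on the whole DER certificate instead; the mapping step stays the same.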
