Lucas,

(Bringing this back onto the list; apologies for inadvertently replying off-list)

On 4/21/17 12:25 PM, Lucas S. Silva wrote:
> Hi Christopher,
>
> Thanks for the reply.
>
> Yes, the goal is to check the user certificate against some
> configurable OIDs.

If you want to check the user certificate for some OID other than the usual subject DN, you want to use a custom username-retriever on your realm:

http://tomcat.apache.org/tomcat-8.0-doc/config/realm.html

Search for "X509UsernameRetrieverClassName", then write a class that implements that interface. You can return any String value you can pull from the certificate. The OID is up to you.

The authenticator will use the username returned by that class's getUsername(X509Certificate) method against whatever user data store you have configured (e.g. DataSource/JNDI/etc.).

If you want to perform some other kind of authentication (like just verifying that the user's certificate meets some kind of requirement, like the validity period is less than 30 days or whatever), then you only have a few options IMO:

1. Write your own authenticator (I'd recommend subclassing whichever one you like already, and just add your own checks before/after delegating authentication to the superclass).

2. Use a X509UsernameRetriever as above and throw an exception if the certificate doesn't meet your requirements.

3. Write a Filter that takes the client's certificate from the request attributes, checks it, and takes appropriate action (logout? throw an exception? log an error?) if the cert doesn't meet your requirements.

Hope that helps.

-chris

> On 21 April 2017 at 16:02, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Lucas,
>
> On 4/21/17 2:55 AM, Lucas S. Silva wrote:
>> My end goal is to check the certificate's OID. I did some research
>> and I found that in the RealmBase there is a method
>>
>> authenticate(X509Certificate certs)
>>
>> and in the X509Certificate there is
>>
>> public abstract String getSigAlgOID()
>>
>> https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/realm/RealmBase.html#authenticate(java.security.cert.X509Certificate[])
>>
>> I suspect those should help me checking the certificate
>> Assurance Levels?
>
> Are you trying to authenticate a user using a specific OID (which
> one?) in the cert, or are you trying to determine if the
> certificate is an EV certificate specifically?
>
> -chris
>
>> On 20 April 2017 at 19:50, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>
>> Lucas,
>>
>> On 4/20/17 1:12 PM, Lucas S. Silva wrote:
>>> I am trying to implement a custom JNDIRealm that will do
>>> some validations based on the Extended Validation
>>> Certificates like the OID. Is this supported by Tomcat?
>>
>> The term "Extended Validation" has a special meaning when you are
>> talking about X.509 certificates. What do you mean, here,
>> specifically, when you say "Extended Validation Certificates"?
>>
>>> Or I will just get whatever the LDAP server supports? I
>>> could not find which method I would have to overwrite to
>>> get the extended validation certificates:
>>> https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/realm/JNDIRealm.html
>>
>> What, specifically, are you trying to accomplish?
>>
>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
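Option 2 from Christopher's reply, as an added example that is neither his code nor Tomcat's: a hypothetical X509UsernameRetriever that decodes the certificatePolicies extension (OID 2.5.29.32) from the raw DER that X509Certificate.getExtensionValue returns and refuses to return a username unless a placeholder policy OID is present. The class name, the placeholder OID value and the small DER decoder are assumptions; org.apache.catalina.realm.X509UsernameRetriever and its getUsername(X509Certificate) method are the interface the realm documentation linked above names.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.apache.catalina.realm.X509UsernameRetriever;

// Hypothetical retriever (not Tomcat's own code): accept the client cert only if its
// certificatePolicies extension carries the required policy OID, then hand the subject DN to the realm.
public class PolicyCheckingUsernameRetriever implements X509UsernameRetriever {
    static final String REQUIRED_POLICY_OID = "1.2.3.4.5"; // placeholder: your CA's assurance policy OID
    static final String CERT_POLICIES_EXT = "2.5.29.32";   // id-ce-certificatePolicies
    @Override
    public String getUsername(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(CERT_POLICIES_EXT); // DER OCTET STRING, or null if absent
        if (ext == null || !policyOids(ext).contains(REQUIRED_POLICY_OID)) {
            // Option 2 from the reply: reject by throwing instead of returning a username.
            throw new IllegalArgumentException("client cert lacks policy " + REQUIRED_POLICY_OID);
        }
        return cert.getSubjectX500Principal().getName(); // RFC 2253 DN, e.g. CN=alice,O=Example
    }
    // Layout: OCTET STRING { SEQUENCE OF PolicyInformation { policyIdentifier OID, qualifiers... } }
    static List<String> policyOids(byte[] der) {
        List<String> oids = new ArrayList<>();
        int[] outer = tlv(der, 0);          // OCTET STRING wrapper around the extension body
        int[] seq = tlv(der, outer[0]);     // SEQUENCE OF PolicyInformation
        for (int p = seq[0]; p < seq[0] + seq[1]; ) {
            int[] info = tlv(der, p);       // one PolicyInformation SEQUENCE
            int[] oid = tlv(der, info[0]);  // its first element is the policy OID
            oids.add(decodeOid(der, oid[0], oid[1]));
            p = info[0] + info[1];          // skip any policy qualifiers that follow the OID
        }
        return oids;
    }
    // DER tag+length at off (single-byte tag); returns {contentOffset, contentLength}.
    static int[] tlv(byte[] b, int off) {
        int p = off + 1, len = b[p++] & 0xff, n = len > 0x7f ? len & 0x7f : 0; // n > 0: long-form length
        for (len = n > 0 ? 0 : len; n > 0; n--) len = (len << 8) | (b[p++] & 0xff); // accumulate n bytes
        return new int[] {p, len};
    }
    // Decode base-128 OID arcs to dotted form; the first byte packs the first two arcs.
    static String decodeOid(byte[] b, int off, int len) {
        StringBuilder sb = new StringBuilder(); long v = 0;
        for (int i = off; i < off + len; i++) {
            v = (v << 7) | (b[i] & 0x7f);
            if ((b[i] & 0x80) != 0) continue; // continuation bit set: this arc has more bytes
            sb.append(sb.length() == 0 ? (v < 80 ? v / 40 + "." + v % 40 : "2." + (v - 80)) : "." + v);
            v = 0;
        }
        return sb.toString();
    }
}
```

Register it with X509UsernameRetrieverClassName on the Realm element; the realm then looks up the returned DN in whatever user store it is configured against, exactly as the reply describes.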