In certificate-based authentication this will be connecting the
certificate to a certain user identity.
This is also an open point in our project. We currently map the subject
DN of the user cert 1:1 to the DN of the user in LDAP but in general
I think we will need to provide a mapping here.
So I think the process is like that:
1. User sends certificate + proof of possession to STS
2. WS-Security validates the certificate and the proof of possession. The
result is an authenticated Principal that contains the subjectDN of the
cert
3. We then have to map the subjectDN to an LDAP search to find the user
4. Then we retrieve the roles of the user
Honestly I would prefer to do steps 2-4 in JAAS but the way cert based
auth in STS currently works step 2 is done by WS-Security before we have
the chance to tap into it using jaas.
Christian
On 07.03.2013 10:33, Guillaume Nodet wrote:
I think there are two different things, verifying the credentials validity
and authenticating the user.
The first one can be done by ws-security but the second one should be done
by jaas.
Though it can be just verifying the mapping between the given credential
and the user.
For public key authentication used by SSH, that's what we do. The key is
verified by SSH, and once the public key is verified, we simply
authenticate the user by verifying that the public key has been configured
for the user.
I wonder if we could do the same for WS-security. The ws-sec layer would
verify the credentials (checking trust), and delegate to jaas the
association of the credential with the user (and retrieve associated roles
at the same time).
So I think, what we need is a new LDAPLoginModule (and maybe another one
for non ldap env) that could verify that the given credential is
associated with the user.
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com
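Steps 3 and 4 of Christian's list (map the subjectDN of an already-verified certificate to an LDAP user, then read that user's roles) as an added, self-contained example. This is not code from the thread, from CXF or from Karaf's LDAPLoginModule: the in-memory directory, the `{"CN": "uid"}` mapping and the sample DNs are constructed for illustration. It shows both the current 1:1 behaviour (`mapping=None`, subject DN must equal the entry DN) and the configurable mapping the thread asks for, and it escapes certificate-supplied values per RFC 4515 before they are placed in a search filter, since a CN is attacker-chosen up to whatever the CA is willing to sign.

```python
"""Map an X.509 subject DN to an LDAP user and collect that user's roles.

Added example, not code from the thread or from CXF/Karaf: the in-memory
directory, the attribute mapping and the sample DNs are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the LDAP server (assumption): entry DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        "memberOf": ["cn=admin,ou=roles,dc=example,dc=com",
                     "cn=user,ou=roles,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"],
        "memberOf": ["cn=user,ou=roles,dc=example,dc=com"],
    },
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (TYPE, value) pairs, decoding backslash
    escapes such as '\\,' and hex pairs such as '\\2c'. Multi-valued RDNs
    ('+') are not handled; attribute types are upper-cased for comparison."""
    rdns: List[Tuple[str, str]] = []
    attr, value, in_value, i = "", bytearray(), False, 0
    while i < len(dn):
        c = dn[i]
        if in_value and c == "\\":
            nxt = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9a-fA-F]{2}", nxt):
                value += bytes.fromhex(nxt)   # hex-escaped byte
                i += 3
            else:
                value += dn[i + 1].encode("utf-8")  # escaped special char
                i += 2
            continue
        if in_value and c == ",":
            rdns.append((attr.strip().upper(), value.decode("utf-8")))
            attr, value, in_value = "", bytearray(), False
        elif in_value:
            value += c.encode("utf-8")
        elif c == "=":
            in_value = True
        else:
            attr += c
        i += 1
    if attr:
        rdns.append((attr.strip().upper(), value.decode("utf-8")))
    return rdns


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a certificate-supplied value cannot change the
    structure of the LDAP filter (e.g. a CN of '*' or 'x)(uid=admin')."""
    special = {0x00, 0x28, 0x29, 0x2A, 0x5C}  # NUL ( ) * \
    return "".join(f"\\{b:02x}" if b in special or b > 0x7F else chr(b)
                   for b in value.encode("utf-8"))


def criteria_to_filter(criteria: List[Tuple[str, str]]) -> str:
    """Render equality criteria as the filter string a real LDAP query would use."""
    clauses = [f"({a}={escape_filter_value(v)})" for a, v in criteria]
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def subject_to_criteria(subject_dn: str,
                        mapping: Dict[str, str]) -> Optional[List[Tuple[str, str]]]:
    """Apply a cert-attribute -> LDAP-attribute mapping (e.g. {'CN': 'uid'}).
    Returns None when a mapped attribute is missing or occurs more than once."""
    rdns = parse_dn(subject_dn)
    criteria: List[Tuple[str, str]] = []
    for cert_attr, ldap_attr in mapping.items():
        vals = [v for t, v in rdns if t == cert_attr.upper()]
        if len(vals) != 1:
            return None
        criteria.append((ldap_attr, vals[0]))
    return criteria


def search(directory: Dict[str, Dict[str, List[str]]],
           criteria: List[Tuple[str, str]]) -> List[str]:
    """Equality search over the in-memory directory (exact values)."""
    return [dn for dn, attrs in directory.items()
            if all(v in attrs.get(a, []) for a, v in criteria)]


def authenticate(subject_dn: str, mapping: Optional[Dict[str, str]],
                 directory: Dict[str, Dict[str, List[str]]] = DIRECTORY
                 ) -> Optional[Tuple[str, List[str]]]:
    """Resolve an already-verified subject DN to exactly one user entry and
    return (user DN, role names). mapping=None is the 1:1 behaviour: the
    subject DN must equal the entry DN. Anything but one match fails closed."""
    if mapping is None:
        matches = [dn for dn in directory if parse_dn(dn) == parse_dn(subject_dn)]
    else:
        criteria = subject_to_criteria(subject_dn, mapping)
        if criteria is None:
            return None
        matches = search(directory, criteria)
    if len(matches) != 1:
        return None
    entry = directory[matches[0]]
    roles = [parse_dn(group)[0][1] for group in entry.get("memberOf", [])]
    return matches[0], roles


if __name__ == "__main__":
    print(authenticate("CN=alice,OU=Users,O=Example", {"CN": "uid"}))
    print(criteria_to_filter([("uid", "*)(uid=admin")]))
```

In a JAAS login module the same shape applies: the Principal handed over by WS-Security supplies `subject_dn`, the module's options supply `mapping`, and `search` becomes the real LDAP query built from `criteria_to_filter`. Requiring exactly one match matters: a mapping that is too loose (for example on an attribute several users share) would otherwise silently log the caller in as the first hit.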