Is that a limitation of wss4j? I see spring-ws can do it (or I suppose, see https://src.springframework.org/svn/spring-ws/tags/spring-ws-1.0.0/security/src/main/java/org/springframework/ws/soap/security/xwss/callback/jaas/JaasCertificateValidationCallbackHandler.java ). Maybe they reimplemented the whole thing ...

Anyway, if that's a limitation of wss4j, I would suggest re-doing the certificate validation in jaas (and implement correct certificate login modules) until this can be made pluggable in wss4j.

On Thu, Mar 7, 2013 at 10:48 AM, Christian Schneider <ch...@die-schneider.net> wrote:

> In certificate based authentication this will be connecting the
> certificate to a certain user identity.
> This is also an open point in our project. We currently map the subject DN
> of the user cert 1:1 to the DN of the user in LDAP but in general
> I think we will need to provide a mapping here.
>
> So I think the process is like that:
> 1. User sends certificate + proof of possession to STS
> 2. WS-Security validates the certificate and the proof of possession. The
>    result is an authenticated Principal that contains the subjectDN of the
>    cert
> 3. We then have to map the subjectDN to an LDAP search to find the user
> 4. Then we retrieve the roles of the user
>
> Honestly I would prefer to do steps 2-4 in JAAS but the way cert based
> auth in STS currently works step 2 is done by WS-Security before we have
> the chance to tap into it using jaas.
>
> Christian
>
>
> On 07.03.2013 10:33, Guillaume Nodet wrote:
>
>> I think there are two different things, verifying the credentials'
>> validity and authenticating the user.
>> The first one can be done by ws-security but the second one should be done
>> by jaas.
>> Though it can be just verifying the mapping between the given credential
>> and the user.
>>
>> For public key authentication used by SSH, that's what we do. The key is
>> verified by SSH, and once the public key is verified, we simply
>> authenticate the user by verifying that the public key has been configured
>> for the user.
>>
>> I wonder if we could do the same for WS-security. The ws-sec layer would
>> verify the credentials (checking trust), and delegate to jaas the
>> association of the credential with the user (and retrieve associated roles
>> at the same time).
>> So I think, what we need is a new LDAPLoginModule (and maybe another one
>> for non ldap env) that could verify that the given credential is
>> associated with the user.
>>
>>
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> http://www.talend.com
>

--
------------------------
Guillaume Nodet
------------------------
Red Hat, Open Source Integration
Email: gno...@reddhat.com
Web: http://fusesource.com
Blog: http://gnodet.blogspot.com/
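The split sketched in this thread (WS-Security checks the certificate and proof of possession, JAAS only decides which user the already-trusted certificate belongs to and which roles that user has, the way SSH checks a key against the user's authorized keys) can be written as a small JAAS LoginModule. The code below is an added example and is not code from the thread, from WSS4J, CXF, Karaf or spring-ws. The CertificateCallback type, the UserDirectory interface, the "directory" module option and the NamedPrincipal type are assumptions made here; the LDAP search of step 3 sits behind UserDirectory so the class runs without a directory. Assumes Java 17.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Hypothetical callback: carries the certificate WS-Security has already trust-checked. */
final class CertificateCallback implements Callback {
    private X509Certificate certificate;
    public X509Certificate getCertificate() { return certificate; }
    public void setCertificate(X509Certificate certificate) { this.certificate = certificate; }
}

/** Result of the directory lookup: the user the certificate is bound to, plus that user's roles. */
record DirectoryUser(String userId, Set<String> roles) {}

/** Assumed stand-in for the LDAP search (step 3); keyed by the subject DN in RFC 2253 canonical form. */
interface UserDirectory {
    Optional<DirectoryUser> findByCertificateSubject(String canonicalDn);
}

/** Minimal principal with a kind ("user" or "role") so both fit in one Subject. */
record NamedPrincipal(String kind, String name) implements Principal {
    @Override public String getName() { return name; }
}

/**
 * Does NOT re-validate the certificate (WS-Security did that); it only answers
 * "is this trusted certificate bound to a known user, and what are the user's roles?"
 */
public final class CertificateMappingLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private UserDirectory directory;
    private DirectoryUser user;
    private final Set<Principal> added = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Assumption: the directory implementation is passed in through the module options.
        this.directory = (UserDirectory) options.get("directory");
    }

    @Override
    public boolean login() throws LoginException {
        CertificateCallback cb = new CertificateCallback();
        try {
            handler.handle(new Callback[] { cb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("certificate callback not available: " + e.getMessage());
        }
        X509Certificate cert = cb.getCertificate();
        if (cert == null) {
            throw new FailedLoginException("no certificate supplied");
        }
        // Compare DNs in canonical form, never as raw strings: "CN=Bob, O=Acme" and
        // "cn=bob,o=acme" name the same subject but differ byte for byte.
        String dn = cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
        user = directory.findByCertificateSubject(dn)
                .orElseThrow(() -> new FailedLoginException("certificate is not bound to any user"));
        return true;
    }

    @Override
    public boolean commit() {
        if (user == null) {
            return false;
        }
        added.add(new NamedPrincipal("user", user.userId()));
        for (String role : user.roles()) {
            added.add(new NamedPrincipal("role", role));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { user = null; return true; }

    @Override public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        return true;
    }

    /** Escape a value (such as the subject DN) before embedding it in an LDAP search filter, per RFC 4515. */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\' -> out.append("\\5c");
                case '*'  -> out.append("\\2a");
                case '('  -> out.append("\\28");
                case ')'  -> out.append("\\29");
                case '\0' -> out.append("\\00");
                default   -> out.append(c);
            }
        }
        return out.toString();
    }
}
```

The CallbackHandler supplied by the WS-Security side is expected to fill CertificateCallback with the certificate it has already validated; an in-memory UserDirectory such as `dn -> dn.equals("cn=bob,o=acme") ? Optional.of(new DirectoryUser("bob", Set.of("admin"))) : Optional.empty()` is enough to exercise the module without a server. An LDAP-backed UserDirectory that builds a search filter from the DN (rather than binding the DN directly, as in the 1:1 mapping Christian describes) must pass the DN through escapeFilterValue first, since a subject DN is attacker-chosen text that only trust-checking has looked at, not a safe filter literal.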