Why? The login module can use ldap to make sure the certificate is
correctly associated with the user and retrieve the roles at the same time.


On Thu, Mar 7, 2013 at 11:40 AM, Christian Schneider <
ch...@die-schneider.net> wrote:

> Validation in JAAS makes sense. Still we would then need to contact ldap
> to get the roles. So we would still have to turn off validation in the ldap
> part.
>
> Christian
>
>
> On 07.03.2013 11:25, Guillaume Nodet wrote:
>
>> Is that a limitation of wss4j?
>> I see spring-ws can do it (or I suppose, see
>> https://src.springframework.org/svn/spring-ws/tags/spring-ws-1.0.0/security/src/main/java/org/springframework/ws/soap/security/xwss/callback/jaas/JaasCertificateValidationCallbackHandler.java
>> ).
>> Maybe they reimplemented the whole thing ...
>>
>> Anyway, if that's a limitation of wss4j, I would suggest re-doing the
>> certificate validation in jaas (and implement correct certificate login
>> modules) until this can be made pluggable in wss4j.
>>
>>
>> On Thu, Mar 7, 2013 at 10:48 AM, Christian Schneider <
>> ch...@die-schneider.net> wrote:
>>
>>> In certificate based authentication this will be connecting the
>>> certificate to a certain user identity.
>>> This is also an open point in our project. We currently map the subject DN
>>> of the user cert 1:1 to the DN of the user in LDAP but in general
>>> I think we will need to provide a mapping here.
>>>
>>> So I think the process is like that:
>>> 1. User sends certificate + proof of possession to STS
>>> 2. WS-Security validates the certificate and the proof of possession. The
>>> result is an authenticated Principal that contains the subjectDN of the cert
>>> 3. We then have to map the subjectDN to an ldap search to find the user
>>> 4. Then we retrieve the roles of the user
>>>
>>> Honestly I would prefer to do steps 2-4 in JAAS but the way cert based
>>> auth in STS currently works step 2 is done by WS-Security before we have
>>> the chance to tap into it using jaas.
>>>
>>> Christian
>>>
>>>
>>> On 07.03.2013 10:33, Guillaume Nodet wrote:
>>>
>>>> I think there are two different things, verifying the credentials'
>>>> validity and authenticating the user.
>>>> The first one can be done by ws-security but the second one should be
>>>> done by jaas.
>>>> Though it can be just verifying the mapping between the given credential
>>>> and the user.
>>>>
>>>> For public key authentication used by SSH, that's what we do.  The key is
>>>> verified by SSH, and once the public key is verified, we simply
>>>> authenticate the user by verifying that the public key has been configured
>>>> for the user.
>>>>
>>>> I wonder if we could do the same for WS-security.  The ws-sec layer would
>>>> verify the credentials (checking trust), and delegate to jaas the
>>>> association of the credential with the user (and retrieve associated roles
>>>> at the same time).
>>>> So I think, what we need is a new LDAPLoginModule (and maybe another one
>>>> for non ldap env) that could verify that the given credential is
>>>> associated with the user.
>>>>
>>>>
>>>>
>>>>  --
>>> Christian Schneider
>>> http://www.liquid-reality.de
>>>
>>> Open Source Architect
>>> http://www.talend.com
>>>
>>>
>>>
>>
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> http://www.talend.com
>
>


-- 
------------------------
Guillaume Nodet
------------------------
Red Hat, Open Source Integration

Email: gno...@redhat.com
Web: http://fusesource.com
Blog: http://gnodet.blogspot.com/
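An added example (not code from CXF, WSS4J, Karaf or spring-ws) of the login module this thread converges on: WS-Security has already done step 2 (chain and proof of possession), and JAAS does steps 3 and 4 plus Guillaume's SSH-style check that the presented credential is the one registered for the user. It is written in Java because that is the language of the projects discussed. Everything not named in the thread is an assumption of the example: the `ValidatedCertificateCallback` by which the WS-Security layer hands over the already-validated certificate, the option names (`user.base.dn`, `user.filter`, `user.rdn.attribute`, `role.base.dn`, `role.filter`, `role.name.attribute`, `connection.url`, `connection.username`, `connection.password`), the `userCertificate;binary` attribute as the place where a user's certificate is registered, and the `RolePrincipal` class.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

// Steps 3 and 4 only: WS-Security has ALREADY validated the chain and proof of possession before this runs.
// Binds with a service account, never as the user, so the directory's password check plays no part.
// The option names and the callback class below are assumptions of this example.
public class CertificateLdapLoginModule implements LoginModule {
    /** Assumed callback carrying the certificate WS-Security has validated. */
    public static final class ValidatedCertificateCallback implements Callback { public X509Certificate certificate; }
    /** Minimal role principal, so the example does not depend on Karaf's classes. */
    public static final class RolePrincipal implements Principal {
        private final String name; public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    private static final String CERT_ATTR = "userCertificate;binary";
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private X500Principal user;
    private final List<RolePrincipal> roles = new ArrayList<>();

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> o) {
        subject = s; handler = h; options = o;
    }

    @Override public boolean login() throws LoginException {
        ValidatedCertificateCallback cb = new ValidatedCertificateCallback();
        try { handler.handle(new Callback[]{cb}); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no certificate callback: " + e); }
        X509Certificate cert = cb.certificate;
        if (cert == null) throw new LoginException("no validated certificate supplied");
        DirContext ctx = connect();
        try {
            // Step 3: map ONE configured RDN of the subject DN (e.g. cn) to a user entry. The value goes in as a
            // JNDI filter *argument*, so it is escaped per RFC 4515: CN=*)(objectClass=* cannot widen the search.
            String key = rdnValue(cert.getSubjectX500Principal(), opt("user.rdn.attribute"));
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[]{CERT_ATTR});
            NamingEnumeration<SearchResult> hits = ctx.search(opt("user.base.dn"), opt("user.filter"), new Object[]{key}, sc);
            if (!hits.hasMore()) throw new LoginException("no directory user for " + key);
            SearchResult hit = hits.next();
            if (hits.hasMore()) throw new LoginException("subject DN maps to more than one user");
            String userDn = hit.getNameInNamespace();
            // The SSH analogy from the thread: the presented certificate must be the one registered
            // for that user (userCertificate;binary), not merely one whose subject name matches.
            Attribute stored = hit.getAttributes().get(CERT_ATTR);
            if (stored == null) throw new LoginException("no certificate registered for " + userDn);
            boolean registered = false;
            for (NamingEnumeration<?> e = stored.getAll(); e.hasMore(); )
                registered |= Arrays.equals(cert.getEncoded(), (byte[]) e.next());
            if (!registered) throw new LoginException("certificate is not the one registered for " + userDn);
            // Step 4: roles are the entries whose member attribute names the user's DN.
            String roleAttr = opt("role.name.attribute");
            sc.setReturningAttributes(new String[]{roleAttr});
            NamingEnumeration<SearchResult> rs = ctx.search(opt("role.base.dn"), opt("role.filter"), new Object[]{userDn}, sc);
            while (rs.hasMore()) {
                Attribute a = rs.next().getAttributes().get(roleAttr);
                if (a != null) roles.add(new RolePrincipal(a.get().toString()));
            }
            user = cert.getSubjectX500Principal();
            return true;
        } catch (NamingException | CertificateEncodingException e) { throw new LoginException("directory lookup failed: " + e);
        } finally { try { ctx.close(); } catch (NamingException ignored) { } }
    }

    /** Bind with the service account from the options, never as the end user. */
    private DirContext connect() throws LoginException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, opt("connection.url"));
        env.put(Context.SECURITY_PRINCIPAL, opt("connection.username"));
        env.put(Context.SECURITY_CREDENTIALS, opt("connection.password"));
        try { return new InitialDirContext(env); }
        catch (NamingException e) { throw new LoginException("cannot connect to directory: " + e); }
    }
    private static String rdnValue(X500Principal p, String type) throws LoginException {
        try {
            for (Rdn rdn : new LdapName(p.getName()).getRdns())
                if (rdn.getType().equalsIgnoreCase(type)) return rdn.getValue().toString();
        } catch (InvalidNameException e) { throw new LoginException("unparseable subject DN: " + e); }
        throw new LoginException("subject DN has no " + type + " component");
    }
    private String opt(String key) throws LoginException {
        if (options.get(key) == null) throw new LoginException("missing option " + key);
        return options.get(key).toString();
    }
    @Override public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(user); subject.getPrincipals().addAll(roles); return true;
    }
    @Override public boolean abort() { user = null; roles.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(roles); return subject.getPrincipals().remove(user); }
}
```

A typical configuration for the assumed options would be `user.rdn.attribute=cn`, `user.filter=(cn={0})`, `role.filter=(member={0})` and `role.name.attribute=cn`. Two things to keep in mind when adapting it: the module is only safe if it is reachable after WS-Security has validated the certificate, since it never asks the directory to validate anything itself (which is exactly why the password check in the ldap part stays out of the picture); and some servers return the certificate attribute under the id `userCertificate` rather than `userCertificate;binary`, so check what your directory actually sends back before relying on the `CERT_ATTR` lookup.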
