Sorry, forgot to include the link: http://wiki.restlet.org/docs_1.1/13-restlet/27-restlet/46-restlet.html
On Mon, Jun 6, 2011 at 2:20 PM, Matt Kennedy <[email protected]> wrote:
> There are two steps here, authenticating the client cert, and authorizing
> the user, which correspond to the org.restlet.routing.filter.Authenticator
> and org.restlet.routing.filter.Authorizer classes. These sit in front of the
> resource you are controlling access to. In the case of client
> certificates, the authenticator is really merely checking for the existence
> of client certs available on the connection; the SSL layer has already
> "verified" them and stashed them where Restlet can access them, which is:
> getRequest().getAttributes().get("org.restlet.https.clientCertificates"),
> which gives you a list (usually of length 1) of
> java.security.cert.X509Certificate objects, I think.
>
> You can use that to get the DN, and then I would put that in a field of the
> Restlet User object or a custom subclass thereof. Then when it gets to your
> authorizer, you use the DN you pulled off the cert to query an LDAP to
> determine if the user can do what they are attempting or not.
>
> This is a good place to start research. I could have sworn that at one
> point Bruno Harbulot had posted a patch for a ClientCertAuthenticator.java
> to the issue tracker, but I have no clue what happened to it.
>
> -Matt
>
> On Mon, Jun 6, 2011 at 8:44 AM, lambda daku <[email protected]> wrote:
>
>> Hi,
>>
>> I have a Restlet application running on Jetty using https (with client
>> side authn). The required behavior is to intercept the client request and
>> extract the DN on the server side (in-bound), on which the authorization
>> will take place, whereby the DN/X.509 would be matched against some
>> external entity (LDAP) where the DN/X.509 certs are stored.
>>
>> Is there any standard way to add interceptors on the client as well as on
>> the server side to authorize the user based on a particular DN/X.509 or
>> any other credential?
>>
>> Thanks
>> Daku
>>
>> --
>> View this message in context:
>> http://restlet-discuss.1400322.n2.nabble.com/fine-grained-authorization-based-on-DN-X-509-tp6444949p6444949.html
>> Sent from the Restlet Discuss mailing list archive at Nabble.com.
>>
>> ------------------------------------------------------
>> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759025
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759111
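The authenticator/authorizer pair Matt describes, written out as an added example that is not part of the thread or of Restlet's own code. It assumes the Restlet 2.x API (org.restlet.security.Authenticator, Authorizer and User), the request attribute name quoted above, and placeholder values for the LDAP URL and the group DN; the class names ClientCertAuthenticator and LdapDnAuthorizer are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.*;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.security.*;

/** Step 1: take the TLS-verified client cert off the connection and bind its subject DN to the User. */
public class ClientCertAuthenticator extends Authenticator {
    static final String CERT_ATTR = "org.restlet.https.clientCertificates"; // attribute named in the thread
    public ClientCertAuthenticator(Context context) { super(context); }
    @Override
    protected boolean authenticate(Request request, Response response) {
        Object certs = request.getAttributes().get(CERT_ATTR);
        if (!(certs instanceof List) || ((List<?>) certs).isEmpty()) return false; // no cert: fail closed
        // Assumption: the end-entity cert is first, as in SSLSession.getPeerCertificates()
        X509Certificate leaf = (X509Certificate) ((List<?>) certs).get(0);
        String dn = leaf.getSubjectX500Principal().getName(); // RFC 2253 form, stable for lookups
        request.getClientInfo().setUser(new User(dn));
        return true;
    }
}

/** Step 2: let the request through only if that DN is a member of the required LDAP group. */
class LdapDnAuthorizer extends Authorizer {
    static final String LDAP_URL = "ldap://ldap.example.internal:389";              // placeholder
    static final String GROUP_DN = "cn=api-users,ou=groups,dc=example,dc=internal"; // placeholder
    @Override
    protected boolean authorize(Request request, Response response) {
        User user = request.getClientInfo().getUser();
        return user != null && isMember(GROUP_DN, user.getIdentifier());
    }
    static boolean isMember(String groupDn, String memberDn) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(javax.naming.Context.PROVIDER_URL, LDAP_URL);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE); // test the group entry itself
        try {
            DirContext ctx = new InitialDirContext(env);
            try { // {0} is escaped by JNDI, so a crafted DN cannot rewrite the filter (no LDAP injection)
                return ctx.search(groupDn, "(member={0})", new Object[] {memberDn}, sc).hasMore();
            } finally { ctx.close(); }
        } catch (NamingException e) {
            return false; // directory error: fail closed
        }
    }
}
```

Chain them in front of the protected resource with authenticator.setNext(authorizer) and authorizer.setNext(resourceClass), so a request with no valid client cert never reaches the directory lookup.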

