And that was the wrong link, sorry: http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet.html
On Mon, Jun 6, 2011 at 2:21 PM, Matt Kennedy <[email protected]> wrote:
> Sorry, forgot to include the link:
> http://wiki.restlet.org/docs_1.1/13-restlet/27-restlet/46-restlet.html
>
> On Mon, Jun 6, 2011 at 2:20 PM, Matt Kennedy <[email protected]> wrote:
>
>> There are two steps here, authenticating the client cert, and authorizing
>> the user, which correspond to the org.restlet.routing.filter.Authenticator
>> and org.restlet.routing.filter.Authorizer classes. These sit in front of the
>> resource you are controlling access to. In the case of client
>> certificates, the authenticator is really merely checking for the existence
>> of client certs available on the connection; the SSL layer has already
>> "verified" them and stashed them where Restlet can access them, which is:
>> getRequest().getAttributes().get("org.restlet.https.clientCertificates"),
>> which gives you a list (usually of length 1) of
>> java.security.cert.X509Certificate objects, I think.
>>
>> You can use that to get the DN, and then I would put that in a field of
>> the Restlet User object or a custom subclass thereof. Then when it gets to
>> your authorizer, you use the DN you pulled off the cert to query an LDAP to
>> determine if the user can do what they are attempting or not.
>>
>> This is a good place to start research. I could have sworn that at one
>> point Bruno Harbulot had posted a patch for a ClientCertAuthenticator.java
>> to the issue tracker, but I have no clue what happened to it.
>>
>> -Matt
>>
>> On Mon, Jun 6, 2011 at 8:44 AM, lambda daku <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have a Restlet application running on Jetty using HTTPS (with client-side
>>> authn). The required behavior is to intercept the client request and
>>> extract the DN on the server side (in-bound), on which the authorization
>>> will take place, whereby the DN/X.509 would be matched against some
>>> external entity (LDAP) where the DN/X.509 certs are stored.
>>>
>>> Is there any standard way to add interceptors on the client as well as on
>>> the server side to authorize the user based on a particular DN/X.509 or
>>> any other credential?
>>>
>>> Thanks
>>> Daku
>>>
>>> ------------------------------------------------------
>>> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759025
>
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759112
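The two filters Matt describes, written out as an added example; this is not code from the thread or from the Restlet project. It assumes the Restlet 2.0 class names org.restlet.security.Authenticator, Authorizer and User, and that the HTTPS connector stores the TLS-verified chain under the request attribute "org.restlet.https.clientCertificates" as a List of X509Certificate, as the thread says. The LDAP directory is replaced by a constructed in-memory map keyed by DN so the code runs offline; the DNs in it are made up.

```java
// Added example, not from the mailing-list thread or the Restlet project.
// Assumes Restlet 2.0 (org.restlet.security.*) and the attribute name
// "org.restlet.https.clientCertificates" holding a List<X509Certificate>.
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.security.auth.x500.X500Principal;

import org.restlet.Application;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.MediaType;
import org.restlet.security.Authenticator;
import org.restlet.security.Authorizer;
import org.restlet.security.User;

/** Step 1: turn the TLS-verified client certificate into a Restlet User whose identifier is the subject DN. */
class ClientCertAuthenticator extends Authenticator {
    static final String CERT_ATTRIBUTE = "org.restlet.https.clientCertificates";

    ClientCertAuthenticator(Context context) {
        super(context); // not optional: a request with no client cert gets 401 from the base class
    }

    @Override
    @SuppressWarnings("unchecked")
    protected boolean authenticate(Request request, Response response) {
        Object certs = request.getAttributes().get(CERT_ATTRIBUTE);
        if (!(certs instanceof List) || ((List<?>) certs).isEmpty()) {
            return false; // the TLS layer presented no verified client certificate
        }
        // Element 0 is the end-entity certificate; any further elements are the chain.
        X509Certificate leaf = ((List<X509Certificate>) certs).get(0);
        // RFC 2253 canonical form, so the same subject always yields the same string
        // regardless of how the CA encoded it (toString() makes no such guarantee).
        String dn = leaf.getSubjectX500Principal().getName(X500Principal.RFC2253);
        request.getClientInfo().setUser(new User(dn));
        return true; // base class then marks ClientInfo as authenticated
    }
}

/** Step 2: decide whether the authenticated DN may reach the protected resource. */
class DnAuthorizer extends Authorizer {
    // Stands in for the LDAP directory: DN -> roles. Constructed sample data.
    private final Map<String, Set<String>> directory;
    private final String requiredRole;

    DnAuthorizer(Map<String, Set<String>> directory, String requiredRole) {
        this.directory = directory;
        this.requiredRole = requiredRole;
    }

    @Override
    protected boolean authorize(Request request, Response response) {
        User user = request.getClientInfo().getUser();
        if (user == null || !request.getClientInfo().isAuthenticated()) {
            return false; // never authorize an anonymous request; base class answers 403
        }
        // Exact-match lookup keyed by the DN. No LDAP search filter is built from the
        // subject string, so nothing a CA put in a certificate can alter the query.
        Set<String> roles = directory.getOrDefault(user.getIdentifier(), Collections.<String>emptySet());
        return roles.contains(requiredRole);
    }
}

/** Wiring: authenticator -> authorizer -> resource, returned as the application's inbound root. */
public class CertProtectedApplication extends Application {
    @Override
    public Restlet createInboundRoot() {
        // Constructed sample directory; in production this is the LDAP lookup by DN.
        Map<String, Set<String>> directory = new HashMap<>();
        directory.put("CN=alice,OU=dev,O=Example,C=US", Collections.singleton("admin"));
        directory.put("CN=bob,OU=dev,O=Example,C=US", Collections.singleton("reader"));

        Restlet resource = new Restlet(getContext()) {
            @Override
            public void handle(Request request, Response response) {
                String who = request.getClientInfo().getUser().getIdentifier();
                response.setEntity("hello " + who, MediaType.TEXT_PLAIN);
            }
        };

        Authorizer authorizer = new DnAuthorizer(directory, "admin");
        authorizer.setNext(resource);
        Authenticator authenticator = new ClientCertAuthenticator(getContext());
        authenticator.setNext(authorizer);
        return authenticator; // only "alice" reaches the resource; "bob" gets 403; no cert gets 401
    }
}
```

Two points worth keeping in mind when the map is swapped for a real LDAP call. First, the DN is attacker-influenced only to the extent the issuing CA allows, but it is still a string from the peer: if it ends up inside an LDAP search filter, escape it per RFC 4515 or, better, fetch the entry by DN directly rather than searching for it. Second, the authenticator above deliberately refuses an empty certificate list; passing `optional=true` to the Authenticator constructor would let such requests through to the authorizer, which must then treat them as anonymous, as the `isAuthenticated()` check does.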

