Thanks for the reply. I have a few comments on your reply.

Usually the certificate received at the server side has at least 2 certificates - one is a public key of the client and the rest are "n" trusted entries (in my case it is 1). As you have mentioned the getRequest() method, where do you access it: in a resource or in an application class? I am intercepting the requests in an application class (which extends from JaxRsApplication), whereby I am overriding the handle(req,res) method and getting the desired attributes. Is the following what you were referring to?

    public class MyJaxRsApplication extends JaxRsApplication {

        @Override
        public void handle(Request request, Response response) {
            Map<String, Object> map = request.getAttributes();

            @SuppressWarnings("unchecked")
            List<X509Certificate> lst =
                (List<X509Certificate>) map.get("org.restlet.https.clientCertificates");
            // however the first item in the above list is the user's public key
            // here, delegation to the authorization PEP, PAP and PIP will be made
        }
        ..
    }

Many thanks
Daku

--
View this message in context: http://restlet-discuss.1400322.n2.nabble.com/fine-grained-authorization-based-on-DN-X-509-tp6444949p6448938.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759531
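
One way the DN-based decision that the handler above delegates could look, added here as an illustration; it is not code from this thread or from Restlet. It uses only JDK classes, and the class name `DnAuthorizer`, the `POLICY` map and the sample DNs are assumptions made for the example.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class DnAuthorizer {
    // Hypothetical policy: OU values allowed to use each HTTP method.
    static final Map<String, Set<String>> POLICY = Map.of(
        "GET", Set.of("Engineering", "Audit"),
        "DELETE", Set.of("Engineering"));

    // In a TLS chain the client's own certificate comes first; issuers follow it.
    static X500Principal leafSubject(List<X509Certificate> chain) {
        if (chain == null || chain.isEmpty()) return null;
        return chain.get(0).getSubjectX500Principal();
    }

    // Parse the DN into RDNs instead of substring matching, so a quoted
    // value such as CN="x,OU=Engineering" cannot pose as an OU attribute.
    static boolean isAllowed(X500Principal subject, String method) {
        if (subject == null) return false; // no client certificate: deny
        Set<String> allowedOus = POLICY.getOrDefault(method, Set.of());
        try {
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            for (Rdn rdn : dn.getRdns()) {
                if ("OU".equalsIgnoreCase(rdn.getType())
                        && allowedOus.contains(String.valueOf(rdn.getValue()))) {
                    return true;
                }
            }
        } catch (InvalidNameException e) {
            return false; // unparsable DN: deny
        }
        return false; // no matching OU, or method not in the policy
    }

    public static void main(String[] args) {
        // Constructed subjects standing in for leafSubject(chain) results.
        X500Principal dev = new X500Principal("CN=alice,OU=Engineering,O=Example");
        X500Principal tricky =
            new X500Principal("CN=\"x,OU=Engineering\",OU=Guests,O=Example");
        System.out.println("dev DELETE:    " + isAllowed(dev, "DELETE"));
        System.out.println("tricky DELETE: " + isAllowed(tricky, "DELETE"));
        System.out.println("dev PUT:       " + isAllowed(dev, "PUT"));
    }
}
```

In the `handle` override, the list read from `org.restlet.https.clientCertificates` would be passed to `leafSubject`, and the result together with the request method to `isAllowed`.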