That's great! If it contains the client IP and certificate chain, then it certainly should meet my needs. The certificate DN matching also sounds very useful, but for now, I can just check the certificate information for the matching that I need. One thing that I've been struggling with, though, is getting the SSL Socket Factory to include the use of a CRL file in the trust manager. It works OK when the server socket initializes, but I have not been able to refresh the CRL data dynamically. If you have any ideas about that or think it's a worthwhile addition, I can add it as an enhancement request.

Thanks for your efforts!

Gary
________________________________
From: news on behalf of Niklas Gustavsson
Sent: Thu 12/21/2006 11:49 AM
To: [email protected]
Subject: Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Niklas Gustavsson wrote:
> I'm currently looking into this request. If I understand your
> requirements correctly you would like to have the peer certificate chain
> available when the user logs in using the regular USER/PASS commands?
> I've refactored the UserManager interface to allow for a more general
> Authentication, writing one that includes the cert chain would be simple.

This is now implemented. During authentication the user manager now gets metadata about the user (currently the remote IP address and the certificate chain, if existing). A user manager can then use these to make a more informed decision on authentication. Right now the default user managers ignore this data; if someone wants some control in there by default, I'll be happy to look into it.

I might also add a control for matching the certificate DN with a DN pattern configured for the user. Would this be of interest?

Gary, I hope this is enough for your needs. If not, feel free to bug me about it :-)

/niklas
