Thanks, Niklas. Unfortunately we cannot control the clients. We were told that the clients are built to never send PASS command and expect either a 2XX reply on the USER command or 5XX reply. In other words, the server should perform the authentication soon after it receives the USER command (if the client was authenticated with digital certificates), and send a "230 logged in". If the client was not authenticated with digital certificate, then we need to fall back to the regular mode, and send a "331 password required" reply.

I guess I will see if I can poke holes into the code and see if I can get it to work. Would you be willing to consider this as an enhancement and like to have the code submitted?

On Wed, Apr 6, 2011 at 10:52 AM, Niklas Gustavsson <[email protected]> wrote:
> Hi
>
> My suggestion would be to let the client execute the PASS command with
> any password (blank, fixed, random). Then, implement UserManager and
> perform the certificate check in the authenticate() method. The
> certificate chain is included in the UsernamePasswordAuthentication
> object.
>
> We actually supported this out of the box with FtpServer at one time,
> but decided to remove it due to lack of a spec.
>
> /niklas
>
> On Tue, Apr 5, 2011 at 11:27 PM, Sai Pullabhotla
> <[email protected]> wrote:
>> Dear Developers,
>>
>> I'm trying to make the FTPS authentication work without requiring a
>> password from the FTP clients. I was hoping to get the authentication
>> done with just user name and a client certificate. I thought maybe I
>> could intercept the "before USER" command in an Ftplet, check the user
>> name, and the certificate, and if the certificate belongs to the user
>> (based on our internal database), update the FtpSession to set "login
>> completed".
>>
>> So, I tried to use
>> FtpSession.setAttribute("org.apache.ftpserver.user", "MyUser").
>>
>> The above call fails with IllegalArgumentException from
>> DefaultFtpSession.setAttribute(String, Object) method. It basically
>> does not allow manipulating the internal session attributes.
>>
>> So, is there another way to accomplish what I need? In essence, the
>> FTP clients would connect (with a client certificate), and send the
>> USER command. They will never send the PASS command. As soon as I
>> receive the USER command, I should be able to determine if the user
>> should be considered logged in based on their user name and
>> certificate.
>>
>> I appreciate any help you could provide on this.
>>
>> Regards,
>> Sai Pullabhotla
>>
>
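Niklas's suggestion worked through as an added example (not code from this thread or from the FtpServer project): a delegating UserManager whose authenticate() checks the TLS client certificate before falling back to the wrapped manager's password check. It assumes the FtpServer 1.0.x API where the chain is reachable through UsernamePasswordAuthentication.getUserMetadata().getCertificateChain(), and a constructed map of username to pinned SHA-256 fingerprint of the DER-encoded leaf certificate; CertPinningUserManager and pinnedSha256 are names chosen here.

```java
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.Map;
import org.apache.ftpserver.ftplet.*;
import org.apache.ftpserver.usermanager.*;

/** Wraps an existing UserManager: a TLS client cert pinned to the named user logs in regardless of
 *  the PASS value; otherwise the wrapped manager's password check runs (the "331" path). */
public class CertPinningUserManager implements UserManager {
    private final UserManager delegate;             // e.g. PropertiesUserManager (assumed wiring)
    private final Map<String, byte[]> pinnedSha256; // constructed: username -> SHA-256 of DER leaf cert

    public CertPinningUserManager(UserManager delegate, Map<String, byte[]> pinnedSha256) {
        this.delegate = delegate;
        this.pinnedSha256 = pinnedSha256;
    }

    @Override
    public User authenticate(Authentication auth) throws AuthenticationFailedException {
        if (auth instanceof UsernamePasswordAuthentication) {
            UsernamePasswordAuthentication upa = (UsernamePasswordAuthentication) auth;
            UserMetadata meta = upa.getUserMetadata();
            Certificate[] chain = (meta == null) ? null : meta.getCertificateChain();
            byte[] expected = pinnedSha256.get(upa.getUsername());
            if (expected != null && chain != null && chain.length > 0 && chain[0] instanceof X509Certificate) {
                try {
                    X509Certificate leaf = (X509Certificate) chain[0];
                    leaf.checkValidity(); // expired or not-yet-valid certs never count as a login
                    byte[] actual = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
                    User user = delegate.getUserByName(upa.getUsername());
                    // constant-time compare against the pinned fingerprint; the PASS value is ignored
                    if (user != null && MessageDigest.isEqual(expected, actual)) return user;
                } catch (Exception e) {
                    // any failure on the certificate path falls through to the password check
                }
            }
        }
        return delegate.authenticate(auth);
    }

    public User getUserByName(String n) throws FtpException { return delegate.getUserByName(n); }
    public String[] getAllUserNames() throws FtpException { return delegate.getAllUserNames(); }
    public void delete(String n) throws FtpException { delegate.delete(n); }
    public void save(User u) throws FtpException { delegate.save(u); }
    public boolean doesExist(String n) throws FtpException { return delegate.doesExist(n); }
    public String getAdminName() throws FtpException { return delegate.getAdminName(); }
    public boolean isAdmin(String n) throws FtpException { return delegate.isAdmin(n); }
}
```

As Niklas notes, authenticate() only runs once the client sends PASS, so this gives certificate-only login but not the "230 on USER" behaviour the clients in this thread require.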
