Hi Greg, Hi Scott,

Thanks for your replies.

Unfortunately, unlike Jetty, JbossSX does require that the principal be the
same for each subsequent call into the security layer after the initial
auth, since JaasSecurityManager caches the subject information based on
principal. This means AFAIK I can't switch the principal to a different one
after the authenticate. 

<thinks>
Although I suppose Jetty could use a Principal which allowed the name to be
changed retrospectively without changing the hashcode - would this work?
</thinks>


I ought to elaborate - the real problem for me is not thinking of a name for
a dummy principal to use. The real problem is that after authentication, the
application writers will want to get more information about the user other
than just the principal name. In order to do this we have a service which
returns information about the user when passed the authenticated principal.
This means that the principal name needs to be something sensible (currently
UserID in our weblogic setup).

Weblogic has an api (like jetty's) which allows the principal to be created
after the authentication, thus allowing the realm to dictate what the
authenticated principal name is. 

How does this sound as a solution:

- jetty ClientCertAuthenticator uses subjectDN, or failing that,
CertSerial&Issuer as the username (not important really)

- The Jetty JbossUserRealm creates a principal which can have its name
changed without changing the object hashcode.

- Realm calls isValid(principal, cert)

- Home baked JAAS LoginModule authenticates certificate, and populates
active subject on commit.

- Realm then sets the principal name to be that of the first principal in
the active subject.

This means that the author of the JAAS login module can dictate the name of
the principal after the authentication has taken place, and the Jetty
JbossUserRealm is still pretty generic.

Does this sound reasonable? 

Cheers,

Phil
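The five-step proposal above turns on one property: a principal whose name can be changed after the LoginModule commits, but whose hashCode (and equals) do not move, so that a subject cache keyed on the principal still finds its entry. The sketch below is an added example, not Jetty or JBoss code; `RenamablePrincipal`, `RenamablePrincipalDemo`, the `subjectCache` map standing in for a principal-keyed cache, and the certificate field values are all constructed for illustration. The provisional name follows the quoted ClientCertAuthenticator code further down (subject DN first, issuer plus serial as the fallback), and the identity key is the issuer plus serial, which is known before the credential is verified.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

/**
 * Principal whose name can be replaced after authentication while
 * equals()/hashCode() stay bound to an identity key that is already known
 * before the credential is verified (here: certificate issuer + serial).
 * A cache keyed on the principal therefore still finds its entry after the
 * realm renames the principal. Illustrative class, not Jetty or JBoss code.
 */
final class RenamablePrincipal implements Principal {
    private final String identityKey;  // fixed for the life of the principal
    private volatile String name;      // provisional at first, real name after login

    RenamablePrincipal(String identityKey, String provisionalName) {
        if (identityKey == null || identityKey.length() == 0) {
            throw new IllegalArgumentException("identityKey must not be empty");
        }
        this.identityKey = identityKey;
        this.name = provisionalName;
    }

    public String getName() { return name; }

    /** Called by the realm once the LoginModule has committed the subject. */
    void rename(String newName) {
        if (newName == null || newName.length() == 0) {
            throw new IllegalArgumentException("newName must not be empty");
        }
        this.name = newName;
    }

    // Identity is the certificate key, never the mutable name: a HashMap
    // checks both hashCode and equals, so both must ignore the name.
    public boolean equals(Object other) {
        return other instanceof RenamablePrincipal
            && identityKey.equals(((RenamablePrincipal) other).identityKey);
    }

    public int hashCode() { return identityKey.hashCode(); }

    public String toString() { return name + " <" + identityKey + ">"; }
}

public class RenamablePrincipalDemo {

    /** Stand-in (hypothetical) for a subject cache keyed on the principal. */
    private static final Map<Principal, String> subjectCache =
        new HashMap<Principal, String>();

    /** Provisional name: subject DN if present, otherwise issuer + serial. */
    static String provisionalName(String subjectDn, String issuerDn, String serial) {
        return subjectDn != null ? subjectDn : issuerDn + "/" + serial;
    }

    /** Caches under the provisional principal, renames it, and looks it up again. */
    static String cachedSubjectAfterRename(RenamablePrincipal p, String realName) {
        subjectCache.put(p, "subject-data-for:" + p.getName());
        p.rename(realName);            // realm sets the name from the committed subject
        return subjectCache.get(p);    // still reachable: hashCode/equals unchanged
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for fields of a client certificate.
        String issuerDn  = "CN=Example Issuing CA,O=Example Corp";
        String serial    = "4711";
        String subjectDn = "CN=Phil Dawes,OU=Dev,O=Example Corp";

        // Authenticator picks the provisional name; realm builds the principal.
        RenamablePrincipal p = new RenamablePrincipal(
            issuerDn + "/" + serial, provisionalName(subjectDn, issuerDn, serial));
        System.out.println("before login: " + p);

        // LoginModule commit yields the real user id (constructed); realm renames.
        String cached = cachedSubjectAfterRename(p, "pdawes");
        System.out.println("after login:  " + p + ", cache hit = " + (cached != null));

        // Application code can now resolve user details by the real name.
        System.out.println("user info lookup key: " + p.getName());
    }
}
```

Save as RenamablePrincipalDemo.java and run with `javac RenamablePrincipalDemo.java && java RenamablePrincipalDemo`; the cache hit prints true because the key never depended on the name. Two caveats follow from the design rather than from the page: the rename is only visible to a cache that holds this object (or one equal under the identity key), so a cache keyed on a name-based principal class would not see it; and a principal with a setter is shared mutable state, so the rename should happen exactly once, in the realm, before the principal is handed to application code.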

> -----Original Message-----
> From: Greg Wilkins [mailto:[EMAIL PROTECTED]]
> Sent: 20 September 2002 13:14
> To: [EMAIL PROTECTED]
> Cc: '[EMAIL PROTECTED]'
> Subject: [JBoss-dev] Re: [jetty-discuss] isValid() not a good fit for
> certs
> 
> 
> 
> The jetty ClientCertAuthenticator has the following code
> 
>     java.security.cert.X509Certificate[] certs =
>         (java.security.cert.X509Certificate[])
>         request.getAttribute("javax.servlet.request.X509Certificate");
>     if (certs==null || certs.length==0 || certs[0]==null)
>         return null;
> 
>     for (int i=0;i<certs.length;i++)
>     {
>         Principal principal = certs[i].getSubjectDN();
>         UserPrincipal user = realm.authenticate(principal.getName(),
>                                                 certs[i],
>                                                 request);
>         if (user!=null)
>             return user;
>     }
> 
> 
> Thus the DN for the certificate is used as the principal name and
> each certificate is tried until one succeeds.
> 
> Note there is no requirement on the abstract jetty realm to return a user
> with the same principal as passed to realm.authenticate, so the name
> can be changed by the realm.
> 
> The subject DN is optional, so I think I had better protect this
> code from a null pointer. In future I will pass a principal of "clientcert"
> if no subjectDN is available (unless you have a better suggestion).
> 
> cheers
> 
> 
> Dawes, Phil wrote:
> > Hi all,
> > 
> > The AuthenticationManager.isValid(principal,credential) isn't a good fit for
> > certificates AFAICS, because you don't know the principal name before you've
> > authenticated the credential.
> > 
> > I am extending the jetty and tomcat bindings to support certificate
> > authentication to a JAAS loginmodule, and am having to create a dummy
> > principal to hack round this.
> > 
> > This works, but getting the principal name out of the httprequest object
> > returns a dummy name (I'm using cert serial and issuer).
> > 
> > I was wondering:
> > 
> > 1) Is there a better way of doing this?
> >      (e.g. should I be using JAAS directly rather than the jboss security
> > interfaces)
> > 
> > 2) Is the AuthenticationManager interface going to change in the near future
> > to accommodate certs etc..? 
> > 
> > Cheers,
> > 
> > Phil
> > 
> > 
> > 
> > 
> > ----------------------------------------------------------------------
> > If you have received this e-mail in error or wish to read our e-mail 
> > disclaimer statement and monitoring policy, please refer to 
> > http://www.drkw.com/disc/email/ or contact the sender.
> > ----------------------------------------------------------------------
> > 
> > For the latest information about Jetty, please see http://jetty.mortbay.org
> 
> To alter your subscription to this list goto http://groups.yahoo.com/group/jetty-discuss 
> 
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 
> 



-- 
Greg Wilkins<[EMAIL PROTECTED]>             Phone/fax: +44 7092063462
Mort Bay Consulting Australia and UK.          http://www.mortbay.com

_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development