Hi Greg,

Looks cool. BTW, it might be worth using a combination of the serial number and issuer if the subjectDN doesn't work, since the issuer on its own won't be unique and I think this will thwart the JBoss authentication caching on principal.
I have been using the following function to get a unique string out of the certificate. It's a bit specific to us because AFAIK we index the certs on serial & issuer, but it may be of use?

    import java.security.cert.X509Certificate;

    /**
     * Takes an X509Certificate object and extracts the certificate's serial
     * number and issuer in order to construct a filter that can be used for
     * finding the user's entry in GDS.
     *
     * @param cert the user's certificate.
     * @return an LDAP filter for retrieving the user's entry.
     */
    private String getFilterFromCertificate(X509Certificate cert) {
        StringBuffer buff = new StringBuffer();
        // Serial number as upper-case hex, zero-padded to an even number of digits
        String serialNumber = cert.getSerialNumber().toString(16).toUpperCase();
        if (serialNumber.length() % 2 != 0) {
            buff.append("0");
        }
        buff.append(serialNumber);
        buff.append(" ");
        // Issuer DN: serial + issuer together are unique, the subject DN alone need not be
        buff.append(cert.getIssuerDN().toString());
        String filter = buff.toString();
        return filter;
    }

Cheers,
Phil

> -----Original Message-----
> From: Greg Wilkins [mailto:[EMAIL PROTECTED]]
> Sent: 21 September 2002 10:50
> To: [EMAIL PROTECTED]
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: [JBoss-dev] Re: [jetty-discuss] isValid() not a good fit
> for certs
>
>
> Phil,
>
> It has been suggested that Jetty's approach of testing each certificate
> in turn until one passes is incorrect, as the array of certificates
> indicates the chain of trust and they all need to be checked to
> verify authentication.
>
> As we are already passing an object as a credential to the realm, I
> suggest that we pass the entire array of certificates to the realm for
> it to check:
>
>     java.security.cert.X509Certificate[] certs =
>         (java.security.cert.X509Certificate[])
>             request.getAttribute("javax.servlet.request.X509Certificate");
>     if (certs==null || certs.length==0 || certs[0]==null)
>         return null;
>
>     Principal principal = certs[0].getSubjectDN();
>     if (principal==null)
>         principal=certs[0].getIssuerDN();
>     UserPrincipal user =
>         realm.authenticate(principal==null?"clientcert":principal.getName(),
>                            certs,request);
>     return user;
>
> Would that be an appropriate thing to do?
>
> Note that I agree with Scott that we do not need a mutable
> Principal returned.
>
> cheers
>
> --
> Greg Wilkins<[EMAIL PROTECTED]> Phone/fax: +44 7092063462
> Mort Bay Consulting Australia and UK. http://www.mortbay.com
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Jboss-development mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-development

----------------------------------------------------------------------
If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender.
----------------------------------------------------------------------
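The two points raised in this exchange (check the whole chain rather than accepting the first certificate that passes, and key the principal on issuer + serial rather than on a subject DN that may collide or be cached) fit together in one realm-side check. The class below is an added example written for this page; it is not code from the thread, from Jetty or from JBoss. The class name ClientCertRealmHelper, the caller-supplied set of trust anchors, and the decision to leave revocation checking (CRL/OCSP) to another layer are assumptions of the example.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical realm helper (example code, not Jetty/JBoss): validates the whole
 * client chain against the realm's trust anchors, then derives a principal name
 * that is unique per certificate (issuer + serial) rather than per subject DN.
 */
public final class ClientCertRealmHelper {

    // CA certificates this realm trusts; supplied by the caller (assumption).
    private final Set<TrustAnchor> anchors;

    public ClientCertRealmHelper(Set<TrustAnchor> anchors) {
        this.anchors = anchors;
    }

    /**
     * Returns the principal name for an authenticated client, or null if the
     * chain is missing or does not validate. chain[0] must be the end-entity
     * certificate, which is how the servlet container orders the array it
     * exposes as javax.servlet.request.X509Certificate.
     */
    public String authenticate(X509Certificate[] chain) {
        if (chain == null || chain.length == 0 || chain[0] == null) {
            return null;
        }
        try {
            List<X509Certificate> path = new ArrayList<X509Certificate>(Arrays.asList(chain));
            // Some clients send the root as well; a PKIX path must not end in the anchor itself.
            X509Certificate last = path.get(path.size() - 1);
            for (TrustAnchor ta : anchors) {
                if (last.equals(ta.getTrustedCert())) {
                    path.remove(path.size() - 1);
                    break;
                }
            }
            if (path.isEmpty()) {
                return null; // the "client" presented only our own CA certificate
            }
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath certPath = cf.generateCertPath(path);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // assumption: CRL/OCSP checking is done elsewhere
            // Validates signatures, validity periods, basic constraints and chaining for every
            // certificate in the path, not just the one at index 0.
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (GeneralSecurityException e) {
            return null; // does not chain to a trusted anchor, or is expired/malformed
        }
        return certificateKey(chain[0]);
    }

    /**
     * Issuer DN plus serial number identifies exactly one certificate (a CA must
     * not reuse a serial), so it is a safe cache and lookup key where the subject
     * DN alone is not. Serial is upper-case hex, zero-padded to an even length.
     */
    public static String certificateKey(X509Certificate cert) {
        String serial = cert.getSerialNumber().toString(16).toUpperCase();
        if (serial.length() % 2 != 0) {
            serial = "0" + serial;
        }
        String issuer = cert.getIssuerX500Principal().getName(X500Principal.RFC2253);
        return serial + " " + issuer;
    }
}
```

The realm would call authenticate() with the array taken from the request attribute and use the returned string, rather than the subject DN, as the principal name handed to the authentication cache. getIssuerX500Principal().getName(RFC2253) is used in place of getIssuerDN().toString() because the RFC 2253 form is a stable, specified encoding, so the same issuer always yields the same key.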