Hi Greg,
Looks cool. BTW, it might be worth using a combination of the serial number
and issuer if the subjectDN doesn't work, since the issuer on its own won't
be unique and I think this will thwart the jboss authentication caching on
principal.
I have been using the following function to get a unique string out of the
certificate. It's a bit specific to us because AFAIK we index the certs on
serial&issuer, but may be of use?
/**
 * Takes an X509Certificate object and extracts the certificate's serial
 * number and issuer in order to construct a filter that can be used for
 * finding the user's entry in GDS.
 *
 * @param cert the user's certificate.
 * @return an LDAP filter for retrieving the user's entry.
 */
private String getFilterFromCertificate(X509Certificate cert) {
    StringBuffer buff = new StringBuffer();
    // serial number as uppercase hex, zero-padded to an even number of digits
    String serialNumber = cert.getSerialNumber().toString(16).toUpperCase();
    if (serialNumber.length() % 2 != 0) {
        buff.append("0");
    }
    buff.append(serialNumber);
    buff.append(" ");
    buff.append(cert.getIssuerDN().toString());
    String filter = buff.toString();
    return filter;
}
Cheers,
Phil
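The two points in this thread, a key for the principal that is unique across issuers (serial number plus issuer) and checking the whole certificate array rather than the first one that passes, put together as an added example. This is not Jetty, JBoss or Phil's GDS code; it assumes the chain is available as a PEM file and the trust anchors as a JKS truststore passed on the command line, and it leaves revocation checking off (a labelled assumption). The issuer is rendered in RFC 2253 form so the key is the same whichever library printed the DN.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Example (not Jetty or JBoss code): validate a client certificate chain
 * as a whole, then derive a stable, cross-issuer-unique principal key.
 */
public class ClientCertKey {

    /** Issuer in RFC 2253 form plus serial number as even-length uppercase hex. */
    public static String principalKey(X509Certificate cert) {
        String serial = cert.getSerialNumber().toString(16).toUpperCase();
        if (serial.length() % 2 != 0) {
            serial = "0" + serial;
        }
        // RFC 2253 output is canonical; getIssuerDN().toString() is
        // implementation-defined and can differ between providers.
        String issuer = cert.getIssuerX500Principal().getName(X500Principal.RFC2253);
        return issuer + " " + serial;
    }

    /**
     * Validate the whole chain (target certificate first, as the servlet
     * attribute delivers it) against the trust anchors in a truststore.
     * Throws if any certificate in the path is expired, unsigned by its
     * issuer, or the path does not end at a trusted anchor.
     */
    public static void validateChain(X509Certificate[] chain, String truststorePath,
                                     char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            trust.load(in, password);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trust);
        // Assumption for this example: CRL/OCSP checking is done elsewhere.
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ClientCertKey chain.pem truststore.jks password");
            System.exit(2);
        }
        // Read every PEM certificate in the file, leaf first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        if (certs.isEmpty()) {
            System.err.println("no certificates found in " + args[0]);
            System.exit(1);
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
        validateChain(chain, args[1], args[2].toCharArray());
        System.out.println("principal key: " + principalKey(chain[0]));
    }
}
```

The key is only consulted after the whole path has validated, so a cache keyed on it cannot be populated by a chain that merely contained one acceptable certificate somewhere in the array.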
> -----Original Message-----
> From: Greg Wilkins [mailto:[EMAIL PROTECTED]]
> Sent: 21 September 2002 10:50
> To: [EMAIL PROTECTED]
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: [JBoss-dev] Re: [jetty-discuss] isValid() not a good fit
> for certs
>
>
> Phil,
>
> It has been suggested that Jetty's approach of testing each
> certificate in turn until one passes is incorrect, as the array of
> certificates indicates the chain of trust and they all need to be
> checked to verify authentication.
>
> As we are already passing an object as a credential to the realm, I
> suggest that we pass the entire array of certificates to the realm for
> it to check:
>
> java.security.cert.X509Certificate[] certs =
>     (java.security.cert.X509Certificate[])
>         request.getAttribute("javax.servlet.request.X509Certificate");
> if (certs==null || certs.length==0 || certs[0]==null)
>     return null;
>
> Principal principal = certs[0].getSubjectDN();
> if (principal==null)
>     principal=certs[0].getIssuerDN();
> UserPrincipal user =
>     realm.authenticate(principal==null?"clientcert":principal.getName(),
>                        certs,request);
> return user;
>
>
> Would that be an appropriate thing to do?
>
> Note that I agree with Scott that we do not need a mutable
> Principal returned.
>
> cheers
>
>
>
> --
> Greg Wilkins<[EMAIL PROTECTED]> Phone/fax: +44 7092063462
> Mort Bay Consulting Australia and UK. http://www.mortbay.com
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Jboss-development mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-development
>
----------------------------------------------------------------------
If you have received this e-mail in error or wish to read our e-mail
disclaimer statement and monitoring policy, please refer to
http://www.drkw.com/disc/email/ or contact the sender.
----------------------------------------------------------------------