Hi Luciano:

I configured my Orion in the following way:

1. SECURE-WEB-SITE.XML:

        I put this line:
                <ssl-config keystore="../my/keystore/keystore"
                            keystore-password="password" needs-client-auth="true"/>
        where the keystore is my keystore, as the SSL-HOWTO.TXT in the Orion
        documentation explains, and needs-client-auth="true" is necessary to
        request a client certificate.

2. PRINCIPALS.XML

        <user username="elopez" password="xxxx">
            <description>The default user</description>
            <certificate-issuer>CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, OU="www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98", OU=VeriSign Trust Network, O="VeriSign, Inc."</certificate-issuer>
            <certificate-serial-id>551496365129825846627......</certificate-serial-id>
            <group-membership group="users"/>
            <group-membership group="guests"/>
            <group-membership group="administratorss"/>
        </user>


        I used a trial certificate from VeriSign.


In my Servlet I did this:

    // Servlet 2.2 defines this attribute as a single X509Certificate;
    // later servlet specs (2.3 and up) make it an X509Certificate[].
    java.security.cert.X509Certificate cert =
        (java.security.cert.X509Certificate)
            request.getAttribute("javax.servlet.request.X509Certificate");

and then I used the "HttpServletRequest.isUserInRole" method to perform the
authorization:

    if (request.isUserInRole("users"))
    {
        // ... (code omitted in the original message)
        System.out.println("Role = users");
        System.out.println("Principal = " + request.getUserPrincipal().getName());
        // ...
    }

    if (request.isUserInRole("guests"))
    {
        // ...
        System.out.println("Role = guests");
        // ...
    }



If HttpServletRequest.isUserInRole returns false, it means that the user is not
in that role.

NOTE: the HttpServletRequest.isUserInRole method is in the Java Servlet API
2.2b. You can download it from
http://www.javasoft.com/products/servlet/download.html#specs


Good luck, and sorry for my bad English.


> -----Original Message-----
> From: Montebove Luciano [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, 04 October 2000 04:55 a.m.
> To:   Orion-Interest
> CC:   [EMAIL PROTECTED]
> Subject:      Re: Client certificate authentication
> 
> Hi Lopez,
> 
> Can you detail your "manual" identification?
> 
> Luciano
> 
> -----Original Message-----
> From: Lopez Esteban [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 3 October 2000 21.53
> To: Orion-Interest
> Subject: RE: Client certificate authentication
> 
> 
> 
>       I haven't solved the 403 problem yet, but I can identify users using
> client certificates and accept or reject the user.
>       If you are interested in this "manual" identification I can explain
> more.
> 
> > -----Original Message-----
> > From: Montebove Luciano [SMTP:[EMAIL PROTECTED]]
> > Sent: Tuesday, 03 October 2000 04:59 a.m.
> > To:         Orion-Interest
> > Subject:    R: Client certificate authentication
> > 
> > I can help you partially. I had the same 403 Forbidden problem and I'm
> > waiting for a response from official support (5 days).
> > For the Cert ID use the sample page ssl-user-registration.jsp in the SSL
> > demo. It will show the cert id you are looking for.
> > If you solve the 403 problem, tell me.
> > 
> > ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤øø
> > Luciano Montebove - Software Architect - Finsiel S.p.a
> > E-mail: [EMAIL PROTECTED]  Phone:  (+39) 06-4142-7663
> > "If you don't fail now and again, it's a sign you're playing it safe"
> > -W. Allen
> > ¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤øø
> > 
> > 
> > 
> > -----Original Message-----
> > From: Lopez Esteban [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, 2 October 2000 14.57
> > To: Orion-Interest
> > Subject: Client certificate authentication
> > 
> > 
> > Hi
> > 
> > I need to authenticate clients with digital certificates. I have a
> > VeriSign trial client certificate and I'm using IE 5.0. The certificate is
> > correctly installed in IE.
> > I'm working with Orion 1.2.9 and HTTPS. I'm using
> > <auth-method>CLIENT-CERT</auth-method> in the login config of the WEB.XML
> > file.
> > When I connect to the web site I see the following error:
> > 403 Forbidden
> > Your cert's user does not have access to this resource
> > 
> > Please, could anybody help me with this?
> > 
> > Note: In the PRINCIPAL.XML file, when I set up the user that has a
> > certificate I do the following:
> > 
> >     <user username="A name here">
> >         <description>no description</description>
> >         <certificate-issuer>CN = VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, OU = www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98, OU = VeriSign Trust Network, O = VeriSign, Inc.</certificate-issuer>
> >         <certificate-serial-id>I don't know</certificate-serial-id>
> >         <group-membership group="users"/>
> >         <group-membership group="guests"/>
> >     </user>
> > 
> > In the <certificate-serial-id> tag I have a hex number, and when I put this
> > serial number in it Orion throws the following exception:
> > java.lang.NumberFormatException: 297D6F02EA75C1
> >         at java.lang.Long.parseLong(Unknown Source)
> >         at java.math.BigInteger.<init>(Unknown Source)
> >         at java.math.BigInteger.<init>(Unknown Source)
> >         at com.evermind.server.gs.<init>(JAX)
> >         at com.evermind.server.XMLUserManager.ajf(JAX)
> >         at com.evermind.server.XMLUserManager.ajd(JAX)
> >         at com.evermind.server.XMLUserManager.bw(JAX)
> >         at com.evermind.xml.XMLConfig.br(JAX)
> >         at com.evermind.xml.XMLConfig.ax(JAX)
> >         at com.evermind.xml.XMLConfig.ax(JAX)
> >         at com.evermind.xml.XMLConfig.update(JAX)
> >         at com.evermind.server.gw.run(JAX)
> >         at com.evermind.util.g.run(JAX)
> >         at com.evermind.util.f.run(JAX)
> > 
> > What serial number must I put in this tag?
> > 
> > Thanks, Esteban
> > 
