fine grained authorization based on DN/X.509
Hi,

I have a Restlet application running on jetty using https (with client side authn). The required behavior is to intercept the client request and extract the DN on the server side (in-bound), on which the authorization will take place, whereby the DN/x.509 would be matched against some external entity (ldap) where the DN/x.509 certs are stored.

Is there any standard way to add interceptors on the client as well as on the server side to authorize the user based on a particular DN/x.509 or any other credential?

Thanks
Daku

--
View this message in context: http://restlet-discuss.1400322.n2.nabble.com/fine-grained-authorization-based-on-DN-X-509-tp6444949p6444949.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759025
Re: fine grained authorization based on DN/X.509
There are two steps here, authenticating the client cert, and authorizing the user, which correspond to the org.restlet.routing.filter.Authenticator and org.restlet.routing.filter.Authorizer classes. These sit in front of the resource you are controlling access to. In the case of client certificates, the authenticator is really merely checking for the existence of client certs available on the connection; the SSL layer has already "verified" them and stashed them where restlet can access them, which is: getRequest().getAttributes().get("org.restlet.https.clientCertificates"), which gives you a list (usually of length 1) of java.security.cert.X509Certificate objects I think.

You can use that to get the DN, and then I would put that in a field of the restlet User object or a custom subclass thereof. Then when it gets to your authorizer, you use the DN you pulled off the cert to query an LDAP to determine if the user can do what they are attempting or not.

This is a good place to start research. I could have sworn that at one point Bruno Harbulot had posted a patch for a ClientCertAuthenticator.java to the issue tracker, but I have no clue what happened to it.

-Matt

On Mon, Jun 6, 2011 at 8:44 AM, lambda daku wrote:

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759110
Re: fine grained authorization based on DN/X.509
Sorry, forgot to include the link: http://wiki.restlet.org/docs_1.1/13-restlet/27-restlet/46-restlet.html

On Mon, Jun 6, 2011 at 2:20 PM, Matt Kennedy wrote:

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759111
Re: fine grained authorization based on DN/X.509
And that was the wrong link, sorry: http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet.html

On Mon, Jun 6, 2011 at 2:21 PM, Matt Kennedy wrote:

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759112
Re: fine grained authorization based on DN/X.509
Thanks for the reply.

I have a few comments on your reply.

Usually the certificate received at the server side has at least 2 certificates - one is a public key of the client and the rest are "n" trusted entries (in my case it is 1).

As you have mentioned the getRequest() method, where do you access it, in a resource or in an application class? I am intercepting the requests in an application class (which extends from JaxRsApplication), whereby I am overriding the handle(req,res) method and getting the desired attributes. Is the following what you were referring to?

    import java.security.cert.X509Certificate;
    import java.util.List;
    import java.util.Map;

    import org.restlet.Request;
    import org.restlet.Response;
    import org.restlet.ext.jaxrs.JaxRsApplication;

    public class MyJaxRsApplication extends JaxRsApplication {

        @Override
        public void handle(Request request, Response response) {
            Map<String, Object> map = request.getAttributes();
            // the connector stores the peer certificate chain under this attribute
            @SuppressWarnings("unchecked")
            List<X509Certificate> lst =
                    (List<X509Certificate>) map.get("org.restlet.https.clientCertificates");
            // however the first item in the above list is the user's public key
            // here, delegation to the authorization PEP, PAP and PIP will be made

            // hand the request on to the normal JAX-RS routing
            super.handle(request, response);
        }
        ..
    }

Many thanks
Daku

--
View this message in context: http://restlet-discuss.1400322.n2.nabble.com/fine-grained-authorization-based-on-DN-X-509-tp6444949p6448938.html

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759531
Re: fine grained authorization based on DN/X.509
That's one way to do it, but it isn't the way I usually design my restlet applications. I do all of my authentication and authorization in subclasses of the restlet API classes, which are subclasses of filter. These typically sit in front of your resources in a filter chain, which you configure in your router set up in createInboundRoute in your subclass of Application. Steps 9-12 of http://www.restlet.org/documentation/2.0/tutorial have an example that may be useful to you.

But if what you have works for your situation, then it looks like you're on the right track. It just may be harder to re-use your code in other restlet applications later on.

-Matt

On Tue, Jun 7, 2011 at 6:31 AM, lambda daku wrote:

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759653
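The two-step design Matt describes (an Authenticator that binds the client certificate's subject DN to the request's User, followed by an Authorizer that decides using that DN, both wired in front of the router from the Application's inbound root) as one worked example. This is added code, not code from this thread or from the Restlet project. It assumes the Restlet 2.0 API (org.restlet.security.Authenticator and Authorizer, and Application.createInboundRoot(), rather than the org.restlet.routing.filter names and createInboundRoute quoted above), assumes the "org.restlet.https.clientCertificates" attribute holds the peer chain with the client's own certificate at index 0, and the DnDirectory interface, InMemoryDirectory (a constructed stand-in for the LDAP lookup, with made-up DNs), SecureResource and the class names are all hypothetical.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

import org.restlet.Application;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.ClientInfo;
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;
import org.restlet.security.Authenticator;
import org.restlet.security.Authorizer;
import org.restlet.security.User;

public class ClientCertAccessControl extends Application {

    /** Attribute under which the HTTPS connector stores the peer certificate chain. */
    static final String CERT_ATTRIBUTE = "org.restlet.https.clientCertificates";

    /** Step 1: authenticate. Bind the client certificate's subject DN to the request's User. */
    public static class ClientCertAuthenticator extends Authenticator {
        public ClientCertAuthenticator(Context context) { super(context); }

        @Override
        protected boolean authenticate(Request request, Response response) {
            Object attr = request.getAttributes().get(CERT_ATTRIBUTE);
            if (!(attr instanceof List) || ((List<?>) attr).isEmpty()) {
                return false; // no client certificate on this connection (e.g. optional TLS auth)
            }
            // Index 0 is the client's own (end-entity) certificate; the rest is its chain.
            Object first = ((List<?>) attr).get(0);
            if (!(first instanceof X509Certificate)) return false;
            X509Certificate cert = (X509Certificate) first;
            try {
                cert.checkValidity(); // defence in depth: the TLS layer should already reject these
            } catch (CertificateException e) {
                return false;
            }
            // RFC 2253 string form, so the DN can be compared with what the directory holds
            String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
            ClientInfo info = request.getClientInfo();
            info.setUser(new User(dn));
            info.setAuthenticated(true);
            return true;
        }
    }

    /** Hypothetical lookup of what a DN may do; a real implementation would query LDAP. */
    public interface DnDirectory {
        Set<String> allowedMethods(String dn);
    }

    /** Constructed in-memory stand-in for the LDAP directory, keyed by RFC 2253 DN. */
    public static class InMemoryDirectory implements DnDirectory {
        private final Map<String, Set<String>> entries = new HashMap<String, Set<String>>();

        public InMemoryDirectory() {
            entries.put("CN=alice,OU=dev,O=example", new HashSet<String>(Arrays.asList("GET", "PUT")));
            entries.put("CN=bob,OU=audit,O=example", Collections.singleton("GET"));
        }

        public Set<String> allowedMethods(String dn) {
            Set<String> s = entries.get(dn);
            return s == null ? Collections.<String>emptySet() : s; // unknown DN: deny everything
        }
    }

    /** Step 2: authorize using the User the authenticator stored, not the raw attribute. */
    public static class DnAuthorizer extends Authorizer {
        private final DnDirectory directory;
        public DnAuthorizer(DnDirectory directory) { this.directory = directory; }

        @Override
        public boolean authorize(Request request, Response response) {
            User user = request.getClientInfo().getUser();
            if (user == null) return false; // authenticator did not run or set no user
            return directory.allowedMethods(user.getIdentifier())
                    .contains(request.getMethod().getName());
        }
    }

    /** Resource behind the filters; it only sees requests that passed both. */
    public static class SecureResource extends ServerResource {
        @Get
        public String represent() {
            return "hello " + getClientInfo().getUser().getIdentifier();
        }
    }

    /** Filter chain: authenticator -> authorizer -> router -> resource. */
    @Override
    public Restlet createInboundRoot() {
        Router router = new Router(getContext());
        router.attach("/secure", SecureResource.class);
        DnAuthorizer authorizer = new DnAuthorizer(new InMemoryDirectory());
        authorizer.setNext(router);
        ClientCertAuthenticator authenticator = new ClientCertAuthenticator(getContext());
        authenticator.setNext(authorizer);
        return authenticator;
    }
}
```

Two points worth checking in a real deployment: the list is only guaranteed to be non-empty when the Jetty connector is configured to require (not merely request) a client certificate, so the authenticator treats an absent or empty list as a failed authentication rather than falling through; and the DN string the directory stores must be in the same form the authenticator produces (here RFC 2253 from X500Principal), otherwise a legitimate user is denied because of attribute ordering or whitespace differences rather than policy.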