fine grained authorization based on DN/X.509

2011-06-06 Thread lambda daku
Hi,

I have a Restlet application running on jetty using https (with client side
authn). The required behavior is to intercept the client request and extract
the DN on the server side (in-bound), on which the authorization will take
place, whereby the DN/x.509 would be matched against some external entity
(ldap) where the DN/x.509 certs are stored.

Is there any standard way to add interceptors on the client as well as on
the server side to authorize the user based on a particular DN/x.509 or any
other credential?

Thanks
Daku



--
View this message in context: 
http://restlet-discuss.1400322.n2.nabble.com/fine-grained-authorization-based-on-DN-X-509-tp6444949p6444949.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759025


Re: fine grained authorization based on DN/X.509

2011-06-06 Thread Matt Kennedy
There are two steps here, authenticating the client cert, and authorizing
the user, which correspond to the org.restlet.routing.filter.Authenticator
and org.restlet.routing.filter.Authorizer classes. These sit in front of the
resource you are controlling access to.  In the case of client
certificates, the authenticator is really merely checking for the existence
of client certs available on the connection; the SSL layer has already
"verified" them and stashed them where restlet can access them, which is:
getRequest().getAttributes().get("org.restlet.https.clientCertificates"),
which gives you a list (usually of length 1) of
java.security.cert.X509Certificate objects, I think.

You can use that to get the DN, and then I would put that in a field of the
restlet User object or a custom subclass thereof.  Then when it gets to your
authorizer, you use the DN you pulled off the cert to query an LDAP to
determine if the user can do what they are attempting or not.

This is a good place to start research.  I could have sworn that at one
point Bruno Harbulot had posted a patch for a ClientCertAuthenticator.java
to the issue tracker, but I have no clue what happened to it.

-Matt


--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759110

Re: fine grained authorization based on DN/X.509

2011-06-06 Thread Matt Kennedy
Sorry, forgot to include the link:
http://wiki.restlet.org/docs_1.1/13-restlet/27-restlet/46-restlet.html


--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759111

Re: fine grained authorization based on DN/X.509

2011-06-06 Thread Matt Kennedy
And that was the wrong link, sorry:
http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet.html


--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759112

Re: fine grained authorization based on DN/X.509

2011-06-07 Thread lambda daku
Thanks for the reply.

I have a few comments on your reply.

Usually the certificate received at the server side has at least 2
certificates - one is a public key of the client and the rest are "n"
trusted entries (in my case it is 1).

As you have mentioned the getRequest() method, where do you access it,
in a resource or in an application class? I am intercepting the requests in
an application class (which extends from JaxRsApplication), whereby I am
overriding the handle(req,res) method and getting the desired
attributes. Is the following what you were referring to?

import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.ext.jaxrs.JaxRsApplication;

public class MyJaxRsApplication extends JaxRsApplication {

    @Override
    public void handle(Request request, Response response) {
        Map<String, Object> map = request.getAttributes();
        // the client certificate chain stashed by the HTTPS connector
        @SuppressWarnings("unchecked")
        List<X509Certificate> lst = (List<X509Certificate>)
                map.get("org.restlet.https.clientCertificates");
        //however the first item in the above list is the user's public key
        //here, delegation to the authorization PEP, PAP and PIP will be made
        // hand the request on to the JAX-RS resources once the checks pass
        super.handle(request, response);
    }
    ..

}


Many thanks
Daku

--
View this message in context: 
http://restlet-discuss.1400322.n2.nabble.com/fine-grained-authorization-based-on-DN-X-509-tp6444949p6448938.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759531


Re: fine grained authorization based on DN/X.509

2011-06-07 Thread Matt Kennedy
That's one way to do it, but it isn't the way I usually design my restlet
applications.

I do all of my authentication and authorization in subclasses of the restlet
API classes, which are subclasses of filter.  These typically sit in front
of your resources in a filter chain, which you configure in your router set
up in createInboundRoute in your subclass of Application.

Steps 9-12 of http://www.restlet.org/documentation/2.0/tutorial have an
example that may be useful to you.  But if what you have works for your
situation, then it looks like you're on the right track.  It just may be
harder to re-use your code in other restlet applications later on.

-Matt


--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2759653
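As an added example (not code posted in this thread and not Restlet's own sources), the two-step design Matt describes: an Authenticator that only checks that the TLS layer delivered a client chain and records the subject DN in the User, an Authorizer that decides by that DN, and the filter chain wired in createInboundRoot of the Application subclass. It is written against Restlet 2.0's org.restlet.security.Authenticator and Authorizer; the DnAuthorizer's in-memory set and the DN CN=alice,O=Example are constructed stand-ins for the LDAP lookup, and SecuredResource is a placeholder resource.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import org.restlet.*;
import org.restlet.resource.*;
import org.restlet.routing.Router;
import org.restlet.security.*;

// Step 1: only confirm the TLS layer delivered a client chain and record its subject DN.
class ClientCertAuthenticator extends Authenticator {
    ClientCertAuthenticator(Context context) { super(context); }
    @Override
    protected boolean authenticate(Request request, Response response) {
        @SuppressWarnings("unchecked")
        List<X509Certificate> chain = (List<X509Certificate>)
                request.getAttributes().get("org.restlet.https.clientCertificates");
        if (chain == null || chain.isEmpty()) return false; // no client cert: Authenticator answers 401
        // chain.get(0) is the end-entity (client) certificate; later entries are its issuers
        String dn = chain.get(0).getSubjectX500Principal().getName();
        request.getClientInfo().setUser(new User(dn));
        return true;
    }
}

// Step 2: decide by DN. The in-memory set is a constructed stand-in for the LDAP lookup.
class DnAuthorizer extends Authorizer {
    private final Set<String> allowedDns;
    DnAuthorizer(Set<String> allowedDns) { this.allowedDns = allowedDns; }
    @Override
    public boolean authorize(Request request, Response response) {
        User user = request.getClientInfo().getUser();
        return user != null && allowedDns.contains(user.getIdentifier()); // false -> 403
    }
}

class SecuredResource extends ServerResource { // placeholder resource behind the filters
    @Get public String represent() { return "hello " + getClientInfo().getUser().getIdentifier(); }
}

public class CertApplication extends Application {
    @Override
    public Restlet createInboundRoot() {
        Router router = new Router(getContext());
        router.attach("/secured", SecuredResource.class);
        Authorizer authorizer = new DnAuthorizer(Collections.singleton("CN=alice,O=Example")); // constructed DN
        authorizer.setNext(router);
        Authenticator authenticator = new ClientCertAuthenticator(getContext());
        authenticator.setNext(authorizer); // chain: authenticator -> authorizer -> router
        return authenticator;
    }
}
```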