If you download our Perl objects @
http://www.extropia.com/development/webware2/webware2.html, I have an
AuthManager::Certificate which implements client certificate authentication.
Probably the best place to download the code for that is on the
extropiaperl project at sourceforge if you want to see the implementation.
It's actually "trivial" because mod_ssl will decode the certificate into
extra environment variables indicating stuff like the DN of the user. It's
a requirement of SSL to make sure the certificate is valid based on the
certificate's signature(s). At that point, then you need to deal with
certificate revocation which is another matter. A lot of servers back up
certificate authentication with LDAP.
So the client sends the cert which verifies that they are who they say they
are, but LDAP needs to be used to actually get the relevant authorization
information out. If you use the framework we have, that is accomplished by
configuring the use of AuthManager::Certificate against Auth::LDAP.
Auth::Cache::Session can optionally be used to speed up the process.
Chapter 20 on the link I gave you has details on why we broke up the
modules the way we did.
Note that this is not to be confused with a handler. This is application
level logic. mod_ssl already handles certificate decoding so you really
don't need a handler anymore. At that point it seems like app logic to take
the user and figure out what you want them to do.
Of course, you can code authorization info into a cert like the roles that
they are intended for. But I think that's IMHO, a really BAD way to do it
because you have to revoke the cert to change the permissions of the user.
Best to leave the cert to identify the user and allow a dynamic datastore
to determine what they can do in most cases.
Later,
Gunther
PS The hard part about client certificates isn't using them, its managing
them and the customers that use them.
At 11:00 AM 3/13/01 +, [EMAIL PROTECTED] wrote:
I am looking for a module that will allow me to use Client
Certificates to authenticate the users. I am pretty sure I have come
accros this before, but I cannot find it anywhere. Anybody know where
I can find this.
I have seached CPAN for 'cert', 'authen' and 'client', but unless I
am overlooking something there doesn't seem to be anything there.
Thank you very much.
Kees Vonk
Mailing Code 3
Joule 1 - Ground Floor
Wharf Lane
Solihull
Internal:
Phone:
7249 27705
E-Mail:
Kees Vonk/KV002/Solihull/Transco
Home Page:
https://rep1prod:8081/
External:
Phone:
0121 - 705 7581 ext. 27705
E-Mail:
[EMAIL PROTECTED]
__
The views expressed in this email are not necessarily the views of
Transco plc, and the company, its directors, officers or employees
make no representation or accept any liability for its accuracy or
completeness unless expressly stated to the contrary.
This e-mail, and any attachments are strictly confidential and
intended for the addressee(s) only. The content may also contain
legal, professional or other privileged information. If you are not
the intended recipient, could you please notify the sender
immediately and then delete the e-mail and any attachments, you
should not disclose, copy or take any action in reliance of this
transmission. Unless expressly stated to the contrary, no contracts
may be concluded on behalf of Transco plc by means of e-mail
communication.
You may report the matter by calling us on +44 (0)1455 230999.
You should not copy, forward or otherwise disclose the contents of
this e-mail or any of its attachments without express consent.
Please ensure you have adequate virus protection before you open or
detach any documents from this transmission. Transco plc does not
accept any liability for viruses.
Transco plc is part of Lattice Group
Transco plc is registered in England: Company number: 2006000
Registered Office: 130 Jermyn Street, London, SW1Y 4UR
http://www.transco.uk.com
__
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Web Technology Company
http://www.extropia.com/
