> Certs work just like that.
I presume you mean the SSL-delivered X.509 certificate, which associates
an X.500 Distinguished Name with a public key.
> There is a standard way to access
> them from JAVA
I presume you're referring to section 5.7 of the Servlets spec version
2.2, which says to me that only vendor-specific ways are defined.
> and the browsers support them. If you're using a rdbms like
> Oracle (816),
> it can proxy a user into a group based on their certificate.
I find this surprising (I don't have Oracle 8.1.6, so I can't check this
out on my own right now). The X.509 certificate that comes in through SSL
only provides a *public* key, so the web server can't impersonate the web
client --- it can only say "I'm working on behalf of this guy, trust me on
this". Is Oracle really willing to accept that?
I know Oracle has "roles"; I'm not familiar with any other support for
"groups". By "proxy a user into a group" do you mean something like
"authenticate a user (who will naturally then have all his roles)"?
Of course, there are security technologies, such as SPKI, that provide
more general (than impersonation) delegation. To complete the picture,
you'd also need an agreement on how the necessary certificate sets are
passed in HTTP and how they're accessed from Servlets (I'd like to see
those agreements made). Plus, of course, a database that can work with
that technology.
Mike
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html