>> Next I wanted to get user Id from connection
>> (connection_.getAuthenticatedUsername()) but I always got "dummy"
>> string. I traced that to SslConnector.cpp (getSecuritySettings
>> function) where the string is hardcoded. Is there a way to get user id
>> (certificate nickname) from this function?
>> I tried to add this functionality myself:
>> In SslSocket.cpp:
>> std::string SslSocket::getCertNickname() const
>> {
>>      std::string nickname;
>>      CERTCertificate* cert = SSL_LocalCertificate(nssSocket);
>>      if (cert) {
>>          // nickname can be NULL; assigning NULL to std::string is undefined
>>          if (cert->nickname) nickname = cert->nickname;
>>          CERT_DestroyCertificate(cert);
>>      }
>>      return nickname;
>> }
>> There is already function getClientAuthId but on client side this
>> returns server cert domain (which in my case is the same as
>> getting server cert nickname - not certain if that is always the
>> case)...
>> In SslConnector.cpp function getSecuritySettings():
>>
>> std::string nickname(socket.getCertNickname());
>> // was "dummy"; set to non-empty string to enable external authentication
>> securitySettings.authid = (nickname.size() ? nickname + "@QPID" : "dummy");
>>
>> I'm not certain if this solution is OK/would be something that would
>> be accepted by qpid devs?
>
>
> I think it is mostly right, but instead of using the nickname, it should
> extract the identity from the local certificate in the same way the server
> will.
>
> I.e. we need a similar method to SslSocket::getClientAuthId() (which was a
> poor choice of name, getPeerAuthId() might have been better) but use the
> SSL_LocalCertificate rather than the SSL_PeerCertificate.
>
> We would be very grateful for a contribution that fixed this problem.

I've changed the code and opened an issue report with patches:
https://issues.apache.org/jira/browse/QPID-7130

>> Also there is an issue that "@QPID" part is hardcoded and I'm not
>> certain if this is always true.
>
>
> This part shouldn't even be needed.

You're right. Haven't noticed that.

Thanks,
Domen
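
Added example, not part of the original thread or of the Qpid code base: a self-contained sketch of why the client should derive its authid from the local certificate with the same rule the server applies to the peer certificate, rather than from the nickname. The Cert struct, the function names and the CN-plus-DC identity rule are assumptions made for illustration; the sample subject is constructed.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical stand-in for the certificate fields that matter here.
struct Cert {
    std::string subject;   // part of the certificate, so the peer sees it
    std::string nickname;  // label in the local certificate database only
};

static std::string trim(const std::string& s) {
    const std::size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

// Single extraction rule shared by both ends. Assumed rule for illustration:
// first CN, plus "@" and the DC values joined with "." when any are present.
// Escaped commas inside RDN values are not handled.
std::string authIdFromSubject(const std::string& subject) {
    std::string cn, domain, rdn;
    std::istringstream in(subject);
    while (std::getline(in, rdn, ',')) {
        const std::size_t eq = rdn.find('=');
        if (eq == std::string::npos) continue;
        const std::string type = trim(rdn.substr(0, eq));
        const std::string value = trim(rdn.substr(eq + 1));
        if (type == "CN" && cn.empty()) cn = value;
        else if (type == "DC") domain += (domain.empty() ? "" : ".") + value;
    }
    if (cn.empty()) return "";  // no usable identity in this subject
    return domain.empty() ? cn : cn + "@" + domain;
}

// Client side: identity derived from the local certificate (empty if none).
std::string localAuthId(const Cert* local) {
    return local ? authIdFromSubject(local->subject) : "";
}

// Server side: identity derived from the certificate the peer presented.
std::string peerAuthId(const Cert& presented) {
    return authIdFromSubject(presented.subject);
}

int main() {
    const Cert client{"CN=alice, DC=example, DC=com", "client-cert"};  // constructed
    const Cert seenByServer{client.subject, ""};  // nickname never leaves the client
    std::cout << localAuthId(&client) << " / " << peerAuthId(seenByServer) << "\n";
}
```

Because both sides call the same routine on the same subject, the announced identity matches what the server computes, and no hardcoded realm suffix is involved.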
