  • Authentication X509 + LDAP

    Hi all, I just want to share my thoughts to see if they are right:

    Currently with Acegi you can use authentication based on x509 certificates (well, the container makes the first authentication and later you can make a second validation) or you can use authentication based on LDAP (username + password).

    What I want is: The user presents a certificate and the container accepts it, but I don't want to trust the container. I want to take the certificate the user presented and, using SASL EXTERNAL authentication (see the section "Client Authentication: Using SSL with the External SASL Mechanism"), try to bind with the LDAP.

    In other words, I don't want to bind with LDAP using simple authentication (username + password) but using SSL authentication (presenting my x509 certificate). If it worked I wanted to share it with everybody and even add it to Acegi functionality, but...

    Right now I've coded a simple class which binds successfully with the LDAP server using SSL. But when I tried to integrate with Acegi I realized a very big problem... With Acegi I'm able to extract information about the user's x509 certificate, but that doesn't mean I'm able to authenticate against the LDAP server, because I don't have the private key... is that right?

    In other words... the x509 certificate represents the principal, but I don't have its credentials (private key), so it's impossible for me to authenticate against the LDAP server...

    If this is right, then I have a second problem... my presentation layer is going to make some calls to external web services and I need to be authenticated. When I used user + password authentication, I didn't have a problem, because I could authenticate against the WS server using Basic (or even Digest) authentication (the credentials traveled from the client to the presentation layer server and then to the WS server), but now I don't know how to do it because the credentials (private key) always stay on the client machine...

    Please, could anybody confirm whether I am right? Or if I am wrong... could anybody point me in the right direction?

    Many thanks in advance,

    José Luis.

  • #2
    I'm not quite sure what you mean when you say you "don't want to trust the container"... Why is that? Presumably that's where your app is running, so you would have to trust it? Isn't it the container which is trying to establish the trust of the client in this case?

    If you are worried about the passing of information between the container and directory, then that seems more like an issue of establishing a secure connection between the two, not from the client to the directory.

    The validity of the client's certificate from the app's perspective can be checked by comparing it with the version stored in the directory (or checking some data from the certificate against the directory). The client will already have verified that they have the private key for the certificate during the SSL negotiation with the container.
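
    A concrete form of the check described in this reply, as an added example (not Acegi's code and not the poster's class) written in Java against JNDI: the app takes the certificate the container already validated during the handshake and compares its DER bytes with the userCertificate value stored in the user's directory entry, instead of trying to bind as the user. The LDAP URL and search base are placeholders, and the mapping from the certificate's subject CN to the entry's cn attribute is an assumption.

    ```java
    import java.security.cert.X509Certificate;
    import java.util.Arrays;
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.*;
    import javax.naming.ldap.LdapName;
    import javax.naming.ldap.Rdn;

    /** Added example: compare the cert Tomcat already verified with the copy the directory holds. */
    public class DirectoryCertificateCheck {
        /** CN of the certificate subject; assumption: it equals the user entry's cn attribute. */
        static String commonName(X509Certificate cert) throws NamingException {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
            return null;
        }
        /** True only if the presented DER bytes equal one of the stored userCertificate values. */
        static boolean matchesStored(X509Certificate presented, Attribute stored) throws Exception {
            if (stored == null) return false;
            byte[] der = presented.getEncoded();
            for (NamingEnumeration<?> vals = stored.getAll(); vals.hasMore();) {
                if (Arrays.equals(der, (byte[]) vals.next())) return true;
            }
            return false;
        }
        // presented = request.getAttribute("javax.servlet.request.X509Certificate")[0]; the handshake
        // already tied it to a private key. ldapUrl/userBase are placeholders. The app binds with its own
        // credentials (it has no user key). JNDI escapes {0}, so a crafted CN cannot alter the filter.
        public static boolean isKnownInDirectory(X509Certificate presented, String ldapUrl, String userBase) throws Exception {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] { "userCertificate;binary" });
                NamingEnumeration<SearchResult> hits = ctx.search(userBase, "(cn={0})", new Object[] { commonName(presented) }, sc);
                while (hits.hasMore()) {
                    if (matchesStored(presented, hits.next().getAttributes().get("userCertificate;binary"))) return true;
                }
                return false;
            } finally {
                ctx.close();
            }
        }
    }
    ```

    A match proves the presented certificate is the one the directory knows for that user, not merely one issued by a CA the container trusts; the user's possession of the private key was already proven by the container's SSL handshake.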


    • #3
      Originally posted by Luke
      I'm not quite sure what you mean when you say you "don't want to trust the container"... Why is that? Presumably that's where your app is running, so you would have to trust it? Isn't it the container which is trying to establish the trust of the client in this case?
      Well, I'll try to explain... we want our application to be as independent of the container as we can. In this sense, Acegi's choice was a great decision. Now we want to authenticate the client using x509 with the same philosophy, but this is not entirely possible because the container establishes the SSL connection. So, we have configured Tomcat just to ask for a certificate (clientAuth="want") and then we wanted to verify it against the LDAP server (binding with SASL), which we consider a part of our app.

      I was wrong on one point, because I thought that when Tomcat is just asking for a certificate, it doesn't make any kind of validation (so the app should do it), but that's not true. Even in that case, the client must present a valid certificate (Tomcat must trust the CA that signed the certificate and the client must own the corresponding private key).

      So, I can live without authenticating against the LDAP, but my real problem is bigger than that... When you use user + password authentication, your system can authenticate in your name against a third system (say, for example, a web service) using Basic, Digest or even WS-Security with a username + password token. And then, the third system can decide what you can do based on your roles. But, if you authenticate using X509 with your system, how can it authenticate in your name against the other system?

      Does anybody know how WS-Security works? Because I think it's a very common scenario. You authenticate against a webapp and that app is making remote calls to web services in your name... how can the webapp pass your credentials? I'm only able to find very basic examples based on username + password, but I can't find any working example with certificates.

      Thanks anyway for your help.

      José Luis.