cert based auth

This topic is closed
  • cert based auth

    Hi all, I have searched for information on using the framework for cert based auth and have not been able to find any.

    Has anyone used this for cert based auth and are any pointers available?

  • #2
    It hasn't been done yet. Contributions welcome.


    • #3
      Okay, that is fine. I am happy to give back any code that helps. But before I even start to spend time on this: I currently have a custom-built webapp security framework that is adequately doing my security. I would however like to move to a more widely used and tested framework, and would also like to use Acegi for its declarative role-based authorization, but can live without it if the effort is more than a week or so's worth of work.

      Here are my requirements, and what my current framework provides me:

      1. Automatic redirection to https if http protocol, and also switching back to http once authenticated. (This is done up-front on the first request to attempt an eager login even on public pages, but only done once.)
      2. Support for both cert-based and password-based auth, i.e. if no cert is provided a limited password-based login will be permitted.
      3. If no login is available, an automatic registration that essentially serves as a limited password-based login will be presented.
      4. If cert-based auth, the ability to also validate against an outside data source (in my case a Domino server).
      5. If password-based auth, the ability to store an encrypted cookie with the login information for automatic relogin.
      6. Mixing of basic auth with the above-mentioned auth type config for different internal and external URLs.

      So my questions are:

      1. Can these requirements be met by the current implementation of Acegi?
      2. If not, how much custom code is going to be required to make provision for these requirements?



      • #4
        I can't see any real issues with your requirements - you just need to write the necessary HTTP-level certificate request/response processors. Once they're in place, it's minimal plumbing (a couple of hours or so) to handle the remainder of your requirements. The highest-risk (most complex) issue is writing the certificate handler, so I'd tackle that first. The good news is it will be of wide use to the community, so I'd be happy to look over your code etc. and assist.
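As an added illustration of the "HTTP-level certificate processor" suggested above (example code, not Acegi's and not from anyone in the thread): a plain servlet filter that reads the client certificate the container has already verified during the TLS handshake, bounces plain HTTP to HTTPS once (requirement 1), and falls back to a password login page when no acceptable certificate is present (requirement 2). The session key, login path and subject-DN map are assumptions; the lookup method is where an outside directory such as the Domino server of requirement 4 would be consulted.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical client-certificate filter; assumes the container is configured for mutual TLS. */
public class ClientCertFilter implements Filter {
    // Standard servlet attribute the container fills with the verified client chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String PRINCIPAL_ATTR = "auth.principal";   // session key (assumption)
    static final String LOGIN_PAGE = "/login.jsp";            // password fallback (assumption)

    // Subject DN (RFC 2253 form) -> local username; stands in for an external directory lookup.
    private final Map<String, String> knownSubjects;

    public ClientCertFilter(Map<String, String> knownSubjects) { this.knownSubjects = knownSubjects; }
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        if (session.getAttribute(PRINCIPAL_ATTR) != null) {      // already authenticated: pass through
            chain.doFilter(req, res);
            return;
        }
        // Requirement 1: the eager login attempt must run over TLS, so redirect plain HTTP once.
        if (!request.isSecure()) {
            String query = request.getQueryString() == null ? "" : "?" + request.getQueryString();
            response.sendRedirect("https://" + request.getServerName() + request.getRequestURI() + query);
            return;
        }
        // Requirement 2: prefer the certificate chain the container validated against its truststore.
        X509Certificate[] clientChain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String user = (clientChain == null || clientChain.length == 0) ? null : lookup(clientChain[0]);
        if (user == null) {                                      // no usable cert: offer password login
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        session.setAttribute(PRINCIPAL_ATTR, user);
        chain.doFilter(req, res);
    }

    /** Maps the end-entity certificate to a local user; null means "not accepted". */
    String lookup(X509Certificate cert) {
        try { cert.checkValidity(); }                            // reject expired or not-yet-valid certs
        catch (CertificateException e) { return null; }
        return knownSubjects.get(cert.getSubjectX500Principal().getName());
    }
}
```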