  • Certificate based authentication - progress?

    Hi,

    I have noticed that in the 0.8.1-SNAPSHOT hosted in Maven, some wonderful person named Luke Taylor has submitted a client certificate authentication implementation. I was just about to write one, so this has saved me some work - thanks.

    I was wondering if this implementation is complete (for testing purposes) and if so, is there any supporting docco for these classes, as the JavaDoc seems a little light on the ground. If the classes are ready to go, you have found yourself a devoted tester.

    Cheers,
    Deakin.

  • #2
    Hi,

    There is still some work to be done on the code to tidy things up and I will also write some stuff for the documentation. I guess it's still in an "alpha" state. There is already an X.509 version of the contacts application which appeared to work OK but I need to generate a more appropriate set of certificates/keys for running it and add those to CVS. You can use the configuration there as a guideline for setting up your own web application.

    I've only run the code in JBoss 3.2.7 so far (i.e. Tomcat 5.0). The server.xml configuration looks like this:

    Code:
          <!-- SSL/TLS Connector configuration.
               clientAuth="want" asks the client for a certificate but still accepts
               connections that present none; clientAuth="true" requires one. -->
          <Connector port="8443" address="${jboss.bind.address}"
               maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
               scheme="https" secure="true"
               sslProtocol="TLS"
               clientAuth="want" keystoreFile="${jboss.server.home.dir}/conf/test.p12"
               keystoreType="PKCS12" keystorePass="password"
               truststoreFile="${jboss.server.home.dir}/conf/trust.p12"
               truststoreType="PKCS12" truststorePass="password"
          />
    Test.p12 contains my server certificate and key (signed by a test CA) and trust.p12 contains the CA certificate.

    If you're comfortable messing about with OpenSSL and setting up server and client certificates then that is where most of the work is in getting things up and running.

    To start with, set "clientAuth=true" on the connector and get normal certificate authentication working with the container. Then try adding your webapp, copying the configuration from the contacts example. The X509ProcessingFilter will just pick out the certificate from the request and use it as the credentials for Acegi's authentication.

    http://acegisecurity.sourceforge.net...ref/index.html

    Since we know the certificate is valid (the container has authenticated it), the main concern of the X509AuthenticationProvider

    http://acegisecurity.sourceforge.net...nProvider.html

    is mapping the client certificate to the user's GrantedAuthorities which can be used by Acegi. This is done by configuring an X509AuthoritiesPopulator

    http://acegisecurity.sourceforge.net...Populator.html

    At the moment we have provided a Dao-based implementation but you can use any mechanism you want.

    So feel free to give it a go if you want and let me know how you get on, or if you have any additional questions.

    Any feedback regarding requirements or enhancements also is very welcome.

    cheers,

    Luke.

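    The flow Luke describes (the container verifies the client certificate against the truststore, the filter takes the certificate from the request, the populator turns its subject into GrantedAuthorities), as an added stand-alone Java example that is not Acegi's code and not part of the original thread. It does not implement Acegi's X509AuthoritiesPopulator interface itself, since the exact 0.8.1 signature is not shown in the thread; the class name, the method names, the in-memory CN-to-role table (a stand-in for the Dao or Hibernate lookup mentioned above) and the sample subject names are all assumptions. The request attribute name "javax.servlet.request.X509Certificate" is the standard Servlet one.

```java
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrates the populator step: the container has already verified the
 * client certificate, so all that is left is to map the certificate's subject
 * to an application user and its roles. Stand-alone illustration only; it does
 * not implement Acegi's own X509AuthoritiesPopulator interface.
 */
public class CertificateRoleMapper {

    /** Outcome of the mapping: a username plus the authorities granted to it. */
    public static final class MappedUser {
        public final String username;
        public final List<String> authorities;

        MappedUser(String username, List<String> authorities) {
            this.username = username;
            this.authorities = Collections.unmodifiableList(authorities);
        }
    }

    /** Constructed sample table (stand-in for a Dao/Hibernate lookup): subject CN -> authorities. */
    private static final Map<String, List<String>> AUTHORITIES_BY_CN = Map.of(
            "deakin", List.of("ROLE_USER", "ROLE_SUPERVISOR"),
            "tester", List.of("ROLE_USER"));

    /**
     * What the processing filter sees: the value of the servlet request attribute
     * "javax.servlet.request.X509Certificate" (an X509Certificate[] or null).
     * With clientAuth="want" a client that sends no certificate still completes
     * the TLS handshake, so a missing chain must be handled rather than assumed.
     * Returns the end-entity certificate (first in the chain) or null.
     */
    public static X509Certificate clientCertificate(Object requestAttribute) {
        if (!(requestAttribute instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) requestAttribute;
        return chain.length == 0 ? null : chain[0];
    }

    /** The populator step: trusted certificate in, user and authorities out. */
    public static MappedUser mapCertificate(X509Certificate cert) {
        return mapSubject(cert.getSubjectX500Principal());
    }

    /** Mapping on the subject DN alone, so it can be exercised without a real certificate. */
    public static MappedUser mapSubject(X500Principal subject) {
        String cn = commonName(subject);
        List<String> authorities = AUTHORITIES_BY_CN.get(cn);
        if (authorities == null) {
            // A valid certificate from the trusted CA is not the same as a known
            // user: unknown subjects get no authorities at all.
            throw new IllegalArgumentException("no user registered for CN=" + cn);
        }
        return new MappedUser(cn, authorities);
    }

    /** Pulls the CN attribute out of an RFC 2253 subject name. */
    static String commonName(X500Principal subject) {
        try {
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("unparseable subject: " + subject, e);
        }
        throw new IllegalArgumentException("subject has no CN: " + subject);
    }

    public static void main(String[] args) {
        // Constructed subject DN; in the real flow it comes from cert.getSubjectX500Principal().
        MappedUser user = mapSubject(
                new X500Principal("CN=deakin, OU=Engineering, O=Example Ltd, C=AU"));
        System.out.println(user.username + " -> " + user.authorities);

        // Issued by the trusted CA, but for a subject the application does not know.
        try {
            mapSubject(new X500Principal("CN=stranger, O=Example Ltd, C=AU"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // No certificate presented at all (what clientAuth="want" lets through).
        System.out.println("no cert -> " + clientCertificate(null));
    }
}
```

    The split between clientCertificate and mapSubject mirrors the two concerns in the thread: the filter only has to cope with the certificate being absent (relevant while the connector is left on clientAuth="want"), while the populator decides which of the certificates the CA issued actually correspond to application users. Swapping the in-memory table for a database lookup, as Deakin did with Hibernate, changes only the body of mapSubject.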


    • #3
      Thanks Luke, your reply is going to make this a lot quicker

      I am comfy with dealing with OpenSSL and the like, so I'll get the implementation going and provide you with feedback as I go along.

      Cheers,
      Deakin



      • #4
        Good work Luke. Are there unit tests etc as yet, so I can release 0.8.1?



        • #5
          Luke,

          I have run your code through some pretty tough testing and it seems to be holding up very well. Thanks for contributing the code, it works like a charm.

          Cheers,
          Deakin.



          • #6
            Originally posted by Deakin
            Luke,

            I have run your code through some pretty tough testing and it seems to be holding up very well. Thanks for contributing the code, it works like a charm.

            Cheers,
            Deakin.
            Thanks for the update. Always nice to hear it's working OK for someone else. Are you using your own certificates/CA or the demo ones I uploaded with the contacts application?

            Any feedback on use with different containers would also be v. useful.

            cheers,

            Luke.



            • #7
              No probs.

              I have tested it on Tomcat 5.5.4 (the only app server we use here) and with certificates generated by OpenSSL and keytool. I had no issues.

              I had to write a custom populator to use my Hibernate infrastructure and found the interface clean and simple to work with. Implementation is really very simple and painless. I can't think of any way to make it more simple or effective right now.

              It is heavily used now, so if it goes pop I'll work out why and post it here.

              Cheers,
              Deakin



              • #8
                Originally posted by Deakin
                I had to write a custom populator to use my Hibernate infrastructure and found the interface clean and simple to work with. Implementation is really very simple and painless. I can't think of any way to make it more simple or effective right now.
                Thanks! We really appreciate feedback (good and bad), especially on new features or those that aren't being widely used.
