Trusted Certificate Authentication
I'm not 100% on your question, so I'll deal with it in two parts.
First, if you mean can you use HTTPS transport layer security with Acegi Security, the answer is yes. Your HTTPS certificates can be signed by any certificate authority your client browsers trust. It's not an Acegi Security issue. However, I don't think that was your question. :-)
If you are asking can Acegi Security deal with client authentication using certificates, the answer is not currently. There is no technical reason Acegi Security wouldn't be able to authenticate client certificates, but we just haven't had the need for it as yet.
Acegi Security is highly pluggable, especially in terms of authentication approaches. This is demonstrated by the two layers of code related to authentication:
- The "extract the user's authentication request" layer. This is under net.sf.acegisecurity.ui. We can extract requests from a user form, BASIC authentication headers, a CAS service ticket response or even a web container or JNDI location. There are two types of classes in this layer. The first is an "entry point" which Acegi Security sends to the browser to start the authentication (e.g. redirect to the login form, send a BASIC authentication required header) and the second is the "response processing" which actually extracts the authentication request and presents it to an AuthenticationManager.
- The "pass the user's authentication request to a validation authority" layer. This is under net.sf.acegisecurity.providers. We can present the requests to a DAO-based authentication provider, a CAS service ticket validation provider, and a Dao-with-password authentication provider is being developed at present to handle such cases as LDAP binding.
Generally you can mix and match the layers. So you can collect an authentication request using BASIC authentication (first layer) and present it to the DAO provider (second layer). CAS is the exception as it needs to validate a special CAS obfuscated token.
Your requirement for client certificate authentication can easily be handled by writing an entry point and processor which belongs in the first layer.
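
The first-layer "response processing" step for client certificates could look like the following added example, which is not code from the post or from Acegi Security. `CertAuthRequest` and `ValidationAuthority` are hypothetical stand-ins for the authentication request and the second-layer provider, and the sketch assumes the servlet container has already validated the certificate chain against its trust store during the TLS handshake.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class ClientCertProcessorSketch {
    // Hypothetical stand-ins for the two layers; NOT Acegi Security's own types.
    record CertAuthRequest(String principal, X509Certificate credentials) {}
    interface ValidationAuthority { boolean authenticate(CertAuthRequest request); }

    // Standard Servlet API request attribute under which the container exposes the
    // client's chain (X509Certificate[]) after a handshake with client authentication.
    static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    // First layer: turn the container-supplied chain into an authentication request.
    static CertAuthRequest extract(X509Certificate[] chain)
            throws CertificateException, InvalidNameException {
        if (chain == null || chain.length == 0) {
            return null; // no client certificate presented, nothing to hand on
        }
        X509Certificate leaf = chain[0]; // the client's own certificate comes first
        leaf.checkValidity();            // throws if expired or not yet valid
        LdapName subject = new LdapName(leaf.getSubjectX500Principal().getName());
        for (Rdn rdn : subject.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return new CertAuthRequest(rdn.getValue().toString(), leaf);
            }
        }
        throw new CertificateException("client certificate subject has no CN");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: ClientCertProcessorSketch <cert.pem>"
                    + " (stands in for request attribute " + CERT_ATTRIBUTE + ")");
            return;
        }
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            CertAuthRequest request = extract(new X509Certificate[] { cert });
            // Second layer (constructed): accept only an explicitly known principal.
            ValidationAuthority authority = r -> r != null && "alice".equals(r.principal());
            System.out.println(request.principal() + " authenticated: "
                    + authority.authenticate(request));
        }
    }
}
```

The decision about which certificate subjects map to which users belongs in the second layer; the extraction step only reports who the certificate claims to be.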