  • Trusted Certificate Authentication

    Will Acegi work with a local certificate authority? I guess it really uses PKI encryption.

  • #2
    I'm not 100% on your question, so I'll deal with it in two parts.

    First, if you mean can you use HTTPS transport layer security with Acegi Security, the answer is yes. Your HTTPS certificates can be signed by any certificate authority your client browsers trust. It's not an Acegi Security issue. However, I don't think that was your question. :-)

    If you are asking can Acegi Security deal with client authentication using certificates, the answer is currently not. There is no technical reason Acegi Security wouldn't be able to authenticate client certificates, but we just haven't had the need for it as yet.

    Acegi Security is highly pluggable, especially in terms of authentication approaches. This is demonstrated by the two layers of code related to authentication:

    - The "extract the user's authentication request" layer. This is under net.sf.acegisecurity.ui. We can extract requests from a user form, BASIC authentication headers, a CAS service ticket response or even a web container or JNDI location. There are two types of classes in this layer. The first is an "entry point" which Acegi Security sends to the browser to start the authentication (eg redirect to the login form, send a BASIC authentication required header) and the second is the "response processing" which actually extracts the authentication request and presents it for an AuthenticationManager.

    - The "pass the user's authentication request to a validation authority" layer. This is under net.sf.acegisecurity.providers. We can present the requests to a DAO-based authentication provider, a CAS service ticket validation provider, and a Dao-with-password authentication provider is being developed at present to handle such cases as LDAP binding.

    Generally you can mix and match the layers. So you can collect an authentication request using BASIC authentication (first layer) and present it to the DAO provider (second layer). CAS is the exception as it needs to validate a special CAS obfuscated token.

    Your requirement for client certificate authentication can easily be handled by writing an entry point and processor which belongs in the first layer.
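    As an added illustration of the "first layer" component described above (not code from the original post or from Acegi itself), the following servlet filter extracts the container-verified client certificate chain, re-validates it against a local CA, and hands the verified subject to a stand-in `PrincipalHandler`; in a real integration that hand-off would be to Acegi's AuthenticationManager. The class name, `PrincipalHandler`, and the constructor taking the local CA certificate are assumptions.

    ```java
    import java.io.IOException;
    import java.security.GeneralSecurityException;
    import java.security.cert.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;

    // Hypothetical "extract the authentication request" filter: the container has already
    // done the TLS client-auth handshake; this filter pins the chain to the local CA and
    // presents the subject DN to a validation authority (stand-in interface below).
    public class ClientCertProcessingFilter implements Filter {
        public interface PrincipalHandler { void authenticated(String subjectDn); }
        private final Set<TrustAnchor> anchors;
        private final PrincipalHandler handler;

        public ClientCertProcessingFilter(X509Certificate localCa, PrincipalHandler handler) {
            this.anchors = Collections.singleton(new TrustAnchor(localCa, null));
            this.handler = handler;
        }

        public void init(FilterConfig cfg) {}   public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            // Servlet-spec attribute populated by the container after client-auth TLS
            X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            if (certs == null || certs.length == 0) {
                // "Entry point" role: no certificate to extract, so refuse rather than fall through
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate required");
                return;
            }
            try {
                // Do not rely on the container's trust store alone: require the local CA as anchor
                CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(certs));
                PKIXParameters params = new PKIXParameters(anchors);
                params.setRevocationEnabled(false); // enable and supply CRL/OCSP data in production
                CertPathValidator.getInstance("PKIX").validate(path, params);
            } catch (GeneralSecurityException e) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate not issued by the local CA");
                return;
            }
            // Present the verified subject to the second layer (hypothetical hand-off)
            handler.authenticated(certs[0].getSubjectX500Principal().getName());
            chain.doFilter(req, res);
        }
    }
    ```

    The filter only decides whether the certificate chains to the local CA; mapping the subject DN to an application user and its granted authorities is the job of the second (provider) layer.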


    • #3
      Many thanks.