Authenticate with an x509 certificate against an ldap

[stieuma]

Hello,
I have to do (with Spring Security 3) a user authentication in my application with an x509 certificate contained in a USB device.
My constraints are:
- My Tomcat Application Server is behind a front-end Apache server. But there is no HTTPS / SSL neither on Tomcat, nor on Apache, because the 2 servers are behind an IPS (Intrusion Prevention System) which is in a DMZ, and HTTPS is enabled only in the area.
- Authentication and authorization must be made through an LDAP directory.
Since there is no HTTPS on Tomcat (and no HTTPS on Apache, so no possibility to forward SSL data), I guess what I need is not quite the X509 authentication provided by Spring Security, am I right?

I thought to authenticate checking the validity of the client's certificate by comparing it with the version stored in the ldap (or checking some data from the certificate against the directory), then check auhorizations in the ldap for the user whose certificate has been verified.
But I fail to do this: I have a config that works for authentication by login/password against a ldap, and I try to adapt this config (which is very simple).
Here is my config for Ldap authentication with login/password :

Code:

    <sec:http>
        <sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
        <sec:http-basic />
    </sec:http>
	
	<sec:ldap-server url="ldap://localhost:389/o=tammis"
			manager-dn="cn=ldapManager,o=tammis"
                        manager-password="pwd123" />

	<sec:authentication-manager>
	        <sec:ldap-authentication-provider  
	        		user-search-filter="(uid={0})"
	        		user-search-base="ou=users"
	        		group-search-filter="(uniqueMember={0})"
	        		group-search-base="ou=groups"
	        		group-role-attribute="cn" />
	</sec:authentication-manager>

How can I switch from this config for an authentication with login/password against an ldap, to a config to authenticate the user against an LDAP using the information of his certificate ?
Is there a standard mechanism, or do I have to develop my own objects (UsersDetails, LdapAuthoritiesPopulator, ...)

Thanx in advance

Stieuma

[marcelstoer]

Hhmm, I think with your setup I'd do the X.509 authentication on Apache instead of Spring Security.

[stieuma]

Hhmm, I think with your setup I'd do the X.509 authentication on Apache instead of Spring Security.

No possible because Spring Security does Authent AND Authorizations check (using roles)

[stieuma]

Finally, I did it with a custom authentication provider, and a custom preauthenticated filter.

[stimpy]

Stieuma

I would agree with Marcel . I just implemented x509 certs with LDAP authorities.

I am not sure what the x509 certificate is supposed to accomplish without SSL/TLS negotiation. As far I I know Spring does not do this negotiation. Without SSL/TLS and a system using RA you have no encryption and the certificate is no better then reading a file .

In my case I configured my x509 SSL/TLS connection on tomcat and once a SSL connection is established I using spring to extract the CN and match that against the LDAP server so I know that you can sperate the authentication from the authorities.

In your case it seems you need to investigate a CAS or SSO setup where you establish authentication at one point and then get authorities at another. The spring security book covers these scenarios and I used it as a starting point.

[warrenc5]

Right Job, wrong tool. The problem with a spring concentric viewport is you don't even consider the fact that JAVA & JEE has this security mechanism designed "directly" into the specification and is compliant with the java security manager concept and accessible through context propagation and J.A.A.S. authenticator in the Servlet engine. If in doubt read the spec.

JSR 318: Enterprise JavaBeansTM,Version 3.1

15.8Security Interoperability.................................. ................................................ 418
15.8.1.1 Trust Relationships Between Containers, Principal Propagation419
15.8.1.2 Application Client Authentication.................................... .. 420


Btw, Thank god sun designed Java before Oracle takeover.