Certificate based authentication - progress?

**Deakin** · Mar 15th, 2005, 11:09 PM

Hi,

I have noticed that in the 0.8.1-SNAPSHOT hosted in Maven, some wonderful person named Luke Taylor has submitted a client certificate authentication implementation. I was just about to write one, so this has saved me some work - thanks.

I was wondering if this implementation is complete (for testing purposes) and if so, is there any supporting docco for these classes, as the JavaDoc seems a little light on the ground. If the classes are ready to go, you have found yourself a devoted tester

.

Cheers,
Deakin.

**Luke Taylor** · Mar 16th, 2005, 10:23 AM

Hi,

There is still some work to be done on the code to tidy things up and I will also write some stuff for the documentation. I guess it's still in an "alpha" state. There is already an X.509 version of the contacts application which appeared to work OK but I need to generate a more appropriate set of certificates/keys for running it and add those to CVS. You can use the configuration there as a guideline for setting up your own web application.

I've only run the code in JBoss 3.2.7 so far (i.e. Tomcat 5.0). The server.xml configuration looks like this

Code:

      <!-- SSL/TLS Connector configuration -->
      <Connector port="8443" address="$&#123;jboss.bind.address&#125;"
           maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
           scheme="https" secure="true" 
           sslProtocol = "TLS"
		   clientAuth="want" keystoreFile="$&#123;jboss.server.home.dir&#125;/conf/test.p12" 
	       keystoreType="PKCS12" keystorePass="password"
		   truststoreFile="$&#123;jboss.server.home.dir&#125;/conf/trust.p12" 
		   truststoreType="PKCS12" truststorePass="password"
		/>

Test.p12 contains my server certificate and key (signed by a test CA) and trust.p12 contains the CA certificate.

If you're comfortable messing about with openSSL and setting up server and client certificates then that is where most of the work is in getting things up and running.

To start with, set "clientAuth=true" on the connector and get normal certificate authentication working with the container. Then try adding your webapp, copying the configuration from the contacts example. The X509ProcessingFilter will just pick out the certificate from the request and use it as the credetials for Acegi's authentication.

http://acegisecurity.sourceforge.net...ref/index.html

Since we know the certificate is valid (the container has authenticated it), the main concern of the X509AuthenticationProvider

http://acegisecurity.sourceforge.net...nProvider.html

is mapping the client certificate to the user's GrantedAuthorities which can be by Acegi. This is done by configuring an X509AuthoritiesPopulator

http://acegisecurity.sourceforge.net...Populator.html

At the moment we have provided a Dao-based implementation but you can use any mechanism you want.

So feel free to give it a go if you want and let me know how you get on, or if you have any additional questions.

Any feedback regarding requirements or enhancements also is very welcome.

cheers,

Luke.

**Deakin** · Mar 16th, 2005, 08:33 PM

Thanks Luke, your reply is going to make this a lot quicker

I am comfy with dealing with OpenSSL and the like, so I'll get the implementation going and provide you with feedback as I go along.

Cheers,
Deakin

**Ben Alex** · Mar 17th, 2005, 05:16 PM

Good work Luke. Are there unit tests etc as yet, so I can release 0.8.1?

**Deakin** · Mar 28th, 2005, 06:39 AM

Luke,

I have run your code through some pretty tough testing and it seems to be holding up very well. Thanks for contributing the code, it works like a charm.

Cheers,
Deakin.

**Luke Taylor** · Mar 28th, 2005, 08:35 AM

Originally Posted by Deakin

Luke,

I have run your code through some pretty tough testing and it seems to be holding up very well. Thanks for contributing the code, it works like a charm.

Cheers,
Deakin.

Thanks for the update. Always nice to hear it's working OK for someone else

. Are you using your own certificates/CA or the demo ones I uploaded with the contacts application?

Any feedback on use with different containers would also be v. useful.

cheers,

Luke.

**Deakin** · Mar 28th, 2005, 04:55 PM

No probs.

I have tested it on Tomcat 5.5.4 (the only app server we use here) and with certificates generated by OpenSSL and keytool. I had no issues.

I had to write a custom populator to use my Hibernate infrastructure and found the interface clean and simple to work with. Implementation is really very simple and painless. I can't think of any way to make it more simple or effective right now.

It is heavily used now, so if it goes pop I'll work out why and post it here.

Cheers,
Deakin

**Ben Alex** · Mar 29th, 2005, 06:57 PM

Originally Posted by Deakin

I had to write a custom populator to use my Hibernate infrastructure and found the interface clean and simple to work with. Implementation is really very simple and painless. I can't think of any way to make it more simple or effective right now.

Thanks! We really appreciate feedback (good and bad), especially on new features or those that aren't being widely used.

Thread: Certificate based authentication - progress?

Thread Tools

Display

Certificate based authentication - progress?

Similar Threads

Problem: SecureContextImpl reused in subsequent session

Loosing my SecureContext

Method call why not be intercepted by MethodSecurityIntercep

Timeout and the Login pages with Form based authentication

Posting Permissions