[security-dev] PicketLink Capabilities - Authentication
bburke at redhat.com
Thu Nov 29 11:18:47 EST 2012
On 11/29/2012 11:01 AM, Darran Lofthouse wrote:
> Hello Bill,
> On 11/29/2012 03:35 PM, Bill Burke wrote:
>> On 11/29/2012 6:13 AM, Darran Lofthouse wrote:
>>> Hello all,
>>> Just looking at how I could make use of PicketLink within AS7 and have
>>> a couple of questions.
>>> For Digest based authentication mechanisms I see there is some initial
>>> support but I have a couple more requirements I will raise separately.
>>> The next area I am looking into is SSL and Client Cert style
>>> authentication - a couple of things I am interested in here is - is
>>> there a capability to take a certificate, validate it and then return
>>> the identity of the user from that certificate? i.e. I am not looking
>>> to load the user first and then validate the certificate.
>> It's pretty simple to write. I'll be writing LoginModule to support this
>> very soon (HTTPS only). You just want cert validation right? Do you
>> need access to the cert? Or can you just get the principal String name?
> Whilst it is possible in most situations to identify a name from the
> certificate what I would like is to eliminate this if it is not strictly
> So at the connection level trust would have already been established on
> the connection as that negotiation process would have included
> verification with a X509TrustStore but then to identify the User I just
> want to pass in the Certificate and have the user returned - or
> something along those lines.
Ah, ok, I thought you were talking about something different. I just
had a need for a LoginModule that just pulled a verified cert and
created a Principal using the X500Name of the verified client-cert. No
user lookup with any identity-manager (local or remote), just
verification of the cert.
>>> Secondly in this area could it be conceivable to implement a
>>> X509TrustStore that is backed by PicketLink? If we could obtain all
>>> valid certificates or the certificate of a CA we could create
>>> something in advance but I am interested in if we could have something
>>> more dynamic.
>> At least for HTTPS, I've found that JBossWeb does the validation of the
>> client-cert if you provide it a truststore.
> Yes that is the scenario I am looking into but rather than providing a
> file based truststore I want to be creating a SSLContext instance that
> is initialised using a X509TrustStore that is in turn backed by PicketLink.
That would be cool. Then you could match up specific security domains
to specific certificates. In other words, create a mapping between
security domains and various certificate attributes. Then cert
verification could be delegated to a security domain.
Good luck getting this ability in JBoss Web though :) Personally I'm
working around what's there.
JBoss, a division of Red Hat
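The two pieces discussed in this message (a LoginModule that builds a Principal straight from an already-verified client cert with no identity-store lookup, and an SSLContext whose trust decisions come from a dynamic, PicketLink-backed source instead of a file truststore) as an added example. This is not code from the thread or from PicketLink/JBoss Web; the `TrustAnchorSource` interface is a hypothetical stand-in for whatever PicketLink query would return the currently trusted CA certificates, and `javax.security.auth.x500.X500Principal` is used for the DN rather than the internal `X500Name` mentioned above. Revocation checking is switched off on the assumption that it is handled by the identity store; a deployment that relies on this class for revocation must enable it.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/** X509TrustManager whose anchors are looked up on every handshake, so a CA added to or
 *  removed from the backing store takes effect without rebuilding the SSLContext. */
public final class DynamicTrustManager implements X509TrustManager {

    /** Hypothetical source of trusted CA certs; a real one would query PicketLink. */
    public interface TrustAnchorSource {
        Collection<X509Certificate> currentTrustedCAs();
    }

    private final TrustAnchorSource source;

    public DynamicTrustManager(TrustAnchorSource source) {
        this.source = source;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        validate(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        validate(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Sent to the client in the CertificateRequest so it can pick a matching cert.
        return source.currentTrustedCAs().toArray(new X509Certificate[0]);
    }

    /** PKIX path validation of the presented chain against the anchors as of right now. */
    private void validate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        Set<X509Certificate> anchorCerts = new HashSet<X509Certificate>(source.currentTrustedCAs());
        for (X509Certificate ca : anchorCerts) {
            anchors.add(new TrustAnchor(ca, null));
        }
        if (anchors.isEmpty()) {
            throw new CertificateException("no trust anchors available from backing store");
        }
        // A client may send its issuing CA as the last element; the anchor itself must not
        // be part of the path handed to the validator, so strip anchors off the tail.
        List<X509Certificate> path = new ArrayList<X509Certificate>(Arrays.asList(chain));
        while (!path.isEmpty() && anchorCerts.contains(path.get(path.size() - 1))) {
            path.remove(path.size() - 1);
        }
        if (path.isEmpty()) {
            throw new CertificateException("chain consists only of trust anchors");
        }
        try {
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // assumption: revocation is handled by the identity store
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (CertPathValidatorException e) {
            throw new CertificateException("client certificate chain rejected", e);
        } catch (InvalidAlgorithmParameterException e) {
            throw new CertificateException("bad PKIX parameters", e);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("PKIX validator unavailable", e);
        }
    }

    /** The LoginModule-side step from the message above: no user lookup, the Principal is
     *  simply the subject DN of the cert the TLS layer has already verified. */
    public static Principal principalFromVerifiedCert(X509Certificate verified) {
        X500Principal subject = verified.getSubjectX500Principal();
        return subject; // X500Principal implements Principal; getName() yields the RFC 2253 DN
    }

    /** SSLContext initialised from the dynamic trust source instead of a file truststore.
     *  Key managers for the server's own certificate are left null here (assumption). */
    public static SSLContext buildContext(TrustAnchorSource source)
            throws NoSuchAlgorithmException, java.security.KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new DynamicTrustManager(source) }, null);
        return ctx;
    }
}
```

Wiring the SSLContext produced by `buildContext` into the connector is the part that depends on JBoss Web internals, which is the obstacle the message above alludes to; the trust manager itself is plain JSSE and can be exercised against any `SSLEngine` or `SSLSocket` created from that context.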