[security-dev] PicketLink Capabilities - Authentication

Bill Burke bburke at redhat.com
Thu Nov 29 11:18:47 EST 2012

On 11/29/2012 11:01 AM, Darran Lofthouse wrote:
> Hello Bill,
> On 11/29/2012 03:35 PM, Bill Burke wrote:
>> On 11/29/2012 6:13 AM, Darran Lofthouse wrote:
>>> Hello all,
>>> Just looking at how I could make use of PicketLink within AS7 and have
>>> a couple of questions.
>>> For Digest based authentication mechanisms I see there is some initial
>>> support but I have a couple more requirements I will raise separately.
>>> The next area I am looking into is SSL and Client Cert style
>>> authentication - a couple of things I am interested in here is - is
>>> there a capability to take a certificate, validate it and then return
>>> the identity of the user from that certificate?  i.e. I am not looking
>>> to load the user first and then validate the certificate.
>> It's pretty simple to write.  I'll be writing LoginModule to support this
>> very soon (HTTPS only).  You just want cert validation right?  Do you
>> need access to the cert?  Or can you just get the principal String name?
> Whilst it is possible in most situations to identify a name from the
> certificate what I would like is to eliminate this if it is not strictly
> necessary.
> So at the connection level trust would have already been established on
> the connection as that negotiation process would have included
> verification with an X509TrustStore but then to identify the User I just
> want to pass in the Certificate and have the user returned - or
> something along those lines.

Ah, ok, I thought you were talking about something different.  I just 
had a need for a LoginModule that just pulled a verified cert and 
created a Principal using the X500Name of the verified client-cert.  No 
user lookup with any identity-manager (local or remote), just 
verification of the cert.

>>> Secondly in this area could it be conceivable to implement a
>>> X509TrustStore that is backed by PicketLink?  If we could obtain all
>>> validated certificates or the certificate of a CA we could create
>>> something in advance but I am interested in if we could have something
>>> more dynamic.
>> At least for HTTPS, I've found that JBossWeb does the validation of the
>> client-cert if you provide it a truststore.
> Yes that is the scenario I am looking into but rather than providing a
> file based truststore I want to be creating a SSLContext instance that
> is initialised using an X509TrustStore that is in turn backed by PicketLink.

That would be cool.  Then you could match up specific security domains 
to specific certificates.  In other words, create a mapping between 
security domains and various certificate attributes.  Then cert 
verification could be delegated to a security domain.

Good luck getting this ability in JBoss Web though :)  Personally I'm 
working around what's there.


Bill Burke
JBoss, a division of Red Hat
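An added example, not code from this thread, PicketLink or JBoss Web, of the design Darran describes: an SSLContext initialised with a trust manager (the JDK's X509TrustManager, which the thread calls an X509TrustStore) that first validates the client chain against CA certificates and then resolves the verified certificate's subject through an identity lookup, plus the cert-to-Principal step from Bill's LoginModule. IdentityBackedTrustManager and IdentityLookup are hypothetical names; a real PicketLink-backed lookup would replace the interface.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

/** PKIX chain validation first, then the verified leaf's subject must resolve in an identity store. */
public final class IdentityBackedTrustManager implements X509TrustManager {
    /** Hypothetical lookup standing in for a PicketLink-backed store (an assumption of this example). */
    public interface IdentityLookup {
        String userForSubject(X500Principal subject); // user id, or null if the subject is unknown
    }
    private final X509TrustManager pkix;
    private final IdentityLookup identities;

    /** caTrustStore holds only CA certificates; end-entity certs are never enumerated up front. */
    public IdentityBackedTrustManager(KeyStore caTrustStore, IdentityLookup identities) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caTrustStore);
        this.pkix = (X509TrustManager) tmf.getTrustManagers()[0]; // default factory yields one X509TrustManager
        this.identities = identities;
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkClientTrusted(chain, authType); // signature, validity period and chain to a trusted CA
        X500Principal subject = chain[0].getSubjectX500Principal(); // chain[0] is the end-entity certificate
        if (identities.userForSubject(subject) == null) {
            throw new CertificateException("valid chain but no identity mapped to " + subject.getName());
        }
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkServerTrusted(chain, authType); // outbound connections stay plain PKIX
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return pkix.getAcceptedIssuers(); // CA names advertised in the TLS CertificateRequest
    }
    /** The Principal Bill describes: the X500 name of the already verified client certificate. */
    public static X500Principal principalFor(X509Certificate verifiedClientCert) {
        return verifiedClientCert.getSubjectX500Principal();
    }
    /** SSLContext wired to this trust manager; the server's own key managers are left to the caller. */
    public static SSLContext sslContext(KeyStore caTrustStore, IdentityLookup identities) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new IdentityBackedTrustManager(caTrustStore, identities) }, null);
        return ctx;
    }
}
```

Because chain validation runs before the lookup, the identity store is only consulted for certificates issued by a trusted CA, and a subject it does not know is rejected during the handshake rather than after the connection is established.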
