On 11/29/2012 11:01 AM, Darran Lofthouse wrote:
> Hello Bill,
>
> On 11/29/2012 03:35 PM, Bill Burke wrote:
>>
>>
>> On 11/29/2012 6:13 AM, Darran Lofthouse wrote:
>>> Hello all,
>>>
>>> Just looking at how I could make use of PicketLink within AS7 and have
>>> a couple of questions.
>>>
>>> For Digest based authentication mechanisms I see there is some initial
>>> support but I have a couple more requirements I will raise separately.
>>>
>>> The next area I am looking into is SSL and Client Cert style
>>> authentication - a couple of things I am interested in here is - is
>>> there a capability to take a certificate, validate it and then return
>>> the identity of the user from that certificate? i.e. I am not looking
>>> to load the user first and then validate the certificate.
>>
>> It's pretty simple to write. I'll be writing a LoginModule to support this
>> very soon (HTTPS only). You just want cert validation right? Do you
>> need access to the cert? Or can you just get the principal String name?
>
> Whilst it is possible in most situations to identify a name from the
> certificate, what I would like is to eliminate this if it is not strictly
> necessary.
>
> So at the connection level trust would have already been established on
> the connection, as that negotiation process would have included
> verification with an X509TrustStore, but then to identify the User I just
> want to pass in the Certificate and have the user returned - or
> something along those lines.

Ah, ok, I thought you were talking about something different. I just
had a need for a LoginModule that just pulled a verified cert and
created a Principal using the X500Name of the verified client-cert. No
user lookup with any identity-manager (local or remote), just
verification of the cert.

>>> Secondly in this area could it be conceivable to implement an
>>> X509TrustStore that is backed by PicketLink? If we could obtain all
>>> valid certificates or the certificate of a CA we could create
>>> something in advance, but I am interested in if we could have something
>>> more dynamic.
>>
>> At least for HTTPS, I've found that JBossWeb does the validation of the
>> client-cert if you provide it a truststore.
>
> Yes that is the scenario I am looking into, but rather than providing a
> file based truststore I want to be creating an SSLContext instance that
> is initialised using an X509TrustStore that is in turn backed by PicketLink.

That would be cool. Then you could match up specific security domains
to specific certificates. In other words, create a mapping between
security domains and various certificate attributes. Then cert
verification could be delegated to a security domain.

Good luck getting this ability in JBoss Web though :) Personally I'm
working around what's there.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
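As an added illustration, not code from this thread, from PicketLink or from JBoss, here is one way the two pieces discussed above can be built on plain JDK APIs: an X509TrustManager whose client-certificate trust decision is delegated to a store that can change at runtime (a ConcurrentHashMap stands in for a PicketLink identity lookup; the class and method names are my own), an SSLContext initialised with that manager instead of a file-based truststore, and a mapping from an already-verified client certificate to a Principal with no user lookup at all.

```java
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical trust manager: the set of acceptable client certificates is
 * looked up at handshake time from an in-memory store rather than loaded once
 * from a truststore file. Swap the map for an identity-store query to get the
 * "backed by PicketLink" behaviour discussed in the thread.
 */
public final class IdentityStoreTrustManager implements X509TrustManager {

    // Subject DN -> certificate currently on file for that subject. Entries can be
    // added or revoked while the server is running, which a KeyStore file cannot do.
    private final Map<X500Principal, X509Certificate> onFile = new ConcurrentHashMap<>();

    public void register(X509Certificate cert) {
        onFile.put(cert.getSubjectX500Principal(), cert);
    }

    public void revoke(X500Principal subject) {
        onFile.remove(subject);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        X509Certificate presented = chain[0];
        presented.checkValidity(); // notBefore / notAfter

        X509Certificate expected = onFile.get(presented.getSubjectX500Principal());
        // Compare the whole certificate, not only the subject DN: X509Certificate.equals()
        // compares the DER encoding, so a different certificate carrying the same name fails.
        if (expected == null || !expected.equals(presented)) {
            throw new CertificateException(
                "no registered certificate for " + presented.getSubjectX500Principal());
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // This manager is only meant for the server side of a client-cert handshake.
        throw new CertificateException("server certificates are not handled here");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Advertised to clients in the TLS CertificateRequest. With self-signed per-user
        // certificates the registered certificates themselves are the issuers; if users
        // hold CA-issued certificates, return the CA certificates here instead.
        return onFile.values().toArray(new X509Certificate[0]);
    }

    /** SSLContext whose client-cert validation is delegated to this manager. */
    public SSLContext sslContext(KeyManager[] serverKeys) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(serverKeys, new TrustManager[] { this }, null);
        return ctx;
    }

    /**
     * The "no user lookup" identity step: the certificate has already been validated
     * by the handshake, so the Principal is simply its subject name.
     */
    public static Principal principalFor(X509Certificate verifiedClientCert) {
        return verifiedClientCert.getSubjectX500Principal();
    }
}
```

Two caveats a practitioner would want before using something like this. First, the manager above matches a presented leaf certificate against one on file; if the store holds CA certificates rather than end-entity certificates, replace the equality check with a PKIX path validation (`CertPathValidator.getInstance("PKIX")`) so that chain building, signature checking and revocation are done properly. Second, `principalFor` is only safe because it is handed a certificate the TLS layer has already verified; in a servlet container that certificate is the one exposed under the standard `javax.servlet.request.X509Certificate` request attribute, and a LoginModule that reads it from anywhere else (a header, a form field) would be trusting an unverified value.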