geronimo-dev mailing list archives

From "David Jencks (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-4779) Add cert authentication support for Jetty7 module
Date Fri, 31 Jul 2009 03:58:15 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12737413#action_12737413
] 

David Jencks commented on GERONIMO-4779:
----------------------------------------

Previously we were using a login module that accepted CertificateCallbacks.  However, once
SSL has accepted the client certificate, there is nothing further we can reasonably do to
authenticate them.  All we can do is install some principals into the subject.  The jetty
(and IIUC until Jarek changed it) tomcat client cert authenticators however are not supplying
certificates but the x509 names from them.

I think the best approach is a new login module that just adds principals to the subject for
recognized users.  This is also needed for stuff like openid where the authentication happens
entirely externally and the only info we get is the user's identity and we have to assign
principals that map to roles.

> Add cert authentication support for Jetty7 module
> -------------------------------------------------
>
>                 Key: GERONIMO-4779
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4779
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.2
>            Reporter: Ivan
>             Fix For: 2.2
>
>         Attachments: Geronimo-4776.patch
>
>
> Currently, the jetty module does not support client-cert authentication

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
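
One way to write the kind of login module the comment above describes, as an added example that is not part of the original message or the Geronimo code base. The class name, the `NamedPrincipal` type and the constructed user-to-role map are hypothetical; it assumes the web container's authenticator has already verified the caller and passes the X.509 subject name (or other external identity) through a standard JAAS `NameCallback`.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical module: authentication already happened externally (TLS client
// cert, OpenID, ...); this module only maps the asserted name to principals.
public class ExternalIdentityLoginModule implements LoginModule {
    // Constructed sample mapping; a real deployment would load it from configuration.
    private static final Map<String, List<String>> KNOWN = Map.of(
        "CN=alice,O=Example", List.of("admin", "user"),
        "CN=bob,O=Example", List.of("user"));

    // Simplification: one principal type is used for both the user and its roles.
    public record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private final Set<Principal> pending = new HashSet<>();

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("name");
        try {
            handler.handle(new Callback[] { nc });
        } catch (Exception e) {
            throw new LoginException("cannot obtain identity: " + e);
        }
        // Fail closed: a missing or unrecognized name gets no principals at all.
        List<String> roles = nc.getName() == null ? null : KNOWN.get(nc.getName());
        if (roles == null) throw new FailedLoginException("unrecognized user");
        pending.add(new NamedPrincipal(nc.getName()));
        roles.forEach(r -> pending.add(new NamedPrincipal(r)));
        return true;
    }

    // Principals reach the Subject only at commit, so a failed login stack leaves it untouched.
    public boolean commit() { subject.getPrincipals().addAll(pending); return true; }
    public boolean abort() { pending.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(pending); pending.clear(); return true; }
}
```

Because the module performs no credential check of its own, it is only safe in a login configuration whose callback handler is fed by an authenticator that has already validated the certificate or external assertion.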

