Version 5

    Mapping the SSL X509Certificate to a Principal

    The principal passed to the security layer for authentication when CLIENT-CERT authentication is enabled is derived from the client certificate. To control which name is extracted from the certificate, specify a CertificatePrincipal implementation:

    package org.jboss.security.auth.certs;

    import java.security.Principal;
    import java.security.cert.X509Certificate;

    /** An interface for converting an X509 cert chain to a Principal.
     */
    public interface CertificatePrincipal
    {
       /**
        * Return the Principal associated with the specified chain of X509
        * client certificates.  If there is none, return <code>null</code>.
        *
        * @param certs Array of client certificates, with the first one in
        * the array being the certificate of the client itself.
        * @return the mapped Principal, or null if no principal can be derived
        */
       public Principal toPrinicipal(X509Certificate[] certs);
    }


    Implementations bundled with JBoss include:

    • org.jboss.security.auth.certs.SerialNumberIssuerDNMapping - implementation that builds the principal name based on the cert serialNumber and issuerDN

    • org.jboss.security.auth.certs.SubjectCNMapping - implementation that uses the CN='...' attribute of the client cert SubjectDN as the principal name.

    • org.jboss.security.auth.certs.SubjectDNMapping - implementation that uses the full client cert SubjectDN as the principal name.

    • org.jboss.security.auth.certs.SubjectX500Principal (4.0.4+) - implementation that uses the client cert SubjectX500Principal as the principal.
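    A custom mapping written against the interface above, as an added example (not one of the bundled JBoss implementations). It maps the leaf certificate to a principal named after the Subject CN, but parses the DN with javax.naming.ldap.LdapName instead of searching for the substring "CN=", so escaped commas, quoting and attribute-type case are handled by the RFC 2253 parser, and it returns null (unauthenticated) when the subject has no CN or an ambiguous pair of CNs. The package name com.example.security and the class name StrictSubjectCNMapping are placeholders; the JBoss interface is assumed to be on the classpath, and the main method exercises the parser on constructed subject strings so no certificate is needed to run it.

```java
package com.example.security; // hypothetical package, not part of JBoss

import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

import org.jboss.security.auth.certs.CertificatePrincipal; // the interface shown above

/**
 * Maps the client's leaf certificate to a Principal named after the
 * Subject DN's CN attribute, using a real DN parser rather than string
 * matching. Added example; not a bundled JBoss class.
 */
public class StrictSubjectCNMapping implements CertificatePrincipal
{
   /** Minimal Principal carrying only a name. */
   static final class NamedPrincipal implements Principal
   {
      private final String name;
      NamedPrincipal(String name) { this.name = name; }
      public String getName() { return name; }
      @Override public String toString() { return name; }
      @Override public boolean equals(Object o)
      { return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name); }
      @Override public int hashCode() { return name.hashCode(); }
   }

   // Method name spelled exactly as in the CertificatePrincipal interface above.
   public Principal toPrinicipal(X509Certificate[] certs)
   {
      // certs[0] is the client's own certificate; the rest is its chain.
      if (certs == null || certs.length == 0 || certs[0] == null)
         return null;
      String cn = cnFromSubject(certs[0].getSubjectX500Principal());
      // No usable CN: return null so the realm treats the client as
      // unauthenticated instead of mapping it to an empty or arbitrary name.
      return cn == null ? null : new NamedPrincipal(cn);
   }

   /**
    * Returns the value of the single CN RDN in the subject, or null when the
    * subject has no CN, has more than one CN, has a non-string (hex-encoded)
    * CN value, or cannot be parsed.
    */
   static String cnFromSubject(X500Principal subject)
   {
      if (subject == null) return null;
      String cn = null;
      try
      {
         // RFC 2253 output keeps the short attribute types (CN, OU, O).
         LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
         for (Rdn rdn : dn.getRdns())
         {
            if (rdn.getType().equalsIgnoreCase("CN"))
            {
               if (cn != null) return null; // ambiguous: two CN attributes
               Object value = rdn.getValue();  // unescaped; byte[] for hex-encoded values
               if (!(value instanceof String) || ((String) value).isEmpty()) return null;
               cn = (String) value;
            }
         }
      }
      catch (InvalidNameException e)
      {
         return null;
      }
      return cn;
   }

   public static void main(String[] args)
   {
      // Constructed sample subjects; the parser needs no real certificate.
      String[] samples = {
         "CN=alice, OU=dev, O=Example",
         "CN=alice\\, admin, O=Example",    // escaped comma inside the CN value
         "cn=bob, o=Example",               // lower-case attribute types
         "OU=dev, O=Example",               // no CN at all -> null
         "CN=alice, CN=mallory, O=Example"  // two CNs -> null (ambiguous)
      };
      for (String s : samples)
         System.out.println(s + " -> " + cnFromSubject(new X500Principal(s)));
   }
}
```

    The mapping only runs after the SSL layer has validated the chain, so the class trusts certs[0] as the authenticated client certificate and derives nothing from the other entries. Returning null rather than a fallback name is what lets the realm reject a certificate whose subject does not fit the naming scheme.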


    The CertificatePrincipal is configured on the JBossWeb container by editing the jbossweb-tomcat.sar/server.xml and setting the certificatePrincipal attribute on the configured Realm:

    <!-- The JAAS based authentication and authorization realm implementation
         that is compatible with the jboss 3.2.x realm implementation.
         - certificatePrincipal : the class name of the
           org.jboss.security.auth.certs.CertificatePrincipal impl
           used for mapping X509[] cert chains to a Principal.
    -->
    <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
       certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
       ></Realm>
    <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
         behavior of JBossSecurityMgrRealm, but overrides the authorization
         checks to use JACC permissions with the current java.security.Policy
         to determine authorized access.
    <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
       certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
       ></Realm>
    -->