I am trying to create a login mechanism that uses client certificates and username/password techniques.
What I have right now is a Tomcat check whether the certificate is valid and a login via username/password. What I need is a way to actually access the certificate, to not only check its validity but also its relation to the username.
I have a web page named I.com; Alice and Bob want access to the private part of the page. Both of them provide valid usernames and passwords, but Bob stole Alice's certificate and tries to log in with that certificate.
My current implementation submits both to the private area, since both provide valid credentials (Alice with Username=Alice, Password=Alice, Certificate=Alice; Bob with Username=Bob, Password=Bob, Certificate=Alice) and the certificate is not cross-checked with the username.
Now I need a way to grab the certificate and check it against the provided username and password, seeing if the person logging in is the person the certificate was made for, so that Bob in the example above would not be submitted, because the certificate does not match his other credentials.
Thanks for your help.
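One way to do the cross-check the question asks for, as an added example that is not code from the original post: a servlet filter that reads the client certificate Tomcat has already validated (the container exposes it on the request as the `javax.servlet.request.X509Certificate` attribute) and refuses the request unless the certificate's subject CN equals the name of the user that form or BASIC login authenticated. The rule "username must equal subject CN" is an assumption made for this example; if your CA does not guarantee unique CNs, store a SHA-256 fingerprint of each user's certificate in the user database instead and compare that (the `expectedFingerprint` hook below is a constructed placeholder for such a lookup). The request attribute is the same whatever framework sits on top of the servlet, so a Seam component can read it the same way.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the poster's code. Binds the TLS client certificate that
 * Tomcat validated (clientAuth="true" on the connector) to the container
 * authenticated user. Assumes the login (FORM/BASIC) has already run, so
 * request.getUserPrincipal() is populated when this filter executes.
 */
public class CertificateBindingFilter implements Filter {

    // Attribute name defined by the Servlet specification for the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String user = request.getUserPrincipal() == null
                ? null : request.getUserPrincipal().getName();
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        // No authenticated user or no client certificate: deny, do not fall through.
        if (user == null || certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // certs[0] is the end-entity (client) certificate; the rest is the chain.
        if (!certificateBelongsToUser(user, certs[0])) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns true only if the certificate is bound to the given user name. */
    static boolean certificateBelongsToUser(String user, X509Certificate cert) {
        String pinned = expectedFingerprint(user);
        if (pinned != null) {
            // Strongest binding: the exact certificate the user enrolled with.
            return pinned.equalsIgnoreCase(sha256Hex(cert));
        }
        // Fallback binding assumed for this example: subject CN equals user name.
        String cn = extractCn(cert);
        return cn != null && cn.equals(user);
    }

    /** Placeholder for a user-store lookup; returns null when nothing is pinned. */
    static String expectedFingerprint(String user) {
        return null; // e.g. SELECT cert_sha256 FROM users WHERE name = ?
    }

    static String extractCn(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN: treat as having no CN, which fails the check.
        }
        return null;
    }

    static String sha256Hex(X509Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            return ""; // never matches a stored fingerprint
        }
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml onto the protected URL pattern (for example `/private/*`) so it runs after the container's security constraint has authenticated the user; in the scenario above, Bob logs in as Bob but presents Alice's certificate, so the CN check (or the pinned fingerprint) fails and he receives 403 instead of the private area.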
More or less, I'm facing the same problem.
Is there any solution for this?
Is it possible to read the client certificate with Seam, using Seam security and thus avoiding Java EE security?