Posted to ftpserver-dev@incubator.apache.org by Niklas Gustavsson <ni...@protocol7.com> on 2006/11/28 21:56:05 UTC

Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

What do you all think of this RFE? I would be happy to add the 
onLoginFail() method to the FtpLet interface if you don't disagree.

I would be more reluctant to add in the IP in the UserManager, that 
doesn't seem like the right place to allow users to extend functionality 
for handling an event like this.

/niklas

Clinton Foster (JIRA) wrote:
> Add onLoginFail() to Ftplet interface
> -------------------------------------
> 
>                  Key: FTPSERVER-52
>                  URL: http://issues.apache.org/jira/browse/FTPSERVER-52
>              Project: FtpServer
>           Issue Type: Improvement
>             Reporter: Clinton Foster
>             Priority: Minor
> 
> 
> Particularly in cases where the FTP server is embedded in another application, it is important to be able to determine the IP address of the remote client when authentication fails. One possibility would be to provide access to the remote address from UserManager.authenticate(). (This might be useful for other reasons as well.) A more generic approach that would not require a custom UserManager implementation would be to add an onLoginFail() method to the Ftplet interface. I think both enhancements would be useful, although if only one or the other could be done I would favor adding Ftplet.onLoginFail().
> 


Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Posted by Niklas Gustavsson <ni...@protocol7.com>.
Gary.Mui@sungard.com wrote:
> That's great!  If it contains the client IP and certificate chain, then it certainly should meet my needs.  The certificate DN matching also sounds very useful, but for now, I can just check the certificate information for the matching that I need.
>  
> One thing that I've been struggling with though is to get the SSL Socket Factory to include the use of a CRL file in the trust manager.  It works ok when the server socket initializes, but I have not been able to refresh the CRL data dynamically.  If you have any ideas about that or think it's a worthwhile addition, I can add it as an enhancement request.
>  
> Thanks for your efforts!

Please file an RFE for the dynamic CRL refresh. And if you can provide a 
patch that's even better. I don't know how the CRL handling is done in 
Java so I wouldn't really know where to start :-)

/niklas


RE: Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Posted by Ga...@sungard.com.
That's great!  If it contains the client IP and certificate chain, then it certainly should meet my needs.  The certificate DN matching also sounds very useful, but for now, I can just check the certificate information for the matching that I need.
 
One thing that I've been struggling with though is to get the SSL Socket Factory to include the use of a CRL file in the trust manager.  It works ok when the server socket initializes, but I have not been able to refresh the CRL data dynamically.  If you have any ideas about that or think it's a worthwhile addition, I can add it as an enhancement request.
 
Thanks for your efforts!
Gary

________________________________

From: news on behalf of Niklas Gustavsson
Sent: Thu 12/21/2006 11:49 AM
To: ftpserver-dev@incubator.apache.org
Subject: Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface



Niklas Gustavsson wrote:
> I'm currently looking into this request. If I understand your
> requirements correctly you would like to have the peer certificate chain
> available when the user logs in using the regular USER/PASS commands?
> I've refactored the UserManager interface to allow for a more general
> Authentication, writing one that includes the cert chain would be simple.

This is now implemented. During authentication the user manager now gets
metadata about the user (currently the remote IP address and the
certificate chain if existing). A user manager can then use these to
make a more informed decision on authentication.

Right now the default user managers ignore this data, if someone wants
some control in there by default I'll be happy to look into it. I might
also add a control for matching the certificate DN with a DN pattern
configured for the user. Would this be of interest?

Gary, I hope this is enough for your needs. If not, feel free to bug me
about it :-)


/niklas
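Gary's question above is how to make a CRL in the trust manager refresh without restarting the listener. The standard JSSE route (a PKIX trust manager built from CertPathTrustManagerParameters with a CertStore of CRLs) fixes the revocation data at init time, so the usual answer is to wrap the truststore's X509TrustManager and re-read the CRL file yourself. The class below is an added illustration written for this thread, not code from Apache FtpServer; it assumes a single issuing CA whose certificate is available (crlIssuer) and a PEM or DER CRL at a path of your choosing.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Wraps the trust manager built from the server truststore and adds a revocation
 * check against a CRL file that is re-parsed whenever its modification time
 * changes. Hypothetical example for this thread, not FtpServer's own code.
 */
public final class ReloadingCrlTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    private final X509Certificate crlIssuer;   // CA whose key must have signed the CRL
    private final Path crlPath;
    private final CertificateFactory factory;
    private volatile X509CRL crl;              // last CRL that parsed and verified
    private volatile FileTime loadedMtime;     // mtime of the file that produced it

    public ReloadingCrlTrustManager(X509TrustManager delegate, X509Certificate crlIssuer, Path crlPath)
            throws GeneralSecurityException, IOException {
        this.delegate = delegate;
        this.crlIssuer = crlIssuer;
        this.crlPath = crlPath;
        this.factory = CertificateFactory.getInstance("X.509");
        reload();   // fail fast at startup if the CRL is missing, unsigned or expired
    }

    /** Convenience: pick the X509TrustManager out of an initialised TrustManagerFactory and wrap it. */
    public static TrustManager[] wrap(TrustManagerFactory tmf, X509Certificate crlIssuer, Path crlPath)
            throws GeneralSecurityException, IOException {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new TrustManager[] { new ReloadingCrlTrustManager((X509TrustManager) tm, crlIssuer, crlPath) };
            }
        }
        throw new IllegalStateException("no X509TrustManager in factory");
    }

    /** Re-read the CRL only when the file changed; keep the old one if the new one is bad. */
    private synchronized void reload() throws GeneralSecurityException, IOException {
        FileTime mtime = Files.getLastModifiedTime(crlPath);
        if (crl != null && mtime.equals(loadedMtime)) return;
        try (InputStream in = Files.newInputStream(crlPath)) {
            X509CRL fresh = (X509CRL) factory.generateCRL(in);
            fresh.verify(crlIssuer.getPublicKey());          // reject a CRL not signed by our CA
            Date nextUpdate = fresh.getNextUpdate();
            if (nextUpdate != null && nextUpdate.before(new Date())) {
                throw new CertificateException("CRL " + crlPath + " is stale, nextUpdate=" + nextUpdate);
            }
            crl = fresh;
            loadedMtime = mtime;
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);   // path validation first
        checkRevocation(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
        checkRevocation(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    private void checkRevocation(X509Certificate[] chain) throws CertificateException {
        try {
            reload();
        } catch (GeneralSecurityException | IOException e) {
            // Fail closed: if the CRL cannot be refreshed we cannot assert non-revocation.
            throw new CertificateException("unable to refresh CRL " + crlPath, e);
        }
        X509CRL current = crl;
        for (X509Certificate cert : chain) {
            if (current.isRevoked(cert)) {
                throw new CertificateException("revoked certificate: " + cert.getSubjectX500Principal()
                        + " serial " + cert.getSerialNumber());
            }
        }
    }
}
```

To use it, initialise a TrustManagerFactory from the truststore as usual, then pass `ReloadingCrlTrustManager.wrap(tmf, caCert, Paths.get("/etc/ftpserver/ca.crl"))` (path assumed) as the trust managers to `SSLContext.init`. Each handshake then re-checks the file's mtime, so dropping a newly published CRL in place is enough; a CRL that fails to parse or verify is rejected and the previously loaded one stays in force, and an unreadable file fails closed rather than silently disabling revocation.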





Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Posted by Niklas Gustavsson <ni...@protocol7.com>.
Niklas Gustavsson wrote:
> I'm currently looking into this request. If I understand your 
> requirements correctly you would like to have the peer certificate chain 
> available when the user logs in using the regular USER/PASS commands? 
> I've refactored the UserManager interface to allow for a more general 
> Authentication, writing one that includes the cert chain would be simple.

This is now implemented. During authentication the user manager now gets 
metadata about the user (currently the remote IP address and the 
certificate chain if existing). A user manager can then use these to 
make a more informed decision on authentication.

Right now the default user managers ignore this data, if someone wants 
some control in there by default I'll be happy to look into it. I might 
also add a control for matching the certificate DN with a DN pattern 
configured for the user. Would this be of interest?

Gary, I hope this is enough for your needs. If not, feel free to bug me 
about it :-)


/niklas


Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Posted by Dave Roberts <da...@saaconsultants.com>.
It was 21/12/2006 11:21, when Niklas Gustavsson wrote:

> I have also played around with another option which is to automatically 
> log in the user based on the certificate (without the need of the 
> USER/PASS commands). However, there are some issues with this approach 
> (like how the client would know that it has been logged in) so I don't 
> think I will commit it (unless someone convinces me otherwise).

No, I think you're correct to leave this out.  I don't know of a
client that would allow this (not that I know all of them), and it
would seem to go against the RFCs.

Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Posted by Niklas Gustavsson <ni...@protocol7.com>.
Gary,

Gary.Mui@sungard.com wrote:
> I've gone ahead and added this as a separate Improvement item in JIRA.
> FTPSERVER-54 (Expand authentication capability of UserManager interface)
> 
> The current authenticate method in the UserManager interface allows for
> UserManager implementations to authenticate login requests with just
> username and password. Given the support for FTPS and client certificate
> checking, it would make sense to include additional information for
> authentication purposes. By including the RequestHandler, we could get
> access to the control socket (for information like the client IP
> address) as well as get the client's certificate chain in case the
> Socket is an instance of SSLSocket. Once the client certificate is
> available, a UserManager implementation can perform 2 factor
> authentication by matching the user login with parameters within the
> client certificate.

I'm currently looking into this request. If I understand your 
requirements correctly you would like to have the peer certificate chain 
available when the user logs in using the regular USER/PASS commands? 
I've refactored the UserManager interface to allow for a more general 
Authentication, writing one that includes the cert chain would be simple.

I have also played around with another option which is to automatically 
log in the user based on the certificate (without the need of the 
USER/PASS commands). However, there are some issues with this approach 
(like how the client would know that it has been logged in) so I don't 
think I will commit it (unless someone convinces me otherwise).

/niklas


RE: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Posted by Ga...@sungard.com.
I've gone ahead and added this as a separate Improvement item in JIRA.
FTPSERVER-54 (Expand authentication capability of UserManager interface)

The current authenticate method in the UserManager interface allows for
UserManager implementations to authenticate login requests with just
username and password. Given the support for FTPS and client certificate
checking, it would make sense to include additional information for
authentication purposes. By including the RequestHandler, we could get
access to the control socket (for information like the client IP
address) as well as get the client's certificate chain in case the
Socket is an instance of SSLSocket. Once the client certificate is
available, a UserManager implementation can perform 2 factor
authentication by matching the user login with parameters within the
client certificate.

Hope it's ok - it's my first entry!

Thanks,
Gary

-----Original Message-----
From: Clinton Foster [mailto:cfoster@us.axway.com] 
Sent: Wednesday, November 29, 2006 3:27 PM
To: ftpserver-dev@incubator.apache.org
Subject: Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet
interface

This is exactly the sort of thing I was thinking of. In my case I simply
wanted to log a message from my custom user manager indicating the IP
address of the client for whom authentication failed. But this is better
handled by ftplet.onLoginFail(), as I think most people seem to be
favoring.
But the case you made for providing access to the RequestHandler from
FtpUserManager.authenticate() makes sense. And there could be other
possibilities such as a specialized user manager that needs to take the
client IP address into account when performing authentication.

It seems to me this merits a separate item in the issue tracking system.
Perhaps you could add one with your example below?

Clint

--------------------------------------------------------------------------
On 11/29/06 9:10 AM, "Gary.Mui@sungard.com" <Ga...@sungard.com> wrote:

> I don't know if this suggestion is misplaced, but one thing I would
> suggest is to have the authenticate call of the UserManager
> interface include the RequestHandler and that the RequestHandler provide
> an interface to get Socket information.  It can be used to pass IP
> information as part of the user authentication, but more importantly, it
> can be used to get access to Certificate information if it is an SSL
> socket and client authentication is enabled.  In my implementation, I've
> needed to evaluate contents of the Subject in the certificate with the
> login used in order to provide 2 factor authentication.  An additional
> interface to UserManager might be an authenticate method that just takes
> an array of Certificates to provide for certificate based
> authentication.
> 
> -----Original Message-----
> From: Dave Roberts [mailto:dave.roberts@saaconsultants.com]
> Sent: Wednesday, November 29, 2006 4:16 AM
> To: ftpserver-dev@incubator.apache.org
> Subject: Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet
> interface
> 
> It was 28/11/2006 21:56, when Niklas Gustavsson wrote:
> 
>> What do you all think of this RFE? I would be happy to add the
>> onLoginFail() method to the FtpLet interface if you don't disagree.
> 
> Agreed, onLoginFail() seems the best place to me, but I wonder if it
> needs to be complemented with an onLoginOk(), both of which could be
> called after the user is set within the FtpRequestImpl object, so
> that the user information is available to the FtpLet.
> 
> It also gives the application developer the opportunity to perform
> some additional authentication on the user, if required.
> 



Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Posted by Clinton Foster <cf...@us.axway.com>.
This is exactly the sort of thing I was thinking of. In my case I simply
wanted to log a message from my custom user manager indicating the IP
address of the client for whom authentication failed. But this is better
handled by ftplet.onLoginFail(), as I think most people seem to be favoring.
But the case you made for providing access to the RequestHandler from
FtpUserManager.authenticate() makes sense. And there could be other
possibilities such as a specialized user manager that needs to take the
client IP address into account when performing authentication.

It seems to me this merits a separate item in the issue tracking system.
Perhaps you could add one with your example below?

Clint

--------------------------------------------------------------------------
On 11/29/06 9:10 AM, "Gary.Mui@sungard.com" <Ga...@sungard.com> wrote:

> I don't know if this suggestion is misplaced, but one thing I would
> suggest is to have the authenticate call of the UserManager
> interface include the RequestHandler and that the RequestHandler provide
> an interface to get Socket information.  It can be used to pass IP
> information as part of the user authentication, but more importantly, it
> can be used to get access to Certificate information if it is an SSL
> socket and client authentication is enabled.  In my implementation, I've
> needed to evaluate contents of the Subject in the certificate with the
> login used in order to provide 2 factor authentication.  An additional
> interface to UserManager might be an authenticate method that just takes
> an array of Certificates to provide for certificate based
> authentication.
> 
> -----Original Message-----
> From: Dave Roberts [mailto:dave.roberts@saaconsultants.com]
> Sent: Wednesday, November 29, 2006 4:16 AM
> To: ftpserver-dev@incubator.apache.org
> Subject: Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet
> interface
> 
> It was 28/11/2006 21:56, when Niklas Gustavsson wrote:
> 
>> What do you all think of this RFE? I would be happy to add the
>> onLoginFail() method to the FtpLet interface if you don't disagree.
> 
> Agreed, onLoginFail() seems the best place to me, but I wonder if it
> needs to be complemented with an onLoginOk(), both of which could be
> called after the user is set within the FtpRequestImpl object, so
> that the user information is available to the FtpLet.
> 
> It also gives the application developer the opportunity to perform
> some additional authentication on the user, if required.
> 


RE: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Posted by Ga...@sungard.com.
I don't know if this suggestion is misplaced, but one thing I would
suggest is to have the authenticate call of the UserManager
interface include the RequestHandler and that the RequestHandler provide
an interface to get Socket information.  It can be used to pass IP
information as part of the user authentication, but more importantly, it
can be used to get access to Certificate information if it is an SSL
socket and client authentication is enabled.  In my implementation, I've
needed to evaluate contents of the Subject in the certificate with the
login used in order to provide 2 factor authentication.  An additional
interface to UserManager might be an authenticate method that just takes
an array of Certificates to provide for certificate based
authentication.

-----Original Message-----
From: Dave Roberts [mailto:dave.roberts@saaconsultants.com] 
Sent: Wednesday, November 29, 2006 4:16 AM
To: ftpserver-dev@incubator.apache.org
Subject: Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet
interface

It was 28/11/2006 21:56, when Niklas Gustavsson wrote:

> What do you all think of this RFE? I would be happy to add the 
> onLoginFail() method to the FtpLet interface if you don't disagree.

Agreed, onLoginFail() seems the best place to me, but I wonder if it
needs to be complemented with an onLoginOk(), both of which could be
called after the user is set within the FtpRequestImpl object, so
that the user information is available to the FtpLet.

It also gives the application developer the opportunity to perform
some additional authentication on the user, if required.
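Two things are being asked for across this thread: Gary's user manager that checks the client certificate's Subject against the login name (the "2 factor" case, and the DN matching Niklas mentions adding), and the onLoginFail()/onLoginOk() hooks whose obvious consumer is per-IP failure tracking. The class below is an added example written for this thread, not Apache FtpServer's UserManager or Ftplet API. It assumes the caller hands it what Niklas describes the user manager now receiving: the remote address and the leaf certificate's subject, which on an SSLSocket would come from `socket.getSession().getPeerCertificates()[0].getSubjectX500Principal()`. The users, salt, address and DNs in main are constructed sample data.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical password-plus-certificate login check with per-IP lockout.
 * Illustration for this thread only; not FtpServer's UserManager or Ftplet.
 */
public class CertBoundLogin {

    /** Outcome of an attempt; the reason is what an onLoginFail() log line would carry. */
    public enum Result { OK, LOCKED_OUT, BAD_PASSWORD, NO_CERTIFICATE, CERT_MISMATCH }

    private static final int MAX_FAILURES = 5;

    private final byte[] salt;
    // username -> SHA-256(salt || password); a real deployment would use PBKDF2/bcrypt/scrypt.
    private final Map<String, byte[]> passwordHashes = new HashMap<>();
    // Failures per remote IP: the state onLoginFail() would increment and onLoginOk() reset.
    private final Map<String, AtomicInteger> failuresByIp = new ConcurrentHashMap<>();

    public CertBoundLogin(byte[] salt) { this.salt = salt.clone(); }

    public void addUser(String user, String password) { passwordHashes.put(user, hash(password)); }

    /** @param leafSubject subject of chain[0], or null when the client presented no certificate. */
    public Result authenticate(String user, String password, InetAddress remote, X500Principal leafSubject) {
        String ip = remote.getHostAddress();
        if (failures(ip).get() >= MAX_FAILURES) return fail(ip, user, Result.LOCKED_OUT);

        byte[] presented = hash(password);            // always hash, so unknown users cost the same time
        byte[] expected = passwordHashes.get(user);
        if (expected == null || !MessageDigest.isEqual(expected, presented)) {
            return fail(ip, user, Result.BAD_PASSWORD);
        }
        if (leafSubject == null) return fail(ip, user, Result.NO_CERTIFICATE);
        // Second factor: the certificate's CN must name the account being logged into.
        String cn = commonName(leafSubject);
        if (cn == null || !cn.equalsIgnoreCase(user)) return fail(ip, user, Result.CERT_MISMATCH);

        failuresByIp.remove(ip);                      // what onLoginOk() would do
        return Result.OK;
    }

    public int failureCount(InetAddress remote) { return failures(remote.getHostAddress()).get(); }

    /** Extract the CN attribute from an RFC 2253 distinguished name; null if absent or unparsable. */
    static String commonName(X500Principal subject) {
        try {
            for (Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            // fall through: a DN we cannot parse never matches
        }
        return null;
    }

    private AtomicInteger failures(String ip) {
        return failuresByIp.computeIfAbsent(ip, k -> new AtomicInteger());
    }

    private Result fail(String ip, String user, Result why) {
        int n = failures(ip).incrementAndGet();
        System.err.printf("login failed for %s from %s: %s (%d failures)%n", user, ip, why, n);
        return why;
    }

    private byte[] hash(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample data: one account, one client address, two client-certificate subjects.
        CertBoundLogin auth = new CertBoundLogin("per-deployment-salt".getBytes(StandardCharsets.UTF_8));
        auth.addUser("gary", "correct horse battery staple");
        InetAddress client = InetAddress.getByName("203.0.113.7");
        X500Principal garyCert = new X500Principal("CN=gary, O=Example Corp, C=US");
        X500Principal otherCert = new X500Principal("CN=mallory, O=Example Corp, C=US");

        System.out.println(auth.authenticate("gary", "correct horse battery staple", client, garyCert));
        System.out.println(auth.authenticate("gary", "wrong", client, garyCert));
        System.out.println(auth.authenticate("gary", "correct horse battery staple", client, null));
        System.out.println(auth.authenticate("gary", "correct horse battery staple", client, otherCert));
        for (int i = 0; i < MAX_FAILURES; i++) auth.authenticate("gary", "wrong", client, garyCert);
        System.out.println(auth.authenticate("gary", "correct horse battery staple", client, garyCert));
        System.out.println("failures from " + client.getHostAddress() + ": " + auth.failureCount(client));
    }
}
```

The order of checks matters: the lockout is consulted before any work is done, the password is hashed whether or not the user exists, and the certificate is only consulted once the password has passed, so a certificate mismatch is logged against an account the caller has already proven it knows the password for. Matching on the CN alone is the simplest form of the DN pattern check Niklas floats; a production check would also pin the issuer, since the trust manager, not this class, is what decides whether the chain is trusted at all.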


Re: [jira] Created: (FTPSERVER-52) Add onLoginFail() to Ftplet interface

Posted by Dave Roberts <da...@saaconsultants.com>.
It was 28/11/2006 21:56, when Niklas Gustavsson wrote:

> What do you all think of this RFE? I would be happy to add the 
> onLoginFail() method to the FtpLet interface if you don't disagree.

Agreed, onLoginFail() seems the best place to me, but I wonder if it
needs to be complemented with an onLoginOk(), both of which could be
called after the user is set within the FtpRequestImpl object, so
that the user information is available to the FtpLet.

It also gives the application developer the opportunity to perform
some additional authentication on the user, if required.