Posted to dev@geronimo.apache.org by "Ivan (JIRA)" <ji...@apache.org> on 2009/07/31 05:02:14 UTC

[jira] Created: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Add cert authentication support for Jetty7 module
-------------------------------------------------

                 Key: GERONIMO-4779
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4779
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security
    Affects Versions: 2.2
            Reporter: Ivan
             Fix For: 2.2


Currently, the jetty module does not support client-cert authentication.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12737407#action_12737407 ] 

David Jencks commented on GERONIMO-4779:
----------------------------------------

Can you be more specific?  There's a jetty client cert authenticator that should get installed when you ask for client cert auth.  It might not work correctly, but the infrastructure is all there.



[jira] Commented: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12737419#action_12737419 ] 

Jarek Gawor commented on GERONIMO-4779:
---------------------------------------

I'm ok with reverting the changes I made to Tomcat as long as we can make Tomcat and Jetty working in a consistent way. I would also like to see the actual client certificates to be added to the Subject (in addition to the principals).





[jira] Updated: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Posted by "Ivan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ivan updated GERONIMO-4779:
---------------------------

    Attachment:     (was: Geronimo-4776.patch)



[jira] Updated: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks updated GERONIMO-4779:
-----------------------------------

    Fix Version/s:     (was: 2.2)
                   Wish List

no more work on this for 2.2.



[jira] Commented: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12737968#action_12737968 ] 

David Jencks commented on GERONIMO-4779:
----------------------------------------

I added the framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/PropertiesFileNoPasswordLoginModule.java login module in rev 799958 that should be able to accept the login call from the jetty client cert authenticator and add the appropriate principals.

I haven't decided what if anything ought to be adding the credential to the subject.  I'm inclined to think the authenticator should but that might only be because I don't want to add more login methods to the login service.  Leaving open until we decide on how to do this.



[jira] Commented: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12737412#action_12737412 ] 

Jarek Gawor commented on GERONIMO-4779:
---------------------------------------

I ran into the same issue on Tomcat. Here was my change to fix in Tomcat: http://svn.apache.org/viewvc?rev=798343&view=rev




[jira] Commented: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12737413#action_12737413 ] 

David Jencks commented on GERONIMO-4779:
----------------------------------------

Previously we were using a login module that accepted CertificateCallbacks.  However, once SSL has accepted the client certificate, there is nothing further we can reasonably do to authenticate them.  All we can do is install some principals into the subject.  The jetty (and IIUC until Jarek changed it) tomcat client cert authenticators, however, are not supplying certificates but the x509 names from them.

I think the best approach is a new login module that just adds principals to the subject for recognized users.  This is also needed for stuff like openid where the authentication happens entirely externally and the only info we get is the user's identity and we have to assign principals that map to roles.

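The principal-only login module David describes above (and the rev 799958 module he mentions earlier in the thread), as an added illustration that is not Geronimo's own PropertiesFileNoPasswordLoginModule: a hypothetical JAAS module that takes the X.500 name the authenticator supplies through a NameCallback, performs no password check because TLS has already verified the certificate, and commits one principal per mapped group for recognized users while rejecting unknown names. The class name, the GroupPrincipal type and the DN-to-group map are constructed for the example; whether the certificate itself should also go into the Subject is left open, as it is in the thread.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Hypothetical login module: no password check, only principal assignment for a TLS-verified client cert. */
public class CertNameLoginModule implements LoginModule {
    /** Role-like group principal (hypothetical type; Geronimo uses its own principal classes). */
    public record GroupPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Constructed sample mapping from certificate subject DN to groups; a real module would load a properties file.
    static final Map<String, List<String>> GROUPS = Map.of(
        "CN=alice,OU=dev,O=example", List.of("admin", "developer"),
        "CN=bob,OU=ops,O=example",   List.of("operator"));

    private Subject subject;
    private CallbackHandler handler;
    private String dn;
    private final Set<Principal> added = new HashSet<>();

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    /** The authenticator hands over the X.500 name; TLS already proved possession of the matching key. */
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("client certificate subject DN");
        try { handler.handle(new Callback[] { nc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        dn = nc.getName();
        // Unknown cert holder: deny explicitly instead of silently committing an empty Subject.
        if (dn == null || !GROUPS.containsKey(dn)) throw new FailedLoginException("unrecognised certificate subject");
        return true;
    }

    /** Install the user principal plus one principal per mapped group so role mapping can proceed. */
    @Override public boolean commit() {
        if (dn == null) return false;
        added.add(new X500Principal(dn));
        GROUPS.get(dn).forEach(g -> added.add(new GroupPrincipal(g)));
        subject.getPrincipals().addAll(added);
        return true;
    }
    @Override public boolean abort() { dn = null; added.clear(); return true; }
    /** Remove only what this module added, leaving other modules' principals intact. */
    @Override public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
}
```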


[jira] Updated: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Posted by "Ivan (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ivan updated GERONIMO-4779:
---------------------------

    Attachment: Geronimo-4776.patch

I tried to create a patch, but it may not resolve all the issues; I think that some changes need to be done in AuthConfigProviderHandlerFactory.
Please help to review it, thanks!



[jira] Assigned: (GERONIMO-4779) Add cert authentication support for Jetty7 module

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks reassigned GERONIMO-4779:
--------------------------------------

    Assignee: David Jencks
