Posted to users@maven.apache.org by Tamás Cservenák <t....@gmail.com> on 2006/05/31 17:50:55 UTC

Re: Proximity with https/client-certs

Hi Jens,

Yes, this is something I installed and it is used in one company where PX is
used on JDS.

I tested this on Java 1.4.2 and Java 1.5 and tomcat 5.5.17!

The trick is the following -- in short:

1. Set Apache Tomcat to use HTTPS WITH client auth (clientAuth=true!).
http://tomcat.apache.org/tomcat-5.5-doc/config/http.html#SSL Support
2. You have to modify (there is no controller included in the current
alpha2, but there will be in the final) the repository controller class to put
the grantee (in this case the X509 cert of the requester) into the
ProximityRequest object's grantee. Tomcat (in case of HTTPS transport)
publishes the user cert under the request attribute key
"javax.servlet.request.X509Certificate"!
3. You have to supply a voter (there is none included in the current alpha2....)
that will know that the grantee is an X509 cert and vote properly by its
authorization.

The "implicit" tricks:

0. The PX "front-end" and "access manager back end" are paired, since the front
end knows what it may have to use as grantee (you are not obliged to use PX in
a webapp at all!), and the voter should recognize the info put into the grantee
of the px request (the px request grantee is java.lang.Object!).

1. You have to make a root CA (even a self-signed cert) and a server cert used
by Tomcat.

2. Create user certs signed with the "root CA" (or even the "server cert") and
give them to users.
3. Tomcat will filter the HTTPS with authorized clients (you have to use a
keystore that has your root CA imported). Thus, only those requests will
arrive at Proximity that have a cert signed with your root CA (your trusted
users); others will be rejected even before Px, by Tomcat itself.
4. clients should use Maven like this:

# -Djavax.net.debug=ssl is FOR DEBUG ONLY!!! (a comment after the "\" would break the command)
mvn \
  -Djavax.net.debug=ssl \
  -Djavax.net.ssl.trustStore=/home/cstamas/worx/.../certs/java/trust.jks \
  -Djavax.net.ssl.keyStore=/home/cstamas/worx/.../certs/my-keystore.p12 \
  -Djavax.net.ssl.keyStoreType=pkcs12 \
  -Djavax.net.ssl.keyStorePassword=changeit \
  -s ./settings.xml clean .... [other goals]

5. Your voter should decide how to vote: the voter knows the user cert, the Px
request (path, etc)... Since the request arrived at PX, it is a "trusted user",
but your voter may decide per-artifact whether to allow access or not.

6. For JDK 1.4 (and 1.5?) you should set up the "unlimited crypto strength"
component from Sun.

I will include these controllers and voters and docs in some later releases
(RC1?).

Have fun,
~t~
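The controller/voter pairing from steps 2, 3 and 5 above, as an added example that is not Proximity's code and not from this post: the class, its `vote` signature and the `OU=release` rule are assumptions standing in for the real ProximityRequest/AccessDecisionVoter interfaces, which are not shown here; only the request attribute name is the one Tomcat uses.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical stand-in for a Px voter: class and method names are assumptions, not Px's API. */
public class X509ArtifactVoter {

    /** Attribute under which Tomcat publishes the verified client chain on HTTPS with clientAuth. */
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private final X500Principal trustedIssuer; // subject DN of your root CA (assumed configuration)
    private final String restrictedPrefix;     // e.g. "/releases/": only OU=release certs may read it

    public X509ArtifactVoter(X500Principal trustedIssuer, String restrictedPrefix) {
        this.trustedIssuer = trustedIssuer;
        this.restrictedPrefix = restrictedPrefix;
    }

    /** Controller side (step 2): what the front end copies into the Px request grantee. */
    public static X509Certificate[] extractGrantee(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        // null when the connector did no client auth: treated as "no grantee", never as trusted
        return attr instanceof X509Certificate[] ? (X509Certificate[]) attr : null;
    }

    /** Voter side (steps 3 and 5): per-artifact decision where any doubt is a deny. */
    public boolean vote(Object grantee, String artifactPath) {
        if (!(grantee instanceof X509Certificate[])) return false; // not a grantee this voter understands
        X509Certificate[] chain = (X509Certificate[]) grantee;
        if (chain.length == 0) return false;
        X509Certificate user = chain[0];                            // end-entity cert of the requester
        try {
            user.checkValidity();                                   // Tomcat checks this too; cheap to repeat
        } catch (CertificateException e) {
            return false;
        }
        // defence in depth: the truststore may hold more CAs than the one you issue user certs from
        if (!trustedIssuer.equals(user.getIssuerX500Principal())) return false;
        if (!artifactPath.startsWith(restrictedPrefix)) return true; // open to every trusted user
        // whole fragments are compared for equality, so an escaped comma ("\,") cannot produce a false match
        String dn = user.getSubjectX500Principal().getName(X500Principal.RFC2253);
        for (String rdn : dn.split(",")) {
            if (rdn.trim().equals("OU=release")) return true;
        }
        return false;
    }
}
```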

On 5/31/06, Jens Riboe <jr...@wilytech.com> wrote:
>
> Hi Tamás,
>
> Proximity seems to be really cool.
>
> I have one question based on what you are stating on the index page.
>
> Access control - Proximity is well suited for corporate deployments, since
> it has extensible and configurable AccessManager. Proximity has various
> AccessManager and AccessDecisionVoter implementations out-of-the-box. Some
> examples: IP based access restriction, *HTTPS access only with client
> certificate verification* and access management based on it.
>
> Is this "in-principle" or do you have a working solution?
>
> A couple of months ago I investigated the support for dependency downloads
> from an mvn repo behind https/client-cert access. Based on the information I
> found, it was not supported nor planned. Is this something you have been
> working with and/or do you know how to extend a wagon plug-in (I guess it
> must be wagon) for this kind of restricted access?
>
> Many thanks in advance for any pointers.
>
>        /Jens
>
> -----Original Message-----
> From: Tamás Cservenák [mailto:t.cservenak@gmail.com]
> Sent: 31 May 2006 14:55
> To: Maven Users List
> Subject: Proximity 1.0.0-alpha2
>
> Hi all,
>
> I'd like to announce the alpha2 release of Px.
>
> New features or fixes:
>
>    - Fixed issued bugs (all fixed - testing needed!)
>
>    - Create and publish initial IP based AccessManager and voter with
> sample.
>
>    You will find an example of IP based AccessVoter and AccessManager in
>    applicationContext.xml. Try it!
>
> Download:
>
> https://is-micro.myip.hu/projects/ismicro-commons/deploy/proximity/
>
> Issues:
>
> http://intranet.is-micro.hu/trac/ismicro-commons/roadmap
>
> Site (incomplete yet):
>
> https://is-micro.myip.hu/projects/ismicro-commons/proximity/
>
> Have fun,
>
> ~t~
>