Posted to users@tomcat.apache.org by Mario Ivankovits <ma...@ops.co.at> on 2003/06/06 09:09:25 UTC

REPOST: CLIENT-CERT and JNDIRealm

Hello !

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831
I think a common solution should be found for this, so I try again to push a discussion:


Questions:
*) Are there any standards for how to map a certificate to a user within an LDAP server?
*) If not, could/should we implement some of my code directly in a class
(say) JNDIRealmCert, where one could simply override an abstract "certToUser"
method?

I have tried to use CLIENT-CERT to authenticate the user for our
application. JNDIRealm does not support such authentication, so I have tried
to implement it. For our infrastructure my solution works well, but I think
(know) it is strongly bound to it.

The way it works is to get a certificate for a user and import this
certificate into the ActiveDirectory server. During authentication, a user with
the matching certificate is searched for, and the "cn" of this user is used
from then on (getRoles() ...).

First, I have created a new class JNDIRealmCertAD (JNDIRealm Certificate
ActiveDirectory) and introduced a new property "certSearch". (I have also
copied the *Pattern getters/setters for use with certificates, but haven't
tested them yet.)
Much of the code from JNDIRealm has to be copied due to the private User
class; however, this class is a prototype.

The advantage (I think) of my solution is that it does not use
Cert.getSubjectDN() for the username; instead it uses the "cn" (or any other attribute) of the
LDAP entry returned when searching for the user corresponding to the
certificate.
With my class it is possible to use BASIC and CLIENT-CERT and always have
the same username for the application.
I think the application should not be bothered with the type of
authentication.

However, currently this solution is bound to our Win2000-Domain.


Comments are welcome !!

Ciao,
Mario
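As an added illustration (not Mario's JNDIRealmCertAD prototype and not Tomcat's own JNDIRealm code), here is the certificate-to-user mapping described in the post, written with plain JNDI: search the directory for the entry whose stored certificate is byte-for-byte the presented one, and return that entry's "cn" as the username. The LDAP URL, search base, service account and the attribute names `userCertificate` and `cn` are assumed placeholders for an Active Directory setup; the connector is assumed to have already validated the certificate chain (clientAuth="true"), so the realm only does the mapping.

```java
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example of a "certToUser" mapping; not code from the post or from Tomcat. */
public class CertToUserExample {

    // Hypothetical placeholders; a real realm would take these from server.xml.
    static final String LDAP_URL = "ldap://ldap.example.invalid:389";
    static final String USER_BASE = "ou=people,dc=example,dc=invalid";
    static final String CERT_ATTR = "userCertificate";   // assumed attribute holding the DER cert
    static final String USERNAME_ATTR = "cn";            // attribute handed to the application

    /** Escape raw bytes as an RFC 4515 filter assertion value (one \XX per byte). */
    static String escapeFilterBytes(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 3);
        for (byte b : data) {
            sb.append('\\').append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /**
     * Return USERNAME_ATTR of the single entry whose stored certificate equals
     * the presented one. Returns null (deny) when no entry, more than one entry,
     * or an entry without the username attribute matches, so an ambiguous
     * mapping never authenticates.
     */
    static String certToUser(DirContext ctx, X509Certificate cert) throws Exception {
        // Match the full DER encoding, not the subject DN: two certificates with
        // the same subject but different keys must not resolve to the same user.
        String filter = "(" + CERT_ATTR + "=" + escapeFilterBytes(cert.getEncoded()) + ")";

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { USERNAME_ATTR });

        String username = null;
        NamingEnumeration<SearchResult> results = ctx.search(USER_BASE, filter, sc);
        try {
            while (results.hasMore()) {
                SearchResult r = results.next();
                if (username != null) {
                    return null; // same certificate attached to several entries
                }
                Attribute a = r.getAttributes().get(USERNAME_ATTR);
                if (a == null) {
                    return null;
                }
                username = (String) a.get();
            }
        } finally {
            results.close();
        }
        return username;
    }

    /** Bind with a hypothetical read-only service account used only for the search. */
    static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=tomcat-search,ou=services,dc=example,dc=invalid");
        env.put(Context.SECURITY_CREDENTIALS, "<service-account-password>");
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        // In a realm this would be the chain Tomcat hands to authenticate(X509Certificate[]);
        // here the certificate is read from a PEM/DER file named on the command line.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (java.io.FileInputStream in = new java.io.FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        DirContext ctx = connect();
        try {
            String user = certToUser(ctx, cert);
            System.out.println(user == null ? "denied" : "mapped to " + user);
        } finally {
            ctx.close();
        }
    }
}
```

Because the lookup key is the DER encoding rather than Cert.getSubjectDN(), the same "cn" comes back regardless of how the subject is written, which is what lets BASIC and CLIENT-CERT logins agree on one username. Searching under a specific OU rather than the domain root also avoids the referral chasing Active Directory otherwise triggers during a subtree search.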