dev@glassfish.java.net

Re: distributed security: adding foaf+ssl to glassfish

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Tue, 17 Feb 2009 16:48:29 -0500

Hi Henry,

It "should" be feasible to write a Server Authentication Module that
forces the SSL authentication by requesting the proper SSL attribute,
and that does the foaf verification before dispatching the request to
the servlet container.

See
http://blogs.sun.com/monzillo/entry/pluggable_authentication_in_the_glassfish
and read the comments, as they describe the relationship to the transport
and name the attribute I refer to above. BTW, there is some support for
the same mechanism in Jetty.

AFAIK, the main issue with the approach I outline above is that I don't
think it will work if the login mech for the app (as could be defined in
web.xml) is not CLIENT-CERT.

Ron

Henry Story wrote:
> Hi folks,
>
> I would like to make it simple for GlassFish developers to develop apps
> using the foaf+ssl [1] security protocol we are developing in the
> community for distributed open yet secure social networks.
>
> The security piece of foaf+ssl is quite simple as it essentially relies
> on client side https certificates - with a twist: the server does not
> necessarily reject (correctly) self signed certificates. If those
> certificates contain a subjectAltName URI then this can be used to
> identify the user by following the method described here:
>
> http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to
>
> I put together a demo for the Jetty web server using the jsslutils
> library.
>
> The following class just sets up the Jetty server:
>
> https://sommer.dev.java.net/svn/sommer/trunk/misc/FoafServer/jetty/src/net/java/dev/sommer/foafserver/jetty/SimpleServer.java
>
>
> One can then, for example, catch the X509 certificate in a servlet and
> verify that it is indeed tied to the URL it claims to be:
>
> https://sommer.dev.java.net/svn/sommer/trunk/misc/FoafServer/jetty/src/net/java/dev/sommer/foafserver/jetty/CheckClient.java
>
>
> (the dev.java.net server above requires username: guest password guest
> or blank)
>
> From the client's perspective things are very simple. Once the client
> has created a certificate using a service such as
> http://test.foafssl.org/cert/ (which runs on GlassFish 2 btw), they can
> then login just by clicking a button, as you can see by following the
> instructions there.
>
> So in order to allow people to implement any of the many great services
> that distributed identity makes possible [2], I would like to make it
> as easy as possible to integrate this into GlassFish apps. It would be
> nice then to work with others here to build some sample apps to test
> out some of the ideas.
>
> So I am looking for some guidance from security knowledgeable people
> here. What do you suggest should be done that could have the biggest
> impact and that requires the least amount of work - as I am currently
> the only one working on bringing this to GF.
>
> I would be really glad to talk to anyone interested in implementing
> some simple apps.
>
>
>
> Henry Story
> Social Cloud Architect (really! ;-)
> http://blogs.sun.com/bblfish
>
> [1] Links to all the resources for this protocol are available at
> http://esw.w3.org/topic/foaf+ssl
> [2] see http://esw.w3.org/topic/foaf+ssl/UseCases
>
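To make the two halves of the thread concrete, here is an added example (not Ron's, Henry's, GlassFish's or the sommer project's code) of a JASPIC ServerAuthModule that does what Ron sketches: it asks the container for the SSL certificate attribute, performs the check Henry describes (the certificate's subjectAltName URI is accepted as the caller's identity only if the profile at that URI lists the certificate's own public key), and only then lets the request through to the servlet container. Everything not on the page is an assumption: that `javax.servlet.request.X509Certificate` is the attribute Ron refers to, that the certificate key is RSA, and that the `ProfileKeyLookup` interface (a hypothetical hook, here fed by whatever fetches and parses the FOAF profile) stands in for dereferencing the WebID. A deployed module would get its lookup from the `options` map rather than a constructor, and would still need the CLIENT-CERT login-config caveat Ron raises.

```java
package example.foafssl; // hypothetical package, added example only

import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FoafSslServerAuthModule implements ServerAuthModule {

    // ASSUMPTION: the servlet-standard attribute holding the client chain;
    // reading it is what makes the container request SSL client authentication.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final int SAN_URI = 6; // GeneralName tag: uniformResourceIdentifier

    /** Hypothetical hook: the RSA keys the FOAF profile at a WebID publishes. */
    public interface ProfileKeyLookup {
        List<RSAPublicKey> keysFor(String webId);
    }

    private CallbackHandler handler;
    private final ProfileKeyLookup lookup;

    public FoafSslServerAuthModule(ProfileKeyLookup lookup) { this.lookup = lookup; }

    public void initialize(MessagePolicy reqPolicy, MessagePolicy resPolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler;
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    /** Runs before the servlet container sees the request. */
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) mi.getResponseMessage();
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String webId = (chain == null || chain.length == 0)
                ? null : verifiedWebId(chain[0], lookup);
        if (webId == null) {
            try { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); }
            catch (IOException e) { throw new AuthException(e.getMessage()); }
            return AuthStatus.SEND_FAILURE;  // request is not dispatched
        }
        try { // the WebID becomes the caller principal the container sees
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, webId) });
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
        return AuthStatus.SUCCESS;
    }

    /** The foaf verification: the issuer of the certificate is never consulted
     *  (so self-signed is fine); a SAN URI counts only if the profile it names
     *  lists this certificate's modulus and exponent. Returns WebID or null. */
    static String verifiedWebId(X509Certificate cert, ProfileKeyLookup lookup) {
        if (!(cert.getPublicKey() instanceof RSAPublicKey)) return null;
        RSAPublicKey certKey = (RSAPublicKey) cert.getPublicKey();
        Collection<List<?>> sans;
        try { sans = cert.getSubjectAlternativeNames(); }
        catch (CertificateParsingException e) { return null; }
        if (sans == null) return null;
        for (List<?> san : sans) {
            if (!Integer.valueOf(SAN_URI).equals(san.get(0))) continue;
            String webId = (String) san.get(1);
            List<RSAPublicKey> profileKeys = lookup.keysFor(webId);
            if (profileKeys == null) continue;
            for (RSAPublicKey k : profileKeys) {
                if (k.getModulus().equals(certKey.getModulus())
                        && k.getPublicExponent().equals(certKey.getPublicExponent())) {
                    return webId;
                }
            }
        }
        return null;
    }

    public AuthStatus secureResponse(MessageInfo mi, Subject service) {
        return AuthStatus.SEND_SUCCESS;
    }

    public void cleanSubject(MessageInfo mi, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```

The point worth noticing is where the trust sits: nothing in `verifiedWebId` looks at who signed the certificate, which is exactly why the server can accept self-signed certificates as Henry's message says. The binding between the TLS client key and the claimed URI comes solely from the profile at that URI listing the same key, so the security of the scheme rests on fetching that profile over a channel you trust and on the request not reaching the servlet until this check has returned SUCCESS.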