users@grizzly.java.net

Re: accessing SSLEngine on per-request? (jersey related)

From: Zoltan Arnold NAGY <Zoltan.Nagy_at_Sun.COM>
Date: Wed, 07 Oct 2009 13:12:12 +0200

Thanks Oleksiy and Paul, it works like a charm. See the code below for how I
extract data from the cert.

On a theoretical level - what do you think about using client side
certificates, signed by the server acting as a CA, as a
way of authentication?

The user must possess the private key, and if he does, I can be sure who
he is. And I can check the certificate 'cause
I'm the CA on the server side :-)

--
So just to sum it up for the archives:
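import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
import javax.ws.rs.WebApplicationException;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;

public class SecurityFilter implements ContainerRequestFilter {
    public ContainerRequest filter(ContainerRequest request) {
        SSLSession session = ((com.sun.grizzly.util.WorkerThread) Thread.currentThread()).getSSLEngine().getSession();
        try {
            // The client's chain is the peer chain; getLocalCertificates() is the server's own certificate.
            X509Certificate[] cert = (X509Certificate[]) session.getPeerCertificates();
            X500Principal principal = cert[0].getSubjectX500Principal();
            // extract data from principal, etc.
            return request;
        } catch (SSLPeerUnverifiedException e) {
            throw new WebApplicationException(e, 403); // no client certificate was presented
        }
    }
}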
and we need to attach this filter to jersey, before adding its adapter to GWS:

[..]
        jerseyAdapter.addInitParameter(ResourceConfig.PROPERTY_CONTAINER_REQUEST_FILTERS, SecurityFilter.class.getName());
        webServer.addGrizzlyAdapter(jerseyAdapter, new String[]{"/"});

Thanks everyone,
Zoltan

Paul Sandoz wrote:
>
> On Oct 7, 2009, at 10:50 AM, Oleksiy Stashok wrote:
>
>> Hi Zoltan,
>>
>> please try the following:
>>
>> ((com.sun.grizzly.util.WorkerThread) Thread.currentThread()).getSSLEngine();
>>
> and see the following sample for using Jersey with SSL+Grizzly:
>
>   
> http://download.java.net/maven/2/com/sun/jersey/samples/https-clientserver-grizzly/1.1.3-ea/https-clientserver-grizzly-1.1.3-ea-project.zip 
>
>
> If you look in there it is doing some funky stuff in a filter setting 
> the SecurityContext. You can provide your own implementation to 
> extract stuff from the WorkerThread.
>
> Paul.
>
>> Hope this will help.
>>
>> WBR,
>> Alexey.
>>
>> On Oct 6, 2009, at 23:39 , Zoltan Arnold NAGY wrote:
>>
>>> Hello everyone,
>>>
>>> I'm trying to implement authentication using client-side ssl 
>>> certificates with Grizzly, running
>>> latest Jersey to serve RESTful content.
>>>
>>> The SSL stuff works fine, but for authorization to be able to occur, 
>>> I'd need to get the
>>> SubjectDN from the SSLEngine's Session.
>>>
>>> Is there a way to get that inside a Jersey request?
>>>
>>> Maybe I could insert my own class before each (jersey's) adapter 
>>> call, and pass
>>> it on, somehow?
>>>
>>> Any pointers are welcome.
>>>
>>> Thanks,
>>> Zoltan
>>>
>>>
>>> __________ Information from ESET Smart Security, version of virus 
>>> signature database 4485 (20091006) __________
>>>
>>> The message was checked by ESET Smart Security.
>>>
>>> http://www.eset.com
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
>>> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>>>
>
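
Added example, not part of the original thread: one way to turn the client certificate from the SSLSession into an identity when the server is its own CA, using only JDK classes. The class name, method name and `ourCa` parameter are assumptions for illustration; it assumes the connector is configured to require client certificates, and it does not cover revocation.

```java
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical helper: derive the caller's identity from the TLS client certificate. */
public final class ClientCertIdentity {

    /**
     * Returns the CN of the client certificate, or throws if the peer did not
     * present a currently valid certificate issued directly by ourCa.
     */
    public static String authenticatedCommonName(SSLSession session, X509Certificate ourCa)
            throws GeneralSecurityException, SSLPeerUnverifiedException, InvalidNameException {
        // The peer chain is what the client presented during the handshake.
        // getPeerCertificates() throws SSLPeerUnverifiedException if it sent none.
        Certificate[] chain = session.getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("no X.509 client certificate");
        }
        X509Certificate leaf = (X509Certificate) chain[0];

        // The handshake already validated the chain against the trust store.
        // Pin to our own CA as well, in case that trust store holds other CAs.
        leaf.checkValidity();
        if (!leaf.getIssuerX500Principal().equals(ourCa.getSubjectX500Principal())) {
            throw new GeneralSecurityException("client certificate not issued by our CA");
        }
        leaf.verify(ourCa.getPublicKey());

        // Identity comes from the subject (not the issuer) of the client's leaf certificate.
        LdapName dn = new LdapName(leaf.getSubjectX500Principal().getName()); // RFC 2253 form
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        throw new GeneralSecurityException("client certificate subject has no CN");
    }
}
```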