On Jun 22, 2010, at 9:04 AM, Oleksiy Stashok wrote:
> Hi Tim,
>
> can you pls. file a bug in grizzly.
> I'll check what webcontainer is doing and will try to port the same
> logic into Grizzly.
Done.
https://grizzly.dev.java.net/issues/show_bug.cgi?id=843
Thanks.
- Tim
>
> Thanks.
>
> WBR,
> Alexey.
>
> On Jun 22, 2010, at 13:25 , Tim Quinn wrote:
>
>> [Alexey and I have been discussing this off-line; it makes sense to
>> talk about it more broadly - hence I'm moving it to the list.
>>
>> My original question was whether GrizzlyRequest.getUserPrincipal
>> returns the security Principal that was authenticated if the
>> connection uses client certificate authentication, or if not how
>> the adapter could find that out.
>>
>> Alexey pointed me to some of the code in the web container that
>> does this. ]
>>
>>
>> I know that client authentication is relatively rarely used, but
>> this seems like something that any adapter that does use client
>> authentication might need.
>>
>> Any chance of Grizzly doing this for us rather than each individual
>> adapter having to do so for itself?
>>
>> Thanks.
>>
>> - Tim
>>
>> On Jun 22, 2010, at 4:41 AM, Oleksiy Stashok wrote:
>>
>>> Hi Tim,
>>>
>>> I found some code in web container, which you can use [1].
>>>
>>> IMO instead of cc'ing more people we can move discussions to
>>> grizzly mailing list, if it's fine for you?
>>>
>>> Thanks.
>>>
>>> WBR,
>>> Alexey.
>>>
>>> [1]
>>>
>>> --------- Constants:
>>>
>>> /**
>>> * SSL Certificate Request Attributite.
>>> */
>>> public static final String SSL_CERTIFICATE_ATTR =
>>> "org.apache.coyote.request.X509Certificate";
>>>
>>> /**
>>> * The request attribute under which we store the array of
>>> X509Certificate
>>> * objects representing the certificate chain presented by our
>>> client,
>>> * if any.
>>> */
>>> public static final String CERTIFICATES_ATTR =
>>> "javax.servlet.request.X509Certificate";
>>>
>>>
>>> -------------- Getting X509Certificates
>>>
>>>
>>> X509Certificate certs[] = (X509Certificate[])
>>> request.getAttribute(Globals.CERTIFICATES_ATTR);
>>> if ((certs == null) || (certs.length < 1)) {
>>> certs = (X509Certificate[])
>>> request.getAttribute(Globals.SSL_CERTIFICATE_ATTR);
>>> }
>>> if ((certs == null) || (certs.length < 1)) {
>>> if (debug >= 1)
>>> log(" No certificates included with this request");
>>> return (false);
>>> }
>>>
>>> // Authenticate the specified certificate chain
>>> principal = authenticate(certs);
>>>
>>> ----------- authenticate
>>>
>>> /**
>>> * Return the Principal associated with the specified chain of
>>> X509
>>> * client certificates. If there is none, return <code>null</
>>> code>.
>>> *
>>> * @param certs Array of client certificates, with the first one
>>> in
>>> * the array being the certificate of the client itself.
>>> */
>>> public Principal authenticate(X509Certificate certs[]) {
>>>
>>> if ((certs == null) || (certs.length < 1))
>>> return (null);
>>>
>>> // Check the validity of each certificate in the chain
>>> if (log.isLoggable(Level.FINE))
>>> log.fine("Authenticating client certificate chain");
>>> if (validate) {
>>> for (int i = 0; i < certs.length; i++) {
>>> if (log.isLoggable(Level.FINE))
>>> log.fine("Checking validity for '" +
>>> certs[i].getSubjectDN().getName() + "'");
>>> try {
>>> certs[i].checkValidity();
>>> } catch (Exception e) {
>>> if (log.isLoggable(Level.FINE))
>>> log.log(Level.FINE, "Validity exception", e);
>>> return (null);
>>> }
>>> }
>>> }
>>>
>>> // Check the existence of the client Principal in our database
>>> return (getPrincipal(certs[0].getSubjectDN().getName()));
>>> }
>>>
>>>
>>> On Jun 21, 2010, at 16:04 , Tim Quinn wrote:
>>>
>>>> Hi, Alexey.
>>>>
>>>>
>>>> On Jun 21, 2010, at 7:39 AM, Oleksiy Stashok wrote:
>>>>
>>>>> Hi Tim,
>>>>>
>>>>> I worry that Grizzly just has get/set methods for Principal, but
>>>>> AFAIK the actual implementation, which uses Grizzly should take
>>>>> care of setting it appropriate way.
>>>>> I don't see any code in Grizzly, which sets that.
>>>>> What is the usecase you have?
>>>>
>>>> First, I apologize -- it's getUserPrincipal not getPrincipal.
>>>>
>>>> The use case:
>>>>
>>>> In GF 3.1 we are planning to use SSL mutual certificate
>>>> authentication to secure the admin messages between the DAS and
>>>> instances in the domain (if the user chooses to use admin
>>>> security).
>>>>
>>>> The SSL layer will make sure that the other end of the connection
>>>> has identified itself in a way that we trust (that is, it
>>>> presents a certificate we trust). But the Grizzly adapter which
>>>> processes the incoming admin requests still needs to make sure
>>>> that whatever that identity is has been authorized in the DAS as
>>>> an administrator. Since that identity is established at the SSL
>>>> level I thought (was hoping) that req.getUserPrincipal would
>>>> return a Principal for the certificate that had been presented by
>>>> the other end of the connection.
>>>>
>>>> I now see the setUserPrincipal method also which I did not notice
>>>> before.
>>>>
>>>> My real need is that a Grizzly adapter's service method needs to
>>>> be able to find out if SSL client cert. authentication was used
>>>> (which includes mutual auth) in establishing the incoming
>>>> connection and, if so, what identify was given by the cert that
>>>> was trusted.
>>>>
>>>> I thought maybe the req.getSession() might have a way to lead me
>>>> to the SSLSession which has getPeerPrincipal which I think would
>>>> give the admin adapter what it needs, but I couldn't find a way
>>>> from the Grizzly request object to the SSLSession.
>>>>
>>>> By the way, should I include anyone else on these sorts of
>>>> questions? Justin?
>>>>
>>>> Many thanks.
>>>>
>>>> - Tim
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> WBR,
>>>>> Alexey.
>>>>>
>>>>>
>>>>> On Jun 19, 2010, at 0:47 , Tim Quinn wrote:
>>>>>
>>>>>> Hi, Alexey. I hope this is a quick question.
>>>>>>
>>>>>> Is the Principal returned by GrizzlyRequest.getPrincipal valid
>>>>>> only if I've configured the port for SSL and for client
>>>>>> authentication?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> - Tim
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
>> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_grizzly.dev.java.net
> For additional commands, e-mail: users-help_at_grizzly.dev.java.net
>
Tim Quinn | Principal Member of Technical Staff | +1.847.604.9475
Oracle GlassFish Engineering
Lake Forest, IL