Comments on: The Mysterious CLIENT-CERT

By: Mike Fleming

Mike Fleming — Tue, 17 Jul 2007 01:25:36 +0000

JW,

Something I forgot in my last comment. If you don’t compare certs, ensure that your trusted CAs are limited to just the one(s) that you accept. The default Java trust store contains a ton of CAs…

By: Mike Fleming

Mike Fleming — Tue, 17 Jul 2007 00:51:43 +0000

JW,

My bad. I missed the “LDAP” distinction in your original question. What I described above is for the default identity asserter set to handle X.509 certs. There is no comparison of the provided cert to one in LDAP like the LDAP X.509 identity asserter does.

Whether you want to compare certs is up to you. The default identity asserter wouldn’t cause two hits to LDAP, though.

By: JW

JW — Mon, 16 Jul 2007 18:57:45 +0000

So it sounds like each one would have to hit the LDAP server separately. And since you configure the connection info separately for each one, they probably aren’t sharing an LDAP Connection pool either.

(In case you’re wondering, I asked originally because I’m trying to speed up certificate-based login.)

By: Mike Fleming

Mike Fleming — Fri, 13 Jul 2007 02:00:51 +0000

JW,

Identity asserters and authenticators work together to identify the user. Identity asserters check for the presence of tokens in the request such as an X.509 cert. When it finds one, it tries to map that token to a user known to the realm. In the case of a cert, the asserter might use the whole DN or just the CN as the user name. It does this via a username mapper class associated with the asserter.

Once the token has been mapped to a username, that username is passed to the authenticator(s) to see if the user exists. If an authenticator can find that username, the user has authenticated successfully (depending upon the control flags in the case of multiple authenticators). The authenticator can then do its other job of pulling the user’s groups.

As for the order, asserters always have to come first so that they can extract a username to pass along to the authenticators. An authenticator wouldn’t know what to do with the token.

However, as you know, the order of authentication providers is significant.

HTH,

Mike

By: JW

JW — Thu, 12 Jul 2007 06:37:07 +0000

Say you have an LDAP X509 Identity Asserter and an LDAP Authenticator. How do the two interact to produce an authenticated user + groups? Confusingly, the order they are listed in the realm’s Authentication node doesn’t seem to matter. How does WebLogic know to hit the X509 Identity Asserter first?

By: Mike Fleming

Mike Fleming — Mon, 23 Oct 2006 01:09:29 +0000

Kevin,

No, there doesn’t have to be a WL user stored somewhere. This article is talking about the common case where there is a user account stored somewhere and the cert has to be mapped to it.

To not have a “backing user” so to speak, you’ll probably need a custom authenticator with a custom login module. This login module will do nothing more than add a WLSUser object to the Subject. This value can be anything you want but I’d imagine you’d take some piece of the DN and stick it there. This value represents the user from WLS’ perspective, so if you do an HttpServletRequest.getRemoteUser() you’ll get that value back (as a simple String, of course).

Check the sample security providers for an example of a custom authenticator.

Hope this helps,

Mike

By: Kevin Moran

Kevin Moran — Sat, 21 Oct 2006 03:05:29 +0000

Excellent article! Question, though, regarding identity assertion: Do X.509 certificates necessarily have to map to WL users? Example: My custom role mapper assigns roles to users based on their DN. My intention is to control users’ access to web services based on those roles. I’d like to issue lots of client certs without having to create a corresponding WL user (especially since I don’t know what it buys me!). Also, it seems like the job of managing WL users would grow with the number of client certs.

Anyway, thanks for demystifying WL’s security framework. I can’t tell you how much your blog has already helped my understanding.

-kevin