http://issues.apache.org/bugzilla/show_bug.cgi?id=7831

------- Additional Comments From [EMAIL PROTECTED] 2006-01-28 00:40 -------

I have committed a couple of changes that should make this a lot easier.

Given the wide variety of options for mapping from certificates to users in the directory, I have left the default as certificate DN == user DN. To change this you will need to extend JNDIRealm and override getPrincipal(X509Certificate). In my testing I used the following:

    // Requires java.security.Principal, java.security.cert.X509Certificate
    // and java.util.StringTokenizer.
    protected Principal getPrincipal(X509Certificate usercert) {
        // Split the subject DN into its comma-separated components.
        StringTokenizer dnTokens =
            new StringTokenizer(usercert.getSubjectDN().getName(), ",");
        while (dnTokens.hasMoreTokens()) {
            // Trim: components after the first usually follow a space.
            String token = dnTokens.nextToken().trim();
            // regionMatches does not throw on tokens shorter than 3 chars.
            if (token.regionMatches(true, 0, "cn=", 0, 3)) {
                // Look the user up in the directory by the CN value.
                return getPrincipal(token.substring(3));
            }
        }
        // No CN component in the subject DN.
        return null;
    }

Since the user certificate is public, it isn't much use (on its own) as a credential for authentication. It is the combination of the user's possession of the private key associated with the certificate, the subject of the certificate and the chain of certificates back to a CA you trust that matters. Therefore, I have not incorporated a direct comparison of the certificate presented by the user with what may be held in the directory.

Let me know how you get on. Barring any major problems in your testing, I'll port the changes back to 4.1.x and close this bug.
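An added example, not part of the original comment or of Tomcat's code: the CN extraction from the override above, done with the JDK's RFC 2253 parser (javax.naming.ldap.LdapName) so that escaped commas, multi-valued RDNs and a missing CN are handled. The class name CertCnExample and the helper commonName are hypothetical; in a JNDIRealm subclass the helper would be fed usercert.getSubjectX500Principal().getName() and a non-null result passed to getPrincipal(String).

```java
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CertCnExample {

    /** Returns the most specific CN value of an RFC 2253 DN, or null if none. */
    static String commonName(String dn) {
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns();
            // getRdns() puts the rightmost RDN at index 0, so walk backwards
            // to visit the leftmost (most specific) component first.
            for (int i = rdns.size() - 1; i >= 0; i--) {
                // toAttributes() also covers multi-valued RDNs (OU=x+CN=y)
                // and matches the attribute type case-insensitively.
                Attribute cn = rdns.get(i).toAttributes().get("cn");
                if (cn != null && cn.get() instanceof String) {
                    return (String) cn.get(); // value is already unescaped
                }
            }
        } catch (NamingException e) {
            // Malformed DN: treat as "no principal" rather than guessing.
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample DNs, not taken from any real certificate.
        String[] samples = {
            "CN=alice,OU=People,O=Example",
            "OU=People, cn=bob, O=Example",
            "CN=Smith\\, John,OU=People,O=Example",
            "OU=People+CN=carol,O=Example",
            "OU=People,O=Example",
        };
        for (String dn : samples) {
            System.out.println(dn + " -> " + commonName(dn));
        }
    }
}
```

The third sample is the case a plain comma split gets wrong: the escaped comma belongs to the CN value, so splitting on "," would cut the name in two and look up the wrong user.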