From f510989cbbf7e8069ef976d16b22f924d3407eda Mon Sep 17 00:00:00 2001 From: Ben Alex Date: Sun, 20 Mar 2005 23:09:56 +0000 Subject: [PATCH] Minor consistency changes. --- doc/docbook/acegi.xml | 252 +++++++++++++++++++++++++----------------- 1 file changed, 152 insertions(+), 100 deletions(-) diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml index b1550f069f..e9e15b2711 100644 --- a/doc/docbook/acegi.xml +++ b/doc/docbook/acegi.xml @@ -26,7 +26,7 @@ Reference Documentation - 0.8.0 + 0.8.1 @@ -2679,7 +2679,7 @@ key: A private key to prevent modification of the nonce token login to take place. Acegi Security provides the necessary hooks so that such operations can take place, along with providing a concrete implementation that uses hashing to preserve the security of - cookie-based tokens. + cookie-based tokens. Remember-me authentication is not used with digest or basic authentication, given they are often not used with @@ -3812,106 +3812,158 @@ $CATALINA_HOME/bin/startup.sh - X.509 Authentication - - Overview - The most common use of X.509 certificate authentication is - in verifying the identity of a server when using SSL, most commonly when using - HTTPS from a browser. The browser will automatically check that the - certificate presented by a server has been issued (i.e. digitally - signed) by one of a list of trusted certificate authorities which - it maintains. - - You can also use SSL with mutual authentication; - the server will then request a valid certificate from the client - as part of the SSL handshake. The server will authenticate the client by checking - that it's certificate is signed by an acceptable authority. If a valid certificate - has been provided, it can be obtained through the servlet API in an application. - The Acegi X.509 module extracts the certificate using a filter and passes it to the - configured X.509 authentication provider to allow any additional application-specific - checks to be applied. It also maps the certificate to an application user and loads that - user's set of granted authorities for use with the standard Acegi infrastructure. - - You should be familiar with using certificates and setting up client authentication for your - servlet container before attempting to use it with Acegi. Most of the work is in - creating and installing suitable certificates and keys. For example, if you're using Tomcat then - read the instructions here . - It's important that you get this working before trying it out with Acegi. - - - - X.509 with Acegi Security - With X.509 authentication, there is no explicit login procedure so the implementation - is relatively simple; there is no need to redirect requests in order to interact with the - user. As a result, some of the classes behave slightly differently from their equivalents in other packages. - For example, the default entry point class, which is normally responsible for starting the authentication - process, is only invoked if the certificate is rejected and it always returns an error to the user. - With a suitable bean configuration, the normal sequence of events is as follows - - The X509ProcessingFilter extracts the certificate - from the request and uses it as the credentials for an authentication request. The - request is an X509AuthenticationToken. The request is passed to - the authentication manager. - The X509AuthenticationProvider receives - the token. It's main concern is to obtain the user information (in particular the user's - granted authorities) which match the certificate. It delegates this responsibility - to an X509AuthoritiesPopulator.. - The populator's single method, - getUserDetails(X509Certificate userCertificate) is invoked. - Implementations should return a UserDetails instance containing - the set of GrantedAuthority objects for the user. This method can - also choose to reject the certificate (for example if it doesn't contain a matching user name). - It should then throw a BadCredentialsException. A dao-based - implementation DaoX509AuthoritiesPopulator is provided which extracts - the user's name from the subject common name in the certificate. It also allows - you to set your own regular expression to match a different part of the subject distinguished - name. It uses an AuthenticationDao to load the user information. - - - If everything has gone smoothly then there should be a valid - Authentication object in the secure context and the invocation will procede - as normal. If no certificate was found, or the certificate was rejected, then the - SecurityEnforcementFilter will invoke the - X509ProcessingFilterEntryPoint which returns a 403 error to the - user. - - - - - Configuring the X.509 Provider - There is a version of the contacts sample application which uses X.509. - Copy the beans and filter setup from this as a starting point for configuring your own application. - A set of example certificates is also included which you can use to configure your server. These are + X509 Authentication - - marissa.p12 A PKCS12 format file containing the client key and certificate. These should - be installed in your browser. It maps to the user marissa in the application. - server.p12 The server certificate and key for HTTPS connections. - ca.jks A Java keystore containing the certificate for the authority which issued marissa's - certificate. This will be used by the container to validate client certificates. - - - For JBoss 3.2.7 (with Tomcat 5.0), the SSL configuration in the server.xml file looks like this - - <!-- SSL/TLS Connector configuration --> - <Connector port="8443" address="${jboss.bind.address}" - maxThreads="100" minSpareThreads="5" maxSpareThreads="15" - scheme="https" secure="true" - sslProtocol = "TLS" - clientAuth="true" keystoreFile="${jboss.server.home.dir}/conf/server.p12" - keystoreType="PKCS12" keystorePass="password" - truststoreFile="${jboss.server.home.dir}/conf/ca.jks" - truststoreType="JKS" truststorePass="password" - /> - - clientAuth can also be set to want if you still want SSL connections to - succeed even if the client doesn't provide a certificate. Obviously these clients won't be able to access any Acegi-secured - objects. - - - + + Overview + + The most common use of X509 certificate authentication is in + verifying the identity of a server when using SSL, most commonly when + using HTTPS from a browser. The browser will automatically check that + the certificate presented by a server has been issued (ie digitally + signed) by one of a list of trusted certificate authorities which it + maintains. + + You can also use SSL with mutual authentication; + the server will then request a valid certificate from the client as + part of the SSL handshake. The server will authenticate the client by + checking that it's certificate is signed by an acceptable authority. + If a valid certificate has been provided, it can be obtained through + the servlet API in an application. The Acegi Security X509 module + extracts the certificate using a filter and passes it to the + configured X509 authentication provider to allow any additional + application-specific checks to be applied. It also maps the + certificate to an application user and loads that user's set of + granted authorities for use with the standard Acegi Security + infrastructure. + + You should be familiar with using certificates and setting up + client authentication for your servlet container before attempting to + use it with Acegi Security. Most of the work is in creating and + installing suitable certificates and keys. For example, if you're + using Tomcat then read the instructions here . + It's important that you get this working before trying it out with + Acegi Security. + + + + X509 with Acegi Security + + With X509 authentication, there is no explicit login procedure + so the implementation is relatively simple; there is no need to + redirect requests in order to interact with the user. As a result, + some of the classes behave slightly differently from their equivalents + in other packages. For example, the default entry point + class, which is normally responsible for starting the authentication + process, is only invoked if the certificate is rejected and it always + returns an error to the user. With a suitable bean configuration, the + normal sequence of events is as follows + + + + The X509ProcessingFilter extracts + the certificate from the request and uses it as the credentials + for an authentication request. The generated authentication + request is an X509AuthenticationToken. + The request is passed to the authentication manager. + + + + + + The X509AuthenticationProvider + receives the token. Its main concern is to obtain the user + information (in particular the user's granted authorities) that + matches the certificate. It delegates this responsibility to an + X509AuthoritiesPopulator. + + + . + + + The populator's single method, + getUserDetails(X509Certificate + userCertificate) is invoked. Implementations should + return a UserDetails instance containing + the array of GrantedAuthority objects for + the user. This method can also choose to reject the certificate + (for example if it doesn't contain a matching user name). In + such cases it should throw a + BadCredentialsException. A + DAO-based implementation, + DaoX509AuthoritiesPopulator, is provided + which extracts the user's name from the subject common + name (CN) in the certificate. It also allows you to set + your own regular expression to match a different part of the + subject's distinguished name. An + AuthenticationDao is used to load the + user information. + + + + + + If everything has gone smoothly then there should be a + valid Authentication object in the secure + context and the invocation will procede as normal. If no + certificate was found, or the certificate was rejected, then the + SecurityEnforcementFilter will invoke the + X509ProcessingFilterEntryPoint which + returns a 403 error (forbidden) to the user. + + + + + + + + Configuring the X509 Provider + + There is a version of the contacts sample application which + uses X509. Copy the beans and filter setup from this as a starting + point for configuring your own application. A set of example + certificates is also included which you can use to configure your + server. These are + + marissa.p12: A PKCS12 format file + containing the client key and certificate. These should be + installed in your browser. It maps to the user + marissa in the application. + + + + server.p12: The server certificate + and key for HTTPS connections. + + + + ca.jks: A Java keystore containing + the certificate for the authority which issued marissa's + certificate. This will be used by the container to validate + client certificates. + + For JBoss 3.2.7 (with Tomcat 5.0), the SSL + configuration in the server.xml file looks like + this <!-- SSL/TLS Connector configuration --> +<Connector port="8443" address="${jboss.bind.address}" + maxThreads="100" minSpareThreads="5" maxSpareThreads="15" + scheme="https" secure="true" + sslProtocol = "TLS" + clientAuth="true" keystoreFile="${jboss.server.home.dir}/conf/server.p12" + keystoreType="PKCS12" keystorePass="password" + truststoreFile="${jboss.server.home.dir}/conf/ca.jks" + truststoreType="JKS" truststorePass="password" +/>clientAuth can also be set to + want if you still want SSL connections to + succeed even if the client doesn't provide a certificate. Obviously + these clients won't be able to access any objects secured by Acegi + Security (unless you use a non-X509 authentication mechanism, such as + BASIC authentication, to authenticate the user). + - + Channel Security