Changeset 1118

Timestamp:

2009-03-05 13:09:02 (4 years ago)

Author:

bruno

Message:

Security: add an authentication mechanism for Belgian eID.

Since this is just a case of ssl client authentication, it is essentially a matter of web server configuration and redirecting to a https URL. To make it somewhat nicer, before redirecting you can optionally show a page to the user.
To map the certificate to a user (principal) in your application, an BelgianEidPrincipalExtractor? interface is available.
Added a sample to kauri-security-sample, which should be readily usable as the HTTPS connector is enabled for this sample, and a keystore with a self-signed certificate for "localhost" is included. The keystore also contains the Belgium Root CA/CA2 certificates.

TODO:

checking of certificates for revocation (note that since the authentication mechanism runs on each request, there should be some caching applied)
see if it is possible to make this work with the Fedict's 'authentication reverse proxy' too
a limitation of HTTPS with Jetty (possibly Java?) is that you can only enable client certification for the complete domain:port, and not for subpaths within it.

Location:

trunk

Files:

trunk/modules/kauri-security/kauri-security-providers/pom.xml

-                      r1100
+                      r1118
       <groupId>org.kauriproject</groupId>
       <artifactId>kauri-security-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.kauriproject</groupId>
+      <artifactId>kauri-restlet-util</artifactId>
     </dependency>
     <dependency>

-                      r1109
+                      r1118
     </realm>
+    <!-- Belgian eID sample -->
+    <realm name="realm6">
+      <authenticationMechanisms>
+        <authenticationMechanism moduleId="samples.security" beanId="beidAuthMechanism"/>
+      </authenticationMechanisms>
+      <authenticationManager moduleId="samples.security" beanId="authenticationManager"/>
+      <accessDecisionManager moduleId="samples.security" beanId="accessDecisionManager"/>
+      <protect module="samples.security" restservice="main">
+        <protect path="/realm6/**" access="ROLE_USER"/>
+      </protect>
+    </realm>
   </realms>
 </auth>

-                      r1116
+                      r1118
       <li><a href="logout2">Logout (from realm 5)</a></li>
     </ul>
+    <h3>Realm 6: Belgian eID</h3>
+    <p>Illustrates Belgian eID authentication, which is a case of https with client certificates,
+      whereby the user's private key is stored on a smart card.</p>
+    <p>To use this sample, you need to have a Belgian eID card, a smart cart reader, and
+      <a href="http://eid.belgium.be">follow the installation instructions</a>. You will need
+    to accept the server's (= localhost) self-signed certificate.</p>
+    <ul>
+      <li><a href="realm6/eid.html">eID protected page</a></li>
+    </ul>
   </t:block>
 </html>

-                      r1115
+                      r1118
   </bean>
+  <bean id="beidAuthMechanism" class="org.kauriproject.security.providers.BelgianEidAuthenticationMechanism">
+    <property name="principalExtractor" ref="beidPrincipalExtractor"/>
+    <property name="httpsPort" value="8443"/> <!-- See also the port number in connectors.xml -->
+    <property name="challengePage" value="service:/main/belgian_eid_infopage.html"/>
+    <property name="restletContext" ref="restletContext"/>
+  </bean>
+  <bean id="beidPrincipalExtractor" class="org.kauriproject.samples.security.SampleBelgianEidPrincipalExtractor"/>
 </beans>

Note: See TracChangeset for help on using the changeset viewer.