Silva
My problem is:
Getting the username from a client certificate. The getRemoteUser()
returns null.
The components of my solution are:
- Web server i-planet
- Websphere Application Server v6.1
- Websphere plugin for web server
The solution that I'm trying to create is the following:
- Authentication with client certificate
- The certificate carries in the subject the email from which I
get the username
- The certificate (and its username) must be authenticated in the
web server under LDAP repository
- I don't intend to install the public side of the certificate in
the keystore of websphere (it must be only in the iPlanet web server)
- I wanna get in the request the username of the certificate (with
the method getRemoteUser()) after it is considered valid by the
iPlanet.
I've made several configurations to test the solution and I get this
interesting result:
- If I turn off the application security, the username of the
certificate is returned by the function request.getRemoteUser().
But this is not a solution because I need the security turned on to
allow the authentication in the Active Directory.
The configuration that I think I need to make my solution work is:
- Application security of websphere turned on
- Don't add any security constraint (or I will need to map roles to
users and groups)
What I think is happening:
- The information of the username, connected in the network by
Windows, is sent by the browser.
- The webserver, after the information is validated, adds the
information of the certificate.
(with security constraint)
- When the information is received in the webserver it will validate
that the user comes from Windows connected in the Active Directory and
gives it as valid;
(without security constraint)
- The function getRemoteUser() returns null just as is described on
page 106 of the Redbook Websphere Security Handbook.
The answer to my problem is:
- In your hands... Maybe if I use two authentication repositories and
I get a way to say which username I can use first and which repository
will validate him... I've no idea!