
Provide method to access X509 client certificates

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.1
    • Fix Version/s: ice box
    • Component/s: None
    • Labels: None
    • Environment: Operating System: All; Platform: All
    • Issuezilla Id: 100

      Description

      JAX-RS should provide a way to access the X509 certificate of the client.
      Currently this seems to be possible only with a Servlet-based implementation.

      see https://jsr311.dev.java.net/servlets/ReadMsg?list=users&msgNo=1068

        Activity

        rebach added a comment -

        Maybe this could just use @Inject on an argument or field of type X509Certificate[].

        bblfish added a comment -

        The original thread has been lost above. It can be found here now:
        http://java.net/nonav/projects/jsr311/lists/users/archive/2010-06/message/1

        The reason why this is needed is that:
        1. Not all web servers are Servlet-based.
        2. The Servlet-based solution is more of a bad hack than anything else.

        Just for reference, this is the current standard solution:

        X509Certificate[] certificates =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

        That is very opaque.

        bblfish added a comment -

        Perhaps the correct solution is to get the authentication layer to place the X509 certificate in the Subject, as explained in the JAAS Guide
        http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html#Subject

        This is what we did at the Clerezza incubator project. The FoafSslAuthentication class creates a new subject with a wrapped X509Claim.

        https://svn.apache.org/repos/asf/incubator/clerezza/trunk/parent/platform.security.foafssl/core/src/main/scala/org/apache/clerezza/foafssl/auth/FoafSslAuthentication.scala

        Then this can be called everywhere because the subject is always associated with the thread of execution, as in this class

        https://svn.apache.org/repos/asf/incubator/clerezza/trunk/parent/platform.security.foafssl/test/src/main/scala/org/apache/clerezza/foafssl/test/WebIDTester.scala

        where getSubject just is the code

        import java.security.AccessControlContext;
        import java.security.AccessController;
        import java.security.PrivilegedActionException;
        import java.security.PrivilegedExceptionAction;
        import javax.security.auth.Subject;

        /** Returns the Subject bound to the given access-control context, or null if none is associated. */
        public static Subject getSubject(final AccessControlContext context) {
            Subject subject;
            try {
                // Subject.getSubject requires the "getSubject" AuthPermission, so it runs in a privileged block.
                subject = AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() {
                    @Override
                    public Subject run() throws Exception {
                        return Subject.getSubject(context);
                    }
                });
            } catch (PrivilegedActionException ex) {
                // Unwrap the checked exception thrown inside run(); rethrow runtime exceptions unchanged.
                Exception cause = (Exception) ex.getCause();
                if (cause instanceof RuntimeException) {
                    throw (RuntimeException) cause;
                }
                throw new RuntimeException(cause);
            }
            return subject;
        }

        and the context can be got with the static java method AccessController.getContext()

        bblfish added a comment -

        this was discussed on the Clerezza list here https://issues.apache.org/jira/browse/CLEREZZA-481

        Santiago Pericas-Geertsen added a comment -

        Authentication and related topics have been pushed to MR. Moving to ice box.

        rebach added a comment -

        Not sure what "pushed to MR" means. But while I think that specifying "authentication and related topics" is not something in any way urgent for JAX-RS, giving ways to access all the relevant information of a request in a JAX-RS application is indeed urgent. Requiring applications to fall back to the servlet level defeats the purpose of having a higher level of abstraction. Also, standardizing this seems neither complicated nor implying major architectural choices.

        X509Certificate[] certificates = request.getX509Certificates();

        would do the trick.

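As an added illustration of what bblfish's servlet-attribute comment and rebach's last comment argue for (this is not code from the issue, the JAX-RS spec or the Clerezza project), here is a JAX-RS 2.x filter that hides the servlet attribute behind the standard SecurityContext: it handles the case where the connection carried no client certificate, re-checks the leaf certificate's validity window, and exposes the certificate subject as the caller's Principal under the spec's CLIENT_CERT_AUTH scheme. The class names ClientCertFilter and CertSecurityContext are chosen here, and the code assumes a servlet-based runtime that injects HttpServletRequest into providers.

```java
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Hypothetical filter: lifts the servlet certificate attribute into the JAX-RS SecurityContext. */
@Provider
public class ClientCertFilter implements ContainerRequestFilter {
    /** Attribute name defined by the Servlet specification for the TLS client certificate chain. */
    private static final String SERVLET_ATTR = "javax.servlet.request.X509Certificate";

    @Context
    private HttpServletRequest servletRequest; // assumed injectable in servlet-based JAX-RS deployments

    @Override
    public void filter(ContainerRequestContext ctx) {
        Object attr = servletRequest.getAttribute(SERVLET_ATTR);
        // Absent or empty: plain TLS, or the container never asked for a client certificate; caller stays anonymous.
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            return;
        }
        // chain[0] is the end-entity certificate; the handshake validated the chain, only the validity window is re-checked.
        X509Certificate leaf = ((X509Certificate[]) attr)[0];
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        ctx.setSecurityContext(new CertSecurityContext(leaf, servletRequest.isSecure()));
    }

    /** Exposes the certificate subject as the caller's Principal; resources inject it via @Context SecurityContext. */
    static final class CertSecurityContext implements SecurityContext {
        private final X509Certificate leaf;
        private final boolean secure;
        CertSecurityContext(X509Certificate leaf, boolean secure) { this.leaf = leaf; this.secure = secure; }
        @Override public Principal getUserPrincipal() { return leaf.getSubjectX500Principal(); }
        @Override public boolean isUserInRole(String role) { return false; } // no role mapping in this example
        @Override public boolean isSecure() { return secure; }
        @Override public String getAuthenticationScheme() { return CLIENT_CERT_AUTH; }
    }
}
```

A resource then injects `@Context SecurityContext sc` and reads `sc.getUserPrincipal()`, which is null for callers that presented no certificate, so the resource never touches the servlet API.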

          People

          • Assignee: Unassigned
          • Reporter: rebach
          • Votes: 1
          • Watchers: 0
