org.restlet.security

Class CertificateAuthenticator

java.lang.Object

org.restlet.Restlet

org.restlet.routing.Filter

org.restlet.security.Authenticator

org.restlet.security.CertificateAuthenticator

All Implemented Interfaces:

Uniform

public class CertificateAuthenticator
extends Authenticator

Authenticator based on the SSL client certificate. If a client certificate is presented, and accepted by your SSL certificate truststore, it adds the Principal of its subject to the list of principals in the request's ClientInfo. It also sets the user to be a new User based on this Principal. getPrincipals(List) and getUser(Principal) can be overridden to change the default behavior.

Author:

Bruno Harbulot (bruno/distributedmatter.net)

Field Summary

Fields inherited from class org.restlet.routing.Filter

CONTINUE, SKIP, STOP

Constructor Summary

Constructors

Constructor and Description
CertificateAuthenticator(Context context)

Method Summary

Modifier and Type	Method and Description
protected boolean	authenticate(Request request, Response response) Authenticates the call using the X.509 client certificate.
protected java.util.List<java.security.Principal>	getPrincipals(java.util.List<java.security.cert.Certificate> certificateChain) Extracts the Principal of the subject to use from a chain of certificate.
protected User	getUser(java.security.Principal principal) Creates a new User based on the subject's X500Principal.

Methods inherited from class org.restlet.security.Authenticator

authenticated, beforeHandle, getEnroler, isMultiAuthenticating, isOptional, setEnroler, setMultiAuthenticating, setOptional, unauthenticated

Methods inherited from class org.restlet.routing.Filter

afterHandle, doHandle, getNext, handle, hasNext, setNext, setNext, start, stop

Methods inherited from class org.restlet.Restlet

createFinder, finalize, getApplication, getAuthor, getContext, getDescription, getFinderClass, getLogger, getName, getOwner, handle, handle, handle, isStarted, isStopped, setAuthor, setContext, setDescription, setFinderClass, setName, setOwner

Methods inherited from class java.lang.Object

clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CertificateAuthenticator

public CertificateAuthenticator(Context context)

Parameters:

context -

Method Detail

getPrincipals

protected java.util.List<java.security.Principal> getPrincipals(java.util.List<java.security.cert.Certificate> certificateChain)

Extracts the Principal of the subject to use from a chain of certificate. By default, this is the X500Principal of the subject subject of the first certificate in the chain.

Parameters:

certificateChain - chain of client certificates.

Returns:

Principal of the client certificate or null if the chain is empty.

See Also:

X509Certificate, X500Principal

getUser

protected User getUser(java.security.Principal principal)

Creates a new User based on the subject's X500Principal. By default, the user name is the subject distinguished name, formatted accorded to RFC 2253. Some may choose to extract the Common Name only, for example.

Parameters:

principal - subject's Principal (most likely X500Principal).

Returns:

User instance corresponding to this principal or null.

authenticate

protected boolean authenticate(Request request,
                               Response response)

Authenticates the call using the X.509 client certificate. The verification of the credentials is normally done by the SSL layer, via the TrustManagers. It uses the certificate chain in the request's "org.restlet.https.clientCertificates" attribute, adds the principal returned from this chain by getPrincipals(List) to the request's ClientInfo and set the user to the result of getUser(Principal) if that user is non-null. If no client certificate is available, then a 401 status is set.

Specified by:

authenticate in class Authenticator

Parameters:

request - The request sent.

response - The response to update.

Returns:

True if the authentication succeeded.