org.restlet.ext.ssl
Class CertificateAuthenticator
java.lang.Object
org.restlet.Restlet
org.restlet.routing.Filter
org.restlet.security.Authenticator
org.restlet.ext.ssl.CertificateAuthenticator
- All Implemented Interfaces:
- Uniform
public class CertificateAuthenticator
- extends Authenticator
Authenticator based on the SSL client certificate. If a client certificate is
presented, and accepted by your SSL certificate truststore, it adds the
Principal of its subject to the list of principals in the request's
ClientInfo. It also sets the user to be a new User based on this Principal.
#getPrincipal(List)
and getUser(Principal)
can be overridden
to change the default behavior.
- Author:
- Bruno Harbulot (bruno/distributedmatter.net)
Methods inherited from class org.restlet.Restlet |
createFinder, finalize, getApplication, getAuthor, getContext, getDescription, getFinderClass, getLogger, getName, getOwner, handle, handle, handle, isStarted, isStopped, setAuthor, setContext, setDescription, setFinderClass, setName, setOwner |
CertificateAuthenticator
public CertificateAuthenticator(Context context)
- Parameters:
context
-
getPrincipals
protected List<Principal> getPrincipals(List<Certificate> certificateChain)
- Extracts the Principal of the subject to use from a chain of certificate.
By default, this is the X500Principal of the subject subject of the first
certificate in the chain.
- Parameters:
certificateChain
- chain of client certificates.
- Returns:
- Principal of the client certificate or null if the chain is
empty.
- See Also:
X509Certificate
,
X500Principal
getUser
protected User getUser(Principal principal)
- Creates a new User based on the subject's X500Principal. By default, the
user name is the subject distinguished name, formatted accorded to RFC
2253. Some may choose to extract the Common Name only, for example.
- Parameters:
principal
- subject's Principal (most likely X500Principal).
- Returns:
- User instance corresponding to this principal or null.
authenticate
protected boolean authenticate(Request request,
Response response)
- Authenticates the call using the X.509 client certificate. The
verification of the credentials is normally done by the SSL layer, via
the TrustManagers.
It uses the certificate chain in the request's
"org.restlet.https.clientCertificates" attribute, adds the principal
returned from this chain by
#getPrincipal(List)
to the request's
ClientInfo and set the user to the result of getUser(Principal)
if that user is non-null.
If no client certificate is available, then a 401 status is set.
- Specified by:
authenticate
in class Authenticator
Copyright © 2005-2013 Restlet.