org.restlet.ext.ssl
Class CertificateAuthenticator

java.lang.Object
  extended by org.restlet.Restlet
      extended by org.restlet.routing.Filter
          extended by org.restlet.security.Authenticator
              extended by org.restlet.ext.ssl.CertificateAuthenticator
All Implemented Interfaces:
Uniform

public class CertificateAuthenticator
extends Authenticator

Authenticator based on the SSL client certificate. If a client certificate is presented, and accepted by your SSL certificate truststore, it adds the Principal of its subject to the list of principals in the request's ClientInfo. It also sets the user to be a new User based on this Principal. getPrincipals(List) and getUser(Principal) can be overridden to change the default behavior.

Author:
Bruno Harbulot (bruno/distributedmatter.net)

Field Summary
 
Fields inherited from class org.restlet.routing.Filter
CONTINUE, SKIP, STOP
 
Constructor Summary
CertificateAuthenticator(Context context)
           
 
Method Summary
protected  boolean authenticate(Request request, Response response)
          Authenticates the call using the X.509 client certificate.
protected  List<Principal> getPrincipals(List<Certificate> certificateChain)
          Extracts the Principal of the subject to use from a chain of certificates.
protected  User getUser(Principal principal)
          Creates a new User based on the subject's X500Principal.
 
Methods inherited from class org.restlet.security.Authenticator
authenticated, beforeHandle, getEnroler, isMultiAuthenticating, isOptional, setEnroler, setMultiAuthenticating, setOptional, unauthenticated
 
Methods inherited from class org.restlet.routing.Filter
afterHandle, doHandle, getNext, handle, hasNext, setNext, setNext, start, stop
 
Methods inherited from class org.restlet.Restlet
createFinder, finalize, getApplication, getAuthor, getContext, getDescription, getFinderClass, getLogger, getName, getOwner, handle, handle, handle, isStarted, isStopped, setAuthor, setContext, setDescription, setFinderClass, setName, setOwner
 
Methods inherited from class java.lang.Object
clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CertificateAuthenticator

public CertificateAuthenticator(Context context)
Parameters:
context -
Method Detail

getPrincipals

protected List<Principal> getPrincipals(List<Certificate> certificateChain)
Extracts the Principal of the subject to use from a chain of certificates. By default, this is the X500Principal of the subject of the first certificate in the chain.

Parameters:
certificateChain - chain of client certificates.
Returns:
Principal of the client certificate or null if the chain is empty.
See Also:
X509Certificate, X500Principal

getUser

protected User getUser(Principal principal)
Creates a new User based on the subject's X500Principal. By default, the user name is the subject distinguished name, formatted according to RFC 2253. Some may choose to extract the Common Name only, for example.

Parameters:
principal - subject's Principal (most likely X500Principal).
Returns:
User instance corresponding to this principal or null.

authenticate

protected boolean authenticate(Request request,
                               Response response)
Authenticates the call using the X.509 client certificate. The verification of the credentials is normally done by the SSL layer, via the TrustManagers. It uses the certificate chain in the request's "org.restlet.https.clientCertificates" attribute, adds the principal returned from this chain by getPrincipals(List) to the request's ClientInfo and sets the user to the result of getUser(Principal) if that user is non-null. If no client certificate is available, then a 401 status is set.

Specified by:
authenticate in class Authenticator
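Added example (not part of Restlet or this Javadoc): a hypothetical subclass that overrides getUser(Principal) to use only the subject's Common Name as the user identifier, the variation mentioned under getUser above. The class name CommonNameCertificateAuthenticator and the helper extractCommonName are assumptions; the trust decision itself still happens in the SSL layer before authenticate(Request, Response) runs.

```java
import java.security.Principal;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

import org.restlet.Context;
import org.restlet.ext.ssl.CertificateAuthenticator;
import org.restlet.security.User;

/** Hypothetical subclass: maps the client certificate's subject DN to a User named by its CN. */
public class CommonNameCertificateAuthenticator extends CertificateAuthenticator {

    public CommonNameCertificateAuthenticator(Context context) {
        super(context);
    }

    @Override
    protected User getUser(Principal principal) {
        if (principal == null) {
            return null; // no subject principal, so authenticate() leaves the call unauthenticated
        }
        // The default implementation would use the full RFC 2253 DN; parse it to isolate the CN.
        String dn = (principal instanceof X500Principal)
                ? ((X500Principal) principal).getName(X500Principal.RFC2253)
                : principal.getName();
        String cn = extractCommonName(dn);
        if (cn == null || cn.isEmpty()) {
            return null; // refuse to create a user with an empty identifier
        }
        return new User(cn);
    }

    /** Returns the most specific CN in an RFC 2253 DN, or null if absent or unparsable. */
    static String extractCommonName(String dn) {
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns(); // index 0 is the rightmost (least specific) RDN
            for (int i = rdns.size() - 1; i >= 0; i--) {
                if ("CN".equalsIgnoreCase(rdns.get(i).getType())) {
                    return String.valueOf(rdns.get(i).getValue());
                }
            }
        } catch (InvalidNameException e) {
            return null;
        }
        return null;
    }
}
```

Attach it like any Filter, with setNext(Restlet) pointing at the router it guards; the principal added to ClientInfo by authenticate() is still the full X500Principal, only the User identifier changes.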


Copyright © 2005-2013 Restlet.