org.dspace.authenticate
Class X509Authentication

java.lang.Object
  extended by org.dspace.authenticate.X509Authentication
All Implemented Interfaces:
AuthenticationMethod

public class X509Authentication
extends Object
implements AuthenticationMethod

Implicit authentication method that gets credentials from the X.509 client certificate supplied by the HTTPS client when connecting to this server. The email address in that certificate is taken as the authenticated user name with no further checking, so be sure your HTTP server (e.g. Tomcat) is configured correctly to accept only client certificates it can validate.

See the AuthenticationMethod interface for more details.

Configuration:

   authentication.x509.keystore.path =
       path to Java keystore file
   authentication.x509.keystore.password =
       password to access the keystore
   authentication.x509.ca.cert =
       path to certificate file for the CA whose client certs to accept.
   authentication.x509.autoregister =
       "true" if an E-Person is created automatically for unknown new users.
   authentication.x509.groups =
       comma-delimited list of special groups to add the user to if authenticated.
   authentication.x509.emaildomain =
       email address domain (after the 'at' symbol) to match before allowing
       membership in special groups.

Only one of the "keystore.path" or "ca.cert" options is required. If you supply a keystore, then all of the "trusted" certificates in the keystore represent CAs whose client certificates will be accepted. The ca.cert option only allows a single CA to be named.

You can configure both a keystore and a CA cert, and both will be used.

The autoregister configuration parameter determines what the canSelfRegister() method returns. It also allows an EPerson record to be created automatically when the presented certificate is acceptable but there is no corresponding EPerson.
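As an added illustration (not DSpace's own code), the following standalone Java sketch shows the rules described above: every trusted certificate in the keystore plus the single ca.cert are the accepted CAs, the authenticated user name is the email address read from an accepted certificate's subject DN, and special groups are granted only when that email's domain matches the configured emaildomain. The class and method names are assumptions, and Java 11 APIs are assumed; only the certificate signature and validity period are checked here, with revocation and path constraints left to the HTTPS server's own client-certificate validation, as the class description requires.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/** Standalone sketch of the trust and special-group rules described above (not DSpace's code). */
public class X509TrustSketch {
    // OID of the DN emailAddress attribute, mapped to a keyword so getName() renders it as text
    private static final Map<String, String> EMAIL_OID = Map.of("1.2.840.113549.1.9.1", "EMAILADDRESS");
    private final List<X509Certificate> trustedCAs = new ArrayList<>();  // keystore CAs plus ca.cert
    /** keystore.path / keystore.password: every trusted-certificate entry counts as an accepted CA. */
    public void loadKeystore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password.toCharArray()); }
        for (String alias : Collections.list(ks.aliases()))
            if (ks.isCertificateEntry(alias)) trustedCAs.add((X509Certificate) ks.getCertificate(alias));
    }
    /** ca.cert: a single extra CA; may be combined with the keystore. */
    public void addCA(X509Certificate ca) { trustedCAs.add(ca); }
    /** Email from the client cert if it is within validity and signed by a trusted CA; null otherwise. */
    public String authenticatedEmail(HttpServletRequest request) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) return null;  // no client certificate presented
        for (X509Certificate ca : trustedCAs) {
            try {
                chain[0].checkValidity();              // not expired or not yet valid
                chain[0].verify(ca.getPublicKey());    // signature made with this CA's key
                return emailOf(chain[0]);
            } catch (Exception notThisCA) { /* try the next trusted CA */ }
        }
        return null;  // caller maps this to BAD_CREDENTIALS
    }
    /** emailAddress attribute of the subject DN (naive split: assumes no escaped commas in values). */
    static String emailOf(X509Certificate cert) {
        for (String rdn : cert.getSubjectX500Principal().getName(X500Principal.RFC2253, EMAIL_OID).split(",")) {
            String[] kv = rdn.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equalsIgnoreCase("EMAILADDRESS")) return kv[1];
        }
        return null;
    }
    /** groups / emaildomain: special groups are granted only when the email's domain matches. */
    public static List<String> specialGroups(String email, String emailDomain, String groupsCsv) {
        if (email == null || groupsCsv == null || groupsCsv.isBlank()) return List.of();
        String domain = email.substring(email.indexOf('@') + 1);  // no '@' leaves the whole address, which never matches
        if (emailDomain != null && !emailDomain.isBlank() && !domain.equalsIgnoreCase(emailDomain)) return List.of();
        return Arrays.asList(groupsCsv.split("\\s*,\\s*"));
    }
}
```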

Version:
$Revision: 4637 $
Author:
Larry Stone

Field Summary

Fields inherited from interface org.dspace.authenticate.AuthenticationMethod
BAD_ARGS, BAD_CREDENTIALS, CERT_REQUIRED, NO_SUCH_USER, SUCCESS

Constructor Summary
X509Authentication()

Method Summary
 boolean allowSetPassword(Context context, javax.servlet.http.HttpServletRequest request, String username)
          We don't use the EPerson password, so there is no reason to change it.
 int authenticate(Context context, String username, String password, String realm, javax.servlet.http.HttpServletRequest request)
          X509 certificate authentication.
 boolean canSelfRegister(Context context, javax.servlet.http.HttpServletRequest request, String username)
          Predicate, can new user automatically create EPerson.
 int[] getSpecialGroups(Context context, javax.servlet.http.HttpServletRequest request)
          Return special groups configured in dspace.cfg for X509 certificate authentication.
 void initEPerson(Context context, javax.servlet.http.HttpServletRequest request, EPerson eperson)
          Nothing extra to initialize.
 boolean isImplicit()
          Returns true, this is an implicit method.
 String loginPageTitle(Context context)
          Returns message key for title of the "login" page, to use in a menu showing the choice of multiple login methods.
 String loginPageURL(Context context, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Returns URL of password-login servlet.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

X509Authentication

public X509Authentication()
Method Detail

canSelfRegister

public boolean canSelfRegister(Context context,
                               javax.servlet.http.HttpServletRequest request,
                               String username)
                        throws SQLException
Predicate, can new user automatically create EPerson. Checks configuration value. You'll probably want this to be true to take advantage of a Web certificate infrastructure with many more users than are already known by DSpace.

Specified by:
canSelfRegister in interface AuthenticationMethod
Parameters:
context - DSpace context
request - HTTP request, in case it's needed. May be null.
username - Username, if available. May be null.
Returns:
true if new ePerson should be created.
Throws:
SQLException

initEPerson

public void initEPerson(Context context,
                        javax.servlet.http.HttpServletRequest request,
                        EPerson eperson)
                 throws SQLException
Nothing extra to initialize.

Specified by:
initEPerson in interface AuthenticationMethod
Parameters:
context - DSpace context
request - HTTP request, in case it's needed. May be null.
eperson - newly created EPerson record - email + information from the registration form will have been filled out.
Throws:
SQLException

allowSetPassword

public boolean allowSetPassword(Context context,
                                javax.servlet.http.HttpServletRequest request,
                                String username)
                         throws SQLException
We don't use the EPerson password, so there is no reason to change it.

Specified by:
allowSetPassword in interface AuthenticationMethod
Parameters:
context - DSpace context
request - HTTP request, in case it's needed. May be null.
username - Username, if available. May be null.
Returns:
true if this method allows user to change ePerson password.
Throws:
SQLException

isImplicit

public boolean isImplicit()
Returns true, this is an implicit method.

Specified by:
isImplicit in interface AuthenticationMethod
Returns:
true if this method uses implicit authentication.

getSpecialGroups

public int[] getSpecialGroups(Context context,
                              javax.servlet.http.HttpServletRequest request)
                       throws SQLException
Return special groups configured in dspace.cfg for X509 certificate authentication.

Specified by:
getSpecialGroups in interface AuthenticationMethod
Parameters:
context - DSpace context
request - HTTP request object potentially containing the cert
Returns:
An int array of group IDs
Throws:
SQLException

authenticate

public int authenticate(Context context,
                        String username,
                        String password,
                        String realm,
                        javax.servlet.http.HttpServletRequest request)
                 throws SQLException
X509 certificate authentication. The client certificate is obtained from the ServletRequest object.

Specified by:
authenticate in interface AuthenticationMethod
Parameters:
context - DSpace context, will be modified (ePerson set) upon success.
username - Username (or email address) when method is explicit. Use null for implicit method.
password - Password for explicit auth, or null for implicit method.
realm - Realm is an extra parameter used by some authentication methods, leave null if not applicable.
request - The HTTP request that started this operation, or null if not applicable.
Returns:
One of: SUCCESS, BAD_CREDENTIALS, NO_SUCH_USER, BAD_ARGS
Throws:
SQLException

loginPageURL

public String loginPageURL(Context context,
                           javax.servlet.http.HttpServletRequest request,
                           javax.servlet.http.HttpServletResponse response)
Returns URL of password-login servlet.

Specified by:
loginPageURL in interface AuthenticationMethod
Parameters:
context - DSpace context, will be modified (EPerson set) upon success.
request - The HTTP request that started this operation, or null if not applicable.
response - The HTTP response from the servlet method.
Returns:
fully-qualified URL

loginPageTitle

public String loginPageTitle(Context context)
Returns message key for title of the "login" page, to use in a menu showing the choice of multiple login methods.

Specified by:
loginPageTitle in interface AuthenticationMethod
Parameters:
context - DSpace context, will be modified (EPerson set) upon success.
Returns:
Message key to look up in i18n message catalog.


Copyright © 2010 DuraSpace. All Rights Reserved.