Tomas Gustavsson | 8 Dec 14:17

patch for single sign-on using SSL client certificates


Hi, we are using SSL with client certificate authentication to all our
web-pages. Naturally, using this, one would like to authenticate the users with
the certificate instead of username/password. So I hacked up a small patch to
snipsnap that will grab the username from the authenticated certificate and use
that. The user still has to be registered as a snipsnap user of course, but
he/she is automagically logged in when going to snipsnap.

The essence of my patch in DefaultSessionService is below.

Are the snipsnap authors/community interested in such a patch in the real
snipsnap distribution?

Cheers,
Tomas

     /**
    * Get user from session or cookie.
    */
   public User getUser(HttpServletRequest request, HttpServletResponse response) {
     HttpSession session = request.getSession();
     User user = (User) session.getAttribute(ATT_USER);
     String appOid = (String)Application.get().getObject(Application.OID);
     if (null != user && !appOid.equals(user.getApplication())) {
       user = null;
     }
     if (user == null) {
       // Part for authenticating users with X509Certificates. If the user has a
       // trusted client certificate he can get access to the server. Since the
       // certificate is trusted

Matthias L. Jugel | 8 Dec 14:36

Re: patch for single sign-on using SSL client certificates

Hi,

this is great. I will patch it in as soon as I find the time to.  
Adding Basic Auth would probably be a good idea too.

Leo.

On 08.12.2005, at 14:17, Tomas Gustavsson wrote:

>
> Hi, we are using SSL with client certificate authentication to all  
> our web-pages. Naturally using this one would like to authenticate  
> the users with the certificate instead of username/password. So I  
> hacked up a small patch to snipsnap that will grab the username  
> from the authenticated certificate and use that. The user still has  
> to be registered as a snipsnap user of course, but he/she is
> automagically logged in when going to snipsnap.
>
> The essence of my patch in DefaultSessionService is below.
>
> Are the snipsnap authors/community interested in such a patch in the
> real snipsnap distribution?
>
> Cheers,
> Tomas
>
>     /**
>    * Get user from session or cookie.
>    */
>   public User getUser(HttpServletRequest request,  

Andrea aime | 11 Dec 23:24

graph-snipsnap.jar sources

As the statement says, are the sources for the graph
module available? I'm interested in them to provide
a pure java class diagram rendering for UMLGraph
(see http://www.spinellis.gr/sw/umlgraph/), but I'm
worried it's a closed source and non-maintained package.

Best regards
Andrea Aime

Matthias L. Jugel | 12 Dec 08:07

Re: graph-snipsnap.jar sources

It is here: http://snipforge.org/svn/snipsnap/snipsnap-graph-macro/

Check out the trunk, if you decide to maintain it I will add you as a  
committer.

Leo.

On 11.12.2005, at 23:24, Andrea aime wrote:

> As the statement says, are the sources for the graph
> module available? I'm interested in them to provide
> a pure java class diagram rendering for UMLGraph
> (see http://www.spinellis.gr/sw/umlgraph/), but I'm
> worried it's a closed source and non-maintained package.
>
> Best regards
> Andrea Aime

--
Matthias L. Jugel -- matthias.jugel <at> first.fraunhofer.de
Telephone +49 30 6392 1822, Fax +49 30 6392 1805
There are two kinds of fool, one says "This is old and therefore
good", and one says "This is new and therefore better".

_______________________________________________
SnipSnap-Users Mailing List
snipsnap-users <at> snipsnap.org | http://snipsnap.org/

Andrea Aime | 13 Dec 09:59

Re: graph-snipsnap.jar sources

Matthias L. Jugel wrote:
> It is here: http://snipforge.org/svn/snipsnap/snipsnap-graph-macro/
> 
> Check out the trunk, if you decide to maintain it I will add you as a  
> committer.

Aaah, thank you. That makes me feel a lot better about performing the
changes needed for UMLGraph (since now the output in the ".dot" format
required by graphviz is hardcoded). About maintainership, does this mean
the package is unmaintained at the moment? I'll think about it, but at
the moment I already have two open source projects under my belt (JBClipse,
UMLGraph), and besides, I'm not too familiar with graph layout techniques
(I've implemented the Sugiyama layout once, but it's trivial...)

Best regards
Andrea Aime

Tomas Gustavsson | 13 Dec 10:43

snipsnap and ssl-certificate single sign-on again

Hi,
Unfortunately I found a small bug in my code that I sent as a patch earlier. It
was a simple null check that was missing.

Here is the relevant code snippet in DefaultSessionService.getUser(). The 
changed part from the complete patch is only the last null check.

Cheers,
Tomas

-----
     if (user == null) {
       // Part for authenticating users with X509Certificates. If the user has a
       // trusted client certificate he can get access to the server. Since the
       // certificate is trusted already, by java/jsse, we don't have to verify
       // it here.
       // If the CA puts the user's uid in the DN we can use that as login.

       // Check if we have a user in the certificate authentication
       X509Certificate[] certs =
           (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
       if (certs != null) {
         X509Certificate clientCert = certs[0];
         if (clientCert != null) {
           // Get the Distinguished Name for the user.
           java.security.Principal userDN = clientCert.getSubjectDN();
           String dn = userDN.toString();
           // Get uid, which is the username we will use
           String uid = getPartFromDN(dn, "UID");
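
Added example (not part of the message above or of the SnipSnap patch): one way to read the UID out of a client certificate's subject with the JDK's own DN parser, so that escaped characters inside another attribute are not mistaken for a UID. The class and method names and the sample subjects are constructed for illustration, and naiveUid is a hypothetical substring lookup shown for comparison; it is not the patch's getPartFromDN, whose body is not shown on this page.

```java
import java.util.Optional;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class CertUidExample {

    /** Returns the subject's single UID value, or empty if absent, repeated or malformed. */
    static Optional<String> uidOf(X500Principal subject) {
        String found = null;
        try {
            // The RFC 2253 form names the UID attribute and escapes special characters.
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            for (Rdn rdn : dn.getRdns()) {
                Attribute uid = rdn.toAttributes().get("UID");
                if (uid == null) continue;
                // More than one UID makes the login name ambiguous: refuse to pick one.
                if (found != null || uid.size() != 1 || !(uid.get() instanceof String)) {
                    return Optional.empty();
                }
                found = (String) uid.get();
            }
        } catch (NamingException | IllegalArgumentException e) {
            return Optional.empty();
        }
        return Optional.ofNullable(found).filter(s -> !s.isEmpty());
    }

    /** Hypothetical substring lookup, for comparison only. */
    static String naiveUid(String dn) {
        int start = dn.indexOf("UID=");
        if (start < 0) {
            return null;
        }
        int end = dn.indexOf(',', start);
        return dn.substring(start + 4, end < 0 ? dn.length() : end);
    }

    public static void main(String[] args) {
        // Constructed subjects; the second has a CN value containing an escaped ",UID=admin".
        String plainDn = "UID=alice,CN=Alice Example,O=Example";
        String trickyDn = "CN=x\\,UID=admin,UID=mallory,O=Example";
        System.out.println(uidOf(new X500Principal(plainDn)));
        System.out.println(uidOf(new X500Principal(trickyDn)));
        System.out.println(naiveUid(trickyDn));
    }
}
```

On the second constructed subject the RDN-based lookup yields mallory, while the substring lookup yields admin, which is the value embedded in the CN.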

Tomas Gustavsson | 13 Dec 16:03

Re: patch for single sign-on using SSL client certificates


Hmm, I got a bounce. Let's try again. This was sent before the last patch fix I
sent today...

-----
Here is the full patch against 1.0b2 attached.

From within /snipsnap-1.0b2-uttoxeter you should be able to apply it with:
patch --strip=0 -u < snipsnap-patch.txt

Snipsnap is great software!

Cheers,
Tomas Gustavsson
http://ejbca.org/

diff -urN ../snipsnap-1.0b2-uttoxeter/src/org/snipsnap/container/DefaultSessionService.java ./src/org/snipsnap/container/DefaultSessionService.java
--- ../snipsnap-1.0b2-uttoxeter/src/org/snipsnap/container/DefaultSessionService.java	Tue
Nov 15 12:43:16 2005
+++ ./src/org/snipsnap/container/DefaultSessionService.java	Thu Dec  8 13:50:11 2005
@@ -34,6 +34,8 @@
 import org.snipsnap.user.AuthenticationService;
 import org.snipsnap.user.Digest;
 import org.snipsnap.user.User;
+import org.snipsnap.user.AuthenticationService;
+import org.snipsnap.util.X509NameTokenizer;

 import javax.servlet.http.Cookie;
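
Review bot: the added import of org.snipsnap.user.AuthenticationService repeats the unchanged import of the same class three lines above it in this hunk, so that + line is redundant and should be dropped, leaving only the new org.snipsnap.util.X509NameTokenizer import. X509NameTokenizer does not appear in the context lines, so the patch also needs to carry that class as a new file; it would help to say in the patch description where the tokenizer comes from and how it handles escaped or quoted values in a DN, since the login name is derived from it.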

Nick Rothwell | 20 Dec 19:52

__X__ __X__ __X__

Shouldn't

	__X__ __X__ __X__

Give me three bold X's?

I seem to get

	X __X__ X

where the outer two X's are bold and the inner one is plain.

I can get round it by escaping the spaces:

	__X__\ __X__\ __X__

but it's not clear why. (Sorry if this has been covered already.)

	-- N.

   nick rothwell -- composition, systems, performance -- http://www.cassiel.com

Nuttal, Craig | 30 Dec 01:18

Q? can most-recent-first comments in a snip?

Hello,
New to wiki and snipsnap seemed to be simplest.

I've got my snips, links, formats, images working ok.
I would like to see most-recent first for the comments.

Can this be done?
Do I need to write my own macro?

Thanks,
~CraigN
