CRLLoginModule
description
This loginModule permits authentication for your web application based on X509 certificates: it validates their certification path (certPath) and checks whether any certificate in that path has been revoked against a CRL (Certificate Revocation List), the list of certificates that the Certificate Authority (CA) has revoked before their scheduled expiration date. Note that this revocation check is not a real-time mechanism: its accuracy depends on how often the Certificate Authority generates a new CRL, so a certificate revoked after the CRL in use was issued is still accepted until a fresher CRL is obtained.
General parameters
The certPath* parameters map onto setters of the java.security.cert.PKIXParameters class; their descriptions are taken from the JDK javadoc.
| name | mandatory | values | description |
|---|---|---|---|
| debug | no | | |
| certPathAnyPolicyInhibited | no | true or false. Default is false | If true, the anyPolicy OID is not processed when it appears in a certificate (PKIXParameters.setAnyPolicyInhibited). |
| certPathExplicitPolicyRequired | no | true or false. Default is false | If true, an acceptable policy must be explicitly identified in every certificate (PKIXParameters.setExplicitPolicyRequired). |
| certPathPolicyMappingInhibited | no | true or false. Default is false | If true, policy mapping is inhibited (PKIXParameters.setPolicyMappingInhibited). |
| certPathPolicyQualifiersRejected | no | true or false. Default is true | If true, certificates that include policy qualifiers in a certificate policies extension marked critical are rejected. If false, certificates are not rejected on this basis. Applications that want to use a more sophisticated policy must set this flag to false. Note that the PKIX certification path validation algorithm specifies that any policy qualifier in a certificate policies extension marked critical must be processed and validated, otherwise the certification path must be rejected. If this flag is set to false, it is up to the application to validate all policy qualifiers in this manner in order to be PKIX compliant. |
| certPathRevocationEnabled | no | true or false. Default is true | If true, the default revocation checking mechanism of the underlying PKIX service provider is used. If false, the default revocation checking mechanism is disabled (not used). When a PKIXParameters object is created this flag is set to true, which reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Set this flag to false only when it is not practical to use the PKIX provider's default revocation checking or when an alternative revocation checking mechanism is substituted; disabling it without a substitute means revoked certificates are accepted. |
| certPathSigProvider | no | a JCA provider name | Sets the signature provider's name. The specified provider is preferred when creating Signature objects. If null or not set, the first provider found supporting the algorithm is used. |
| certPathCrlPath | no | a system-dependent file name | If set, the CRL is read from this file and added to the collection of CRLs used for revocation checking. |
| certPathUrlCrlPath | no | an HTTP URL | If set, the CRL is fetched from this HTTP URL and added to the collection of CRLs used for revocation checking. |
| trustedCaCertsDirPath | no | a directory path name | This directory must contain the trusted CA certificates from which the trust anchors are built. |
| securityProvider | no | default is org.bouncycastle.jce.provider.BouncyCastleProvider | Class name of the JCA security provider to use. |
| certPathCertStoreType | no | LDAP or Collection | Defines the source from which the CertStore retrieves certificates and CRLs. |
| certPathLdapServerName | no | default is localhost | Host name of the LDAP server from which the CertStore retrieves certificates and CRLs (used when certPathCertStoreType is LDAP). |
| certPathLdapServerPort | no | default is 389 | Port of the LDAP server from which the CertStore retrieves certificates and CRLs (used when certPathCertStoreType is LDAP). |
| javax.net.ssl.trustStore | no | file path of the trustStore | |
| javax.net.ssl.trustStorePassword | no | password protecting the trustStore data in that file | |
| keyStorePath | no | file path of the keyStore | |
| keyStorePassword | no | password protecting the keyStore data in that file | |
| keyStoreType | no | one of the types returned by java.security.Security.getAlgorithms("KeyStore") (JKS, JCEKS, PKCS12, PKCS11 (Java crypto device), CMSKS, JCERACFKS, ...) | |
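To make the table concrete, here is an added stand-alone Java example (written for this page, not the module's own source) that performs the checks these parameters configure with the JDK PKIX API: trust anchors from a trustedCaCertsDirPath directory, a CRL from a certPathCrlPath file or a certPathUrlCrlPath URL, a Collection CertStore (the LDAP variant is shown in a comment), the certPath* flags at their listed defaults, and a freshness check on the CRL's nextUpdate that the description's caveat calls for. The directory, CRL location and client certificate file are hypothetical inputs.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.*;
import java.util.*;

public class CrlPathCheck {

    /** Every certificate in the directory (trustedCaCertsDirPath) becomes a trust anchor. */
    static Set<TrustAnchor> loadTrustAnchors(CertificateFactory cf, Path dir) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(dir)) {
            for (Path p : ds) {
                try (InputStream in = Files.newInputStream(p)) {
                    anchors.add(new TrustAnchor((X509Certificate) cf.generateCertificate(in), null));
                }
            }
        }
        return anchors;
    }

    /** Read CRLs from a file (certPathCrlPath) or an HTTP URL (certPathUrlCrlPath). */
    static Collection<? extends CRL> loadCrls(CertificateFactory cf, String source) throws Exception {
        try (InputStream in = source.startsWith("http") ? new URL(source).openStream()
                                                        : Files.newInputStream(Paths.get(source))) {
            return cf.generateCRLs(in);
        }
    }

    /** A CRL past its nextUpdate may omit recent revocations; refuse to authenticate against it. */
    static void requireFresh(Collection<? extends CRL> crls, Date now) {
        for (CRL crl : crls) {
            X509CRL x = (X509CRL) crl;
            Date next = x.getNextUpdate();
            if (next != null && next.before(now)) {
                throw new IllegalStateException("stale CRL from " + x.getIssuerX500Principal()
                        + ", nextUpdate was " + next);
            }
        }
    }

    /** PKIX path validation with the certPath* flags at the defaults given in the table. */
    static PKIXCertPathValidatorResult validate(List<X509Certificate> chain, Set<TrustAnchor> anchors,
                                                CertStore store) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertStore(store);                // where CRLs (and intermediates) are looked up
        params.setRevocationEnabled(true);         // certPathRevocationEnabled
        params.setAnyPolicyInhibited(false);       // certPathAnyPolicyInhibited
        params.setExplicitPolicyRequired(false);   // certPathExplicitPolicyRequired
        params.setPolicyMappingInhibited(false);   // certPathPolicyMappingInhibited
        params.setPolicyQualifiersRejected(true);  // certPathPolicyQualifiersRejected
        // params.setSigProvider("BC");            // certPathSigProvider, if a specific JCA provider is wanted
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical locations mirroring the module's parameters.
        Path trustedCaCertsDirPath = Paths.get("/etc/pki/trusted-cas");
        String certPathCrlPath = "/var/lib/crl/ca.crl";
        Path clientCertFile = Paths.get("client.pem");   // certificate presented at login

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Set<TrustAnchor> anchors = loadTrustAnchors(cf, trustedCaCertsDirPath);
        Collection<? extends CRL> crls = loadCrls(cf, certPathCrlPath);
        requireFresh(crls, new Date());

        // certPathCertStoreType = Collection: the validator finds CRLs in this in-memory collection.
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
        // certPathCertStoreType = LDAP would instead use the server name and port parameters:
        // CertStore store = CertStore.getInstance("LDAP", new LDAPCertStoreParameters("localhost", 389));

        List<X509Certificate> chain;
        try (InputStream in = Files.newInputStream(clientCertFile)) {
            chain = Collections.singletonList((X509Certificate) cf.generateCertificate(in));
        }
        try {
            PKIXCertPathValidatorResult r = validate(chain, anchors, store);
            System.out.println("accepted, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Reason REVOKED: the certificate is listed in the CRL. Reason UNDETERMINED_REVOCATION_STATUS:
            // revocation checking is on but no usable CRL for the issuer was found; the JDK treats that
            // as a failure, not as a pass.
            System.out.println("rejected (" + e.getReason() + "): " + e.getMessage());
        }
    }
}
```

Two points worth keeping in mind when mapping this back to the module's parameters: with certPathRevocationEnabled left at its default of true, a CRL for the issuer must actually be reachable through the configured CertStore or validation fails for every user, and the staleness check above is the only thing that turns the description's "accuracy depends on CRL generation frequency" caveat into an enforced policy rather than a silent gap.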
Version 1.21 last modified by Charles Gay on 14/01/2007 at 22:16