CRLLoginModule

Last modified by RaffaelloPelagalli on 2007/01/14 22:16

Description

This LoginModule authenticates users of your web application with X.509 certificates: it validates the certificate path (certPath) and checks whether any certificate in that path has been revoked, using a CRL (Certificate Revocation List), the list of certificates the Certificate Authority (CA) has revoked before their scheduled expiration date. Note that this validation mechanism is not real-time:

its accuracy depends on how frequently the Certificate Authority generates a new CRL.

General parameters

These parameters map onto the PKIXParameters Java class; the parameter descriptions are taken from the JDK's javadoc.

| name | mandatory | values | description |
| --- | --- | --- | --- |
| debug | no | | |
| certPathAnyPolicyInhibited | no | true or false, default is false | Sets state to determine if the any policy OID should be processed if it is included in a certificate. |
| certPathExplicitPolicyRequired | no | true or false, default is false | If this flag is true, an acceptable policy needs to be explicitly identified in every certificate. |
| certPathPolicyMappingInhibited | no | true or false, default is false | If this flag is true, policy mapping is inhibited. |
| certPathPolicyQualifiersRejected | no | true or false, default is true | If this flag is true, certificates that include policy qualifiers in a certificate policies extension that is marked critical are rejected. If the flag is false, certificates are not rejected on this basis. Applications that want to use a more sophisticated policy must set this flag to false. Note that the PKIX certification path validation algorithm specifies that any policy qualifier in a certificate policies extension that is marked critical must be processed and validated; otherwise the certification path must be rejected. If the policyQualifiersRejected flag is set to false, it is up to the application to validate all policy qualifiers in this manner in order to be PKIX compliant. |
| certPathRevocationEnabled | no | true or false, default is true | If this flag is true, the default revocation checking mechanism of the underlying PKIX service provider will be used. If this flag is false, the default revocation checking mechanism will be disabled (not used). When a PKIXParameters object is created, this flag is set to true. This setting reflects the most common strategy for checking revocation, since each service provider must support revocation checking to be PKIX compliant. Sophisticated applications should set this flag to false when it is not practical to use a PKIX service provider's default revocation checking mechanism or when an alternative revocation checking mechanism is to be substituted. |
| certPathSigProvider | no | | Sets the signature provider's name. The specified provider will be preferred when creating Signature objects. If null or not set, the first provider found supporting the algorithm will be used. |
| certPathCrlPath | no | a system-dependent file name | If this value is defined, the CRL is read from that file and added to the CRLs collection. |
| certPathUrlCrlPath | no | an HTTP-based URL | If this value is defined, the CRL is fetched from that HTTP URL and added to the CRLs collection. |
| trustedCaCertsDirPath | no | a directory path name | This directory must contain the trusted certificates used to build the Trust Anchors. |
| securityProvider | no | default value is org.bouncycastle.jce.provider.BouncyCastleProvider | Class name of the security provider to use. |
| certPathCertStoreType | no | LDAP or Collection | Defines from which source the certstore will retrieve certificates and CRLs. |
| certPathLdapServerName | no | default value is localhost | Server name used to retrieve certificates and CRLs for the certstore. |
| certPathLdapServerPort | no | default value is 389 | Server port used to retrieve certificates and CRLs for the certstore. |
| javax.net.ssl.trustStore | no | | File path of the trustStore. |
| javax.net.ssl.trustStorePassword | no | | Password protecting access to the trustStore data present in the file. |
| keyStorePath | no | | File path of the keyStore. |
| keyStorePassword | no | | Password protecting access to the keyStore data present in the file. |
| keyStoreType | no | | Valid types are those returned by java.security.Security.getAlgorithms("KeyStore") (JKS, JCEKS, PKCS12, PKCS11 (Java crypto device), CMSKS, JCERACFKS, ...). |
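As an added illustration that is not jGuard's own code, the following Java snippet performs the PKIX validation that the certPath* parameters above configure, written directly against the JDK API; the trust-anchor directory, the CRL file and the certificate chain are assumed inputs supplied by the caller.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.cert.*;
import java.util.*;

// Added example, not jGuard code: the PKIX validation the certPath* parameters
// configure, done directly with the JDK CertPathValidator.
public class CrlPathCheck {
    // trustedCaCertsDirPath: every certificate file in the directory becomes a TrustAnchor.
    static Set<TrustAnchor> loadTrustAnchors(Path caDir) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Set<TrustAnchor> anchors = new HashSet<>();
        try (DirectoryStream<Path> files = Files.newDirectoryStream(caDir, "*.{pem,cer,crt}")) {
            for (Path f : files) {
                try (InputStream in = Files.newInputStream(f)) {
                    anchors.add(new TrustAnchor((X509Certificate) cf.generateCertificate(in), null));
                }
            }
        }
        return anchors; // PKIXParameters rejects an empty set, so an empty directory fails closed
    }

    // certPathCrlPath with certPathCertStoreType=Collection: the CRL file becomes the CertStore
    // the validator consults for revocation status.
    static CertStore crlStore(Path crlFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(crlFile)) {
            X509CRL crl = (X509CRL) cf.generateCRL(in);
            return CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Collections.singletonList(crl)));
        }
    }

    // chain is ordered leaf first and must not include the trust anchor itself.
    // Returns true only if the path builds to a trust anchor and no certificate in it is revoked.
    static boolean validate(List<X509Certificate> chain, Path caDir, Path crlFile) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(loadTrustAnchors(caDir));
        params.setRevocationEnabled(true);         // certPathRevocationEnabled
        params.setPolicyQualifiersRejected(true);  // certPathPolicyQualifiersRejected
        params.setAnyPolicyInhibited(false);       // certPathAnyPolicyInhibited
        params.addCertStore(crlStore(crlFile));    // certPathCrlPath
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // REVOKED for a CRL hit; UNDETERMINED_REVOCATION_STATUS when the store has no CRL
            // for some issuer in the chain (the JDK fails closed instead of skipping the check)
            System.err.println("rejected: " + e.getReason() + " - " + e.getMessage());
            return false;
        }
    }
}
```

Because the validator fails closed, a CRL that is missing or that does not cover every issuer in the chain rejects the login just as a revoked certificate does, so the CRL file referenced by certPathCrlPath has to be refreshed at least as often as the CA publishes it.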
Created by diabolo512 on 2006/02/09 14:40

jGuard team copyright 2004-2009
3.1.1