
X509 certificate and the populated subject

Last modified by XWikiGuest on 2010/10/28 20:17

Here are the details of how jGuard extracts information from an X509 certificate and uses it to populate the resulting javax.security.auth.Subject.

Note that jGuard only handles the first certificate provided by the user (in theory, a user can provide multiple certificates at the same time).

unique ID

If the field 'subjectUniqueID' is present in the certificate, jGuard creates a credential called uniqueID in the Java Subject. This field is OPTIONAL in the certificate.

jGuard uses the java.security.cert.X509Certificate method 'getSubjectUniqueID' to read this information.

alternative names

If a 'SubjectAltName' extension is present in the certificate, jGuard reads the subject alternative names with the method getSubjectAlternativeNames, and creates for each alternative name a credential named alternativeName#aSequenceNumber.

The 'SubjectAltName' extension is OPTIONAL in the certificate.

X500 principal

jGuard builds a principal object from the 'subject' field of the certificate with the method getSubjectX500Principal, and puts it into the principals set of the Subject.

This field in the certificate is REQUIRED.

When you use the JdbcLoginModule (or XmlLoginModule) in conjunction with a certificate-related LoginModule, jGuard checks this value against the value of the credential called 'login'.

what about certificate information and other LoginModules?

You can use other LoginModules like XMLLoginModule and JdbcLoginModule in collaboration with CRLLoginModule or OCSPLoginModule.

In other authentication schemes, i.e. FORM, BASIC or DIGEST, the user actively sends its login and password information. This information is used by XMLLoginModule or JdbcLoginModule to check whether the user exists and whether its password is valid.

After this step, the LoginModule populates the Subject with some information from the datasource (XML or database). With CLIENT-CERT authentication, the mechanism works the same way.

The only difference is that the user automatically sends its login and other information with its certificate. No password is required, because cryptographic mechanisms check the validity of the certificate instead.

So, when the user transmits its certificate, jGuard populates the Subject with an X500Principal object.

jGuard uses the String returned by the getName method of the X500Principal stored in the Subject as the login information.
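The steps above (uniqueID and alternativeName#N credentials, the X500Principal in the principals set, and the login comparison against the DN string) as an added example written against the standard JDK API; this is not jGuard's own code. The Credential class is a constructed stand-in, since this page does not show jGuard's credential type, and the certificate is loaded from a PEM file path given on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class CertSubjectPopulator {

    // Constructed stand-in for jGuard's credential type (name/value pair).
    record Credential(String name, Object value) {}

    static Subject populate(X509Certificate cert) throws Exception {
        Subject subject = new Subject();

        // 'subject' field is REQUIRED: it becomes an X500Principal in the principals set.
        subject.getPrincipals().add(cert.getSubjectX500Principal());

        // 'subjectUniqueID' is OPTIONAL: getSubjectUniqueID() returns null when absent.
        boolean[] uid = cert.getSubjectUniqueID();
        if (uid != null) {
            subject.getPublicCredentials().add(new Credential("uniqueID", uid));
        }

        // 'SubjectAltName' extension is OPTIONAL: getSubjectAlternativeNames() returns null when absent.
        Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
        if (altNames != null) {
            int seq = 0;
            for (List<?> entry : altNames) {
                // entry.get(0) is the GeneralName type tag, entry.get(1) the name value
                subject.getPublicCredentials().add(new Credential("alternativeName#" + seq++, entry.get(1)));
            }
        }
        return subject;
    }

    // Login check: X500Principal.getName() with no arguments yields the RFC 2253 form of the DN,
    // which is compared with the 'login' credential coming from the XML/JDBC datasource.
    static boolean loginMatches(Subject subject, String loginCredential) {
        for (X500Principal p : subject.getPrincipals(X500Principal.class)) {
            if (p.getName().equals(loginCredential)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            Subject s = populate(cert);
            System.out.println("principals=" + s.getPrincipals() + " credentials=" + s.getPublicCredentials());
        }
    }
}
```

Because the comparison is a plain string equality on the RFC 2253 DN, the 'login' value stored in the datasource must use exactly that canonical form (attribute order and escaping included) or the check fails.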

what precise information is required in the X509 certificate?

To summarize, the only information required in the certificate is the 'subject' field.

The value of the 'subject' field should be a 'distinguished name' (DN) compliant with RFC 2253. For more information on certificate structure (which fields can be inserted), see RFC 2459.

Created by diabolo512 on 2006/09/25 22:51

jGuard team copyright 2004-2009