public class ClientCertAuthRule extends BaseTrustEngineRule<X509Credential>

This rule is only evaluated if the message context contains a peer X509Credential as returned from the inbound message context's inbound message transport Transport.getPeerCredential().

The entity ID used to perform trust evaluation of the X509 credential is first retrieved via getCertificatePresenterEntityID(MessageContext). If this value is non-null, trust evaluation proceeds on that basis. If trust evaluation using this entity ID is successful, the message context's inbound transport authentication state will be set to true and processing is terminated. If unsuccessful, a SecurityPolicyException is thrown.

If no value was available from getCertificatePresenterEntityID(MessageContext), then rule evaluation will be attempted as described in evaluateCertificateNameDerivedPresenters(X509Credential, MessageContext), based on the currently configured certificate name evaluation options. If this method returns a non-null certificate presenter entity ID, it will be set on the message context by calling setAuthenticatedCertificatePresenterEntityID(MessageContext, String), and the message context's inbound transport authentication state will be set to true via Transport.setAuthenticated(boolean). Rule processing is then terminated. If the method returns null, the client certificate presenter entity ID and inbound transport authentication state will remain unmodified and rule processing continues.

Finally, rule evaluation will proceed as described in evaluateDerivedPresenters(X509Credential, MessageContext). This is primarily an extension point by which subclasses may implement specific custom logic. If this method returns a non-null client certificate presenter entity ID, it will be set via setAuthenticatedCertificatePresenterEntityID(MessageContext, String), the message context's inbound transport authentication state will be set to true, and rule processing is terminated. If the method returns null, the client certificate presenter entity ID and transport authentication state will remain unmodified.
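An added example, not code from this page or from OpenSAML itself, showing how a deployment would construct this rule and consume its result. It assumes the OpenSAML 2.x classes ExplicitKeyTrustEngine, StaticCredentialResolver, BasicX509Credential and X509Util alongside CertificateNameOptions; the helper class ClientCertAuthRuleExample and its two methods are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.LinkedHashSet;
import java.util.Set;

import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.provider.CertificateNameOptions;
import org.opensaml.ws.security.provider.ClientCertAuthRule;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.trust.ExplicitKeyTrustEngine;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X509Util;

/** Hypothetical helper (not part of OpenSAML): wires up a ClientCertAuthRule for one trusted client. */
public final class ClientCertAuthRuleExample {
    /** Builds the rule. Each candidate entity ID becomes trust engine criteria via buildCriteriaSet, and
     *  ExplicitKeyTrustEngine accepts the presented certificate only if its key matches a credential
     *  registered under that entity ID, so a certificate is never trusted on its name alone. */
    public static ClientCertAuthRule buildRule(String trustedEntityId, X509Certificate trustedCert) {
        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityId(trustedEntityId);
        trusted.setEntityCertificate(trustedCert);
        ExplicitKeyTrustEngine engine = new ExplicitKeyTrustEngine(new StaticCredentialResolver(trusted));

        // Name-derived candidates are tried in the documented order: subject DN, then each configured
        // SAN type in insertion order (URI before DNS here, hence the LinkedHashSet), then the first CN.
        CertificateNameOptions options = new CertificateNameOptions();
        options.setEvaluateSubjectDN(true);
        Set<Integer> altNames = new LinkedHashSet<Integer>();
        altNames.add(X509Util.URI_ALT_NAME);
        altNames.add(X509Util.DNS_ALT_NAME);
        options.setSubjectAltNames(altNames);
        options.setEvaluateSubjectCommonName(true);
        return new ClientCertAuthRule(engine, options);
    }

    /** Runs the rule; returns the authenticated presenter entity ID, or null when the rule completed
     *  without authenticating the transport (no TLS client certificate, or no candidate name accepted).
     *  A SecurityPolicyException means an entity ID was already in the context (e.g. from an earlier
     *  issuer rule) and the certificate did not verify for it: treat that as a hard failure. */
    public static String authenticatedPresenter(ClientCertAuthRule rule, MessageContext ctx)
            throws SecurityPolicyException {
        rule.evaluate(ctx);
        if (ctx.getInboundMessageTransport() != null && ctx.getInboundMessageTransport().isAuthenticated()) {
            return ctx.getInboundMessageIssuer();
        }
        return null;
    }
}
```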
Constructor and Description |
---|
ClientCertAuthRule(TrustEngine<X509Credential> engine, CertificateNameOptions nameOptions): Constructor. |

Modifier and Type | Method and Description |
---|---|
protected CriteriaSet | buildCriteriaSet(String entityID, MessageContext messageContext): Subclasses are required to implement this method to build a criteria set for the trust engine according to trust engine and application-specific needs. |
protected void | doEvaluate(X509Credential requestCredential, MessageContext messageContext): Evaluate the request credential. |
void | evaluate(MessageContext messageContext): Evaluates the message context against the rule. |
protected String | evaluateCertificateNameDerivedIssuers(X509Credential requestCredential, MessageContext messageContext): Deprecated. |
protected String | evaluateCertificateNameDerivedPresenters(X509Credential requestCredential, MessageContext messageContext): Evaluate candidate presenter entity ID's which may be derived from the request credential's entity certificate according to the options supplied via CertificateNameOptions. |
protected String | evaluateDerivedIssuers(X509Credential requestCredential, MessageContext messageContext): Deprecated. |
protected String | evaluateDerivedPresenters(X509Credential requestCredential, MessageContext messageContext): Evaluate any candidate presenter entity ID's which may be derived from the credential or other message context information. |
protected String | evaluateSubjectAltNames(X509Credential requestCredential, MessageContext messageContext): Evaluate the presenter entity ID as derived from the cert subject alternative names specified by types enumerated in CertificateNameOptions.getSubjectAltNames(). |
protected String | evaluateSubjectCommonName(X509Credential requestCredential, MessageContext messageContext): Evaluate the presenter entity ID as derived from the cert subject common name (CN). |
protected String | evaluateSubjectDN(X509Credential requestCredential, MessageContext messageContext): Evaluate the presenter entity ID as derived from the cert subject DN. |
protected List<String> | getAltNames(X509Certificate cert, Integer altNameType): Get the list of subject alt name values from the certificate which are of the specified alt name type. |
protected CertificateNameOptions | getCertificateNameOptions(): Get the currently configured certificate name options. |
protected String | getCertificatePresenterEntityID(MessageContext messageContext): Get the entity ID of the presenter of the client TLS certificate, as will be used for trust evaluation purposes. |
protected String | getCommonName(X509Certificate cert): Get the first common name (CN) value from the subject DN of the specified certificate. |
protected String | getSubjectName(X509Certificate cert): Get subject name from a certificate, using the currently configured X500DNHandler and subject DN output format. |
protected void | setAuthenticatedCertificatePresenterEntityID(MessageContext messageContext, String entityID): Store the successfully authenticated derived entity ID of the certificate presenter in the message context. |
Methods inherited from class BaseTrustEngineRule<X509Credential>: evaluate, evaluate, getTrustEngine
public ClientCertAuthRule(TrustEngine<X509Credential> engine, CertificateNameOptions nameOptions)

Constructor.

Parameters:
engine - Trust engine used to verify the request X509Credential
nameOptions - options for deriving certificate presenter entity ID's from an X.509 certificate

public void evaluate(MessageContext messageContext) throws SecurityPolicyException

Evaluates the message context against the rule.

Parameters:
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if the message context does not meet the requirements of the rule, or if there is a non-recoverable error during evaluation

protected CertificateNameOptions getCertificateNameOptions()

Get the currently configured certificate name options.

protected void doEvaluate(X509Credential requestCredential, MessageContext messageContext) throws SecurityPolicyException

Evaluate the request credential.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if a certificate presenter entity ID is available from the message context and the client certificate token can not be established as trusted on that basis, or if there is an error during evaluation processing

protected String getCertificatePresenterEntityID(MessageContext messageContext)

Get the entity ID of the presenter of the client TLS certificate, as will be used for trust evaluation purposes.

The default behavior is to return the value of MessageContext.getInboundMessageIssuer(). Subclasses may override to implement different logic.

Parameters:
messageContext - the current message context

protected void setAuthenticatedCertificatePresenterEntityID(MessageContext messageContext, String entityID)

Store the successfully authenticated derived entity ID of the certificate presenter in the message context.

The default behavior is to set the value by calling MessageContext.setInboundMessageIssuer(String). Subclasses may override to implement different logic.

Parameters:
messageContext - the current message context
entityID - the successfully authenticated derived entity ID of the client TLS certificate presenter

protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) throws SecurityPolicyException

Subclasses are required to implement this method to build a criteria set for the trust engine according to trust engine and application-specific needs.

Specified by:
buildCriteriaSet in class BaseTrustEngineRule<X509Credential>
Parameters:
entityID - the candidate issuer entity ID which is being evaluated
messageContext - the message context which is being evaluated
Throws:
SecurityPolicyException - thrown if criteria set can not be constructed

protected String evaluateDerivedIssuers(X509Credential requestCredential, MessageContext messageContext) throws SecurityPolicyException

Deprecated. Use evaluateDerivedPresenters(X509Credential, MessageContext) instead.

This serves primarily as an extension point for subclasses to implement application-specific logic. If multiple derived candidate entity ID's would satisfy the trust engine criteria, the choice of which one to return as the canonical presenter entity ID value is implementation-specific.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if there is an error during processing

protected String evaluateDerivedPresenters(X509Credential requestCredential, MessageContext messageContext) throws SecurityPolicyException

Evaluate any candidate presenter entity ID's which may be derived from the credential or other message context information.

This serves primarily as an extension point for subclasses to implement application-specific logic. If multiple derived candidate entity ID's would satisfy the trust engine criteria, the choice of which one to return as the canonical presenter entity ID value is implementation-specific.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if there is an error during processing

protected String evaluateCertificateNameDerivedIssuers(X509Credential requestCredential, MessageContext messageContext) throws SecurityPolicyException

Deprecated. Use evaluateCertificateNameDerivedPresenters(X509Credential, MessageContext) instead.

Evaluate candidate presenter entity ID's which may be derived from the request credential's entity certificate according to the options supplied via CertificateNameOptions.

Configured certificate name types are derived as candidate presenter entity ID's and processed in the following order:
1. The certificate subject DN string as serialized by the X500DNHandler obtained via CertificateNameOptions.getX500DNHandler() and using the output format indicated by CertificateNameOptions.getX500SubjectDNFormat().
2. Subject alternative names of the types configured via CertificateNameOptions.getSubjectAltNames(). Note that this is a LinkedHashSet, so the order of evaluation is the order of insertion.
3. The first common name (CN) value appearing in the certificate subject DN.

The first one of the above which is successfully evaluated by the trust engine using criteria built from BaseTrustEngineRule.buildCriteriaSet(String, MessageContext) will be returned.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if there is an error during processing

protected String evaluateCertificateNameDerivedPresenters(X509Credential requestCredential, MessageContext messageContext) throws SecurityPolicyException

Evaluate candidate presenter entity ID's which may be derived from the request credential's entity certificate according to the options supplied via CertificateNameOptions.

Configured certificate name types are derived as candidate presenter entity ID's and processed in the following order:
1. The certificate subject DN string as serialized by the X500DNHandler obtained via CertificateNameOptions.getX500DNHandler() and using the output format indicated by CertificateNameOptions.getX500SubjectDNFormat().
2. Subject alternative names of the types configured via CertificateNameOptions.getSubjectAltNames(). Note that this is a LinkedHashSet, so the order of evaluation is the order of insertion.
3. The first common name (CN) value appearing in the certificate subject DN.

The first one of the above which is successfully evaluated by the trust engine using criteria built from BaseTrustEngineRule.buildCriteriaSet(String, MessageContext) will be returned.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if there is an error during processing

protected String evaluateSubjectCommonName(X509Credential requestCredential, MessageContext messageContext) throws SecurityPolicyException

Evaluate the presenter entity ID as derived from the cert subject common name (CN).

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if there is an error during processing

protected String evaluateSubjectDN(X509Credential requestCredential, MessageContext messageContext) throws SecurityPolicyException

Evaluate the presenter entity ID as derived from the cert subject DN.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if there is an error during processing

protected String evaluateSubjectAltNames(X509Credential requestCredential, MessageContext messageContext) throws SecurityPolicyException

Evaluate the presenter entity ID as derived from the cert subject alternative names specified by types enumerated in CertificateNameOptions.getSubjectAltNames().

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if there is an error during processing

protected String getCommonName(X509Certificate cert)

Get the first common name (CN) value from the subject DN of the specified certificate.

Parameters:
cert - the certificate being processed

protected String getSubjectName(X509Certificate cert)

Get subject name from a certificate, using the currently configured X500DNHandler and subject DN output format.

Parameters:
cert - the certificate being processed

protected List<String> getAltNames(X509Certificate cert, Integer altNameType)

Get the list of subject alt name values from the certificate which are of the specified alt name type.

Parameters:
cert - the certificate from which to extract alt names
altNameType - the type of alt name to extract

Copyright © 2018 JBoss by Red Hat. All rights reserved.