本程式碼範例說明預設 com.hyperion.css.sso.agent.X509CertificateSecurityAgentImpl
的實作。一般來說，您必須自訂這個實作的 parseCertificate(String sCertificate)
方法,才能從非 DN 的憑證屬性取得使用者名稱。
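package com.hyperion.css.sso.agent;

import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.hyperion.css.CSSSecurityAgentIF;
import com.hyperion.css.common.configuration.*;

/**
 * Default {@link CSSSecurityAgentIF} implementation that authenticates a user
 * from the X.509 certificate the Web Server forwards in the HYPLOGIN header.
 * The certificate is parsed, its subject DN is read and the value of the
 * {@value #IDENTITY_ATTR} RDN is used as the login name.
 *
 * <p>NOTE(review): the certificate is not validated here (chain, validity
 * period, revocation); this agent trusts that the Web Server already did so
 * and that only the Web Server can set the header. The deployment must make
 * sure a client cannot supply that header directly, otherwise any self-made
 * certificate would be accepted as an identity.
 *
 * <p>Thread-safety: {@code g_userDN}, {@code g_userName} and
 * {@code hostAdrress} are instance fields rewritten on every call and are kept
 * only for compatibility with code that reads them. If one instance serves
 * concurrent requests they may hold another request's values;
 * {@link #getUserName} returns the value computed for its own request.
 */
public class X509CertificateSecurityAgentImpl implements CSSSecurityAgentIF {

    /** Attribute type of the subject-DN RDN whose value is used as the login name. */
    static final String IDENTITY_ATTR = "CN";

    private static final String PEM_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_END = "-----END CERTIFICATE-----";

    /** Subject DN (RFC 2253 string form) of the last parsed certificate. */
    String g_userDN = null;
    /** Login name extracted from the last parsed certificate. */
    String g_userName = null;
    /** Server name of the last request (field name kept as-is for compatibility). */
    String hostAdrress = null;

    /**
     * Returns the login name of the authenticated user, for example
     * {@code demouser}. See the CSS API documentation for more information.
     *
     * @param req request carrying the certificate header set by the Web Server
     * @param res unused
     * @return value of the {@value #IDENTITY_ATTR} RDN of the certificate subject
     * @throws CertificateException if the header is missing, the certificate
     *     cannot be parsed, or its subject has no {@value #IDENTITY_ATTR} RDN
     * @throws Exception as declared by {@link CSSSecurityAgentIF}
     */
    public String getUserName(HttpServletRequest req, HttpServletResponse res)
            throws Exception {
        hostAdrress = req.getServerName();

        String certStr = getCertificate(req);
        // A missing header used to surface as a NullPointerException deep in parsing.
        if (certStr == null || certStr.trim().isEmpty()) {
            throw new CertificateException("Certificate header "
                    + CSSConfigurationDefaults.HTTP_HEADER_HYPLOGIN + " not found");
        }

        // Use the value returned for this request rather than the shared field.
        String userName = parseCertificate(prepareCertificate(certStr));
        if (userName == null || userName.isEmpty()) {
            throw new CertificateException("User name not found");
        }
        return userName;
    }

    /**
     * Returns {@code null}: this is a trusted security-agent authentication, so no
     * password is exchanged. See the Security API documentation on
     * {@link CSSSecurityAgentIF} for more information.
     *
     * @param req unused
     * @param res unused
     * @return always {@code null}
     * @throws Exception as declared by {@link CSSSecurityAgentIF}
     */
    public String getPassword(HttpServletRequest req, HttpServletResponse res)
            throws Exception {
        return null;
    }

    /**
     * Reads the certificate the Web Server sends in the HYPLOGIN header. If the
     * Web Server is configured to use a different header name, change it here.
     * The value is returned as received; it is trusted to originate from the
     * Web Server and is not checked at this point.
     *
     * @param request the current request
     * @return the raw header value, or {@code null} if the header is absent
     */
    private String getCertificate(HttpServletRequest request) {
        return request.getHeader(CSSConfigurationDefaults.HTTP_HEADER_HYPLOGIN);
    }

    /**
     * Normalises the header value into PEM that {@link CertificateFactory}
     * accepts: the PEM markers are stripped, every space in the remaining text
     * is replaced by {@code "\n"}, and the markers are put back.
     *
     * @param gString certificate text as received in the header
     * @return PEM text with newline-separated Base64 lines
     */
    private String prepareCertificate(String gString) {
        String body = gString.replace(PEM_BEGIN, "").replace(PEM_END, "");
        return PEM_BEGIN + body.replace(" ", "\n") + PEM_END;
    }

    /**
     * Parses a PEM certificate and derives the login name from its subject DN.
     * <ol>
     *   <li>build an {@link X509Certificate} with the X.509 {@link CertificateFactory}</li>
     *   <li>take the subject as an {@link X500Principal} (RFC 2253 string form)</li>
     *   <li>store the DN in {@code g_userDN}</li>
     *   <li>find the {@value #IDENTITY_ATTR} RDN and store its value in {@code g_userName}</li>
     * </ol>
     * Adapt this method to derive the user name from a different certificate
     * attribute.
     *
     * @param sCertificate PEM-encoded certificate
     * @return the login name, or {@code null} if the subject has no
     *     {@value #IDENTITY_ATTR} RDN
     * @throws CertificateException if the certificate cannot be parsed or its
     *     subject DN is malformed
     */
    private String parseCertificate(String sCertificate) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        X509Certificate clientCert = (X509Certificate) factory.generateCertificate(
                new ByteArrayInputStream(sCertificate.getBytes(StandardCharsets.UTF_8)));
        if (clientCert == null) {
            throw new CertificateException("No certificate could be read from the header");
        }

        // getSubjectX500Principal() replaces the deprecated getSubjectDN();
        // getName() yields the RFC 2253 form, which LdapName can parse.
        X500Principal subject = clientCert.getSubjectX500Principal();
        String dnStr = subject.getName();
        g_userDN = dnStr;
        g_userName = extractIdentity(dnStr);
        return g_userName;
    }

    /**
     * Returns the value of the leftmost {@value #IDENTITY_ATTR} RDN of an RFC
     * 2253 DN, or {@code null} if there is none. Parsing with {@link LdapName}
     * copes with a DN that does not start with {@code CN=}, a DN made of a
     * single RDN, and escaped separators inside a value, none of which a
     * fixed-offset substring handles.
     *
     * @param dnStr subject DN in RFC 2253 string form
     * @return the RDN value, or {@code null}
     * @throws CertificateException if the DN cannot be parsed
     */
    private static String extractIdentity(String dnStr) throws CertificateException {
        LdapName dn;
        try {
            dn = new LdapName(dnStr);
        } catch (InvalidNameException e) {
            throw new CertificateException("Malformed subject DN: " + dnStr, e);
        }
        // LdapName indexes RDNs right-to-left; walk from the end so the
        // leftmost (most specific) match is found first.
        for (int i = dn.size() - 1; i >= 0; i--) {
            Rdn rdn = dn.getRdn(i);
            // Rdn.getType()/getValue() report only the first pair of a
            // multi-valued RDN; CN is normally single-valued.
            if (IDENTITY_ATTR.equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }
} // end of class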