Package weblogic.security.providers.authentication

Interface X509SubjectComponentMapper

All Superinterfaces:

UserNameMapper

public interface X509SubjectComponentMapper
extends UserNameMapper

The X509SubjectComponentMapper derives subject components from a given X.509 certificate chain, extending the UserNameMapper by supporting additional principals and credentials.

Certificate-based authentication may be performed when a remote client makes a two-way-authenticated SSL connection to the server, in which case the client's certificate chain can be used to authenticate the remote user. This removes the need for the client to explicitly provide a username and password.

To specify an instance of this interface to be used by the default identity asserter, set the UserNameMapperClassName field on the Default Identity Asserter tab in the Administration Console to the name of a class that implements this interface.

Classes implementing this interface must have a public no-arg constructor.

Method Summary

Modifier and Type	Method	Description
SubjectComponentData	getSubjectComponentData(java.security.cert.X509Certificate[] certs)	Derives a username, principals, and credentials, from the given certificate chain.
boolean	isVirtualUserAllowed(java.security.cert.X509Certificate[] certs)	Determines whether virtual users are allowed, from the given certificate chain.

Methods inherited from interface weblogic.security.providers.authentication.UserNameMapper

mapCertificateToUserName, mapDistinguishedNameToUserName

Method Detail

getSubjectComponentData

SubjectComponentData getSubjectComponentData(java.security.cert.X509Certificate[] certs)

Derives a username, principals, and credentials, from the given certificate chain. The exact algorithm for the derivation is implementation specific, and may be configurable. If the subject components could not be determined for the given certificate chain, null is returned.

Parameters:

certs - Certificate chain presented by the client. An array of length at least 1. The first certificate is the leaf (i.e. end user's) certificate. If the length is greater than 1, the array is a certificate chain, with the last element being the root CA.

Returns:

The subject components derived from the certificate chain, null if a derivation could not be determined.

isVirtualUserAllowed

boolean isVirtualUserAllowed(java.security.cert.X509Certificate[] certs)

Determines whether virtual users are allowed, from the given certificate chain. The exact algorithm for the derivation is implementation specific, and may be configurable. For example, virtual users may only be allowed from specific Subject DN organizations.

A virtual user is one which is authenticated only by the identity assertion token (e.g., X.509 certificate). A virtual user would not be authenticated against any known user store, such as an LDAP store.

Note that even though this X509SubjectComponentMapper instance may allow virtual users, the identity assertion provider must also allow virtual users in order to authenticate.

Parameters:

certs - Certificate chain presented by the client. An array of length at least 1. The first certificate is the leaf (i.e. end user's) certificate. If the length is greater than 1, the array is a certificate chain, with the last element being the root CA.

Returns:

true if virtual users derived from the certificate chain are allowed, false if not.