Custom Login Class Sample Code
This sample code illustrates the implementation of the default com.hyperion.css.sso.agent.X509CertificateSecurityAgentImpl.
Generally, you should customize the parseCertificate(String sCertificate)
method of this implementation to derive the user name from a certificate attribute other than the DN:
package com.hyperion.css.sso.agent;
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.hyperion.css.CSSSecurityAgentIF;
import com.hyperion.css.common.configuration.*;
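/**
 * X509CertificateSecurityAgentImpl implements the CSSSecurityAgentIF interface. It accepts
 * the X509 certificate of the authenticated user from the Web Server via a
 * header, parses the certificate, extracts the subject DN of the user and
 * derives the login name from the {@link #IDENTITY_ATTR} attribute of that DN.
 *
 * <p>Trust boundary: this agent performs no TLS handshake and no certificate
 * chain or validity checking of its own. It relies on the Web Server having
 * authenticated the client and having placed the resulting certificate in the
 * HYPLOGIN header, so that header must be set by the Web Server only and never
 * taken over from the incoming client request.
 *
 * <p>Per-request results are kept in the instance fields g_userDN and g_userName
 * and are reset at the start of every getUserName call. One instance serving
 * concurrent requests is not thread-safe.
 */
public class X509CertificateSecurityAgentImpl implements CSSSecurityAgentIF
{
    /** Subject DN attribute type whose value becomes the login name. */
    static final String IDENTITY_ATTR = "CN";
    /** Subject DN (RFC 2253 string form) of the last certificate parsed; null until then. */
    String g_userDN = null;
    /** Login name derived from the last certificate parsed; null until then. */
    String g_userName = null;
    /** Server name of the request last handled (recorded only; not used for authentication). */
    String hostAdrress = null;

    /**
     * Returns the user name (login name) of the authenticated user,
     * for example demouser. See CSS API documentation for more information.
     *
     * @param req request carrying the certificate header set by the Web Server
     * @param res unused
     * @return the login name taken from the certificate's subject DN
     * @throws Exception if the header is missing or empty, the certificate cannot
     *         be parsed, or the subject DN carries no {@link #IDENTITY_ATTR} value
     */
    public String getUserName(HttpServletRequest req, HttpServletResponse res)
            throws Exception
    {
        // Clear the results of any earlier call first, so a failed parse can
        // never leave a previous caller's identity behind in this instance.
        g_userDN = null;
        g_userName = null;
        hostAdrress = req.getServerName();

        String certStr = getCertificate(req);
        if (certStr == null || certStr.trim().isEmpty())
        {
            // A missing header means the Web Server did not authenticate the
            // client; fail explicitly rather than with a NullPointerException.
            throw new Exception("Certificate not found in request header");
        }
        String sCert = prepareCertificate(certStr);
        /* Authenticate with a CN */
        parseCertificate(sCert);
        /* parseCertificate leaves g_userName null when the DN has no CN */
        if (g_userName == null)
        {
            throw new Exception("User name not found");
        }
        return g_userName;
    }

    /**
     * Passing null since this is a trusted Security agent authentication.
     * See Security API documentation for more information on CSSSecurityAgentIF.
     *
     * @param req unused
     * @param res unused
     * @return always null
     * @throws Exception never thrown by this implementation; declared by the interface
     */
    public String getPassword(HttpServletRequest req, HttpServletResponse res)
            throws Exception
    {
        return null;
    }

    /**
     * Get the Certificate sent by the Web Server in the HYPLOGIN header.
     * If you pass a different header name from the Web server, change the
     * name in the method.
     *
     * @param request the incoming request
     * @return the raw header value, or null when the header is absent
     */
    private String getCertificate(HttpServletRequest request)
    {
        return request.getHeader(CSSConfigurationDefaults.HTTP_HEADER_HYPLOGIN);
    }

    /**
     * The certificate sent by the Web server is a String.
     * Put a "\n" in place of whitespace so that the X509Certificate
     * java API can parse the certificate.
     *
     * @param gString PEM certificate as received in the header, with the
     *        base64 body line breaks replaced by spaces
     * @return the certificate re-wrapped in PEM markers with newlines restored
     */
    private String prepareCertificate(String gString)
    {
        // Strip the markers before replacing whitespace so the spaces inside
        // "BEGIN CERTIFICATE" / "END CERTIFICATE" are left untouched.
        String body = gString
                .replace("-----BEGIN CERTIFICATE-----", "")
                .replace("-----END CERTIFICATE-----", "");
        return "-----BEGIN CERTIFICATE-----"
                + body.replace(" ", "\n")
                + "-----END CERTIFICATE-----";
    }

    /**
     * Parse the certificate
     * 1. Create X509Certificate using the certificateFactory
     * 2. Get the subject X500Principal from the certificate
     * 3. Set the g_userDN to a certificate attribute value (DN in this sample)
     * 4. Parse the attribute (DN in this sample) to get a unique username
     *
     * <p>The DN is parsed as an RFC 2253 name rather than sliced at fixed
     * offsets, so a CN that is not the first RDN, or one containing an escaped
     * comma, is handled correctly. When the DN has no CN, g_userName stays null.
     *
     * @param sCertificate PEM-encoded certificate as produced by prepareCertificate
     * @throws Exception if the certificate or its subject DN cannot be parsed
     */
    private void parseCertificate(String sCertificate) throws Exception
    {
        // NOTE(review): no checkValidity() or chain verification is done here;
        // the Web Server is relied upon for that (see class comment).
        X509Certificate clientCert = (X509Certificate) CertificateFactory
                .getInstance("X.509")
                .generateCertificate(
                        new ByteArrayInputStream(sCertificate
                                .getBytes(StandardCharsets.UTF_8)));
        if (clientCert == null)
        {
            throw new CertificateException("No certificate could be parsed from the header");
        }
        // getSubjectX500Principal() replaces the deprecated getSubjectDN();
        // the RFC 2253 form is the one LdapName is specified to parse.
        X500Principal subject = clientCert.getSubjectX500Principal();
        String dnStr = subject.getName(X500Principal.RFC2253);
        g_userDN = dnStr;
        g_userName = extractIdentityAttribute(dnStr);
    } //end of parseCertificate

    /**
     * Returns the value of the first (leftmost) {@link #IDENTITY_ATTR} RDN in a
     * subject DN, or null when the DN has none or its value is not a string.
     *
     * @param dn subject DN in RFC 2253 string form
     * @return the attribute value, or null if absent
     * @throws CertificateException if the DN string is not a valid RFC 2253 name
     */
    private static String extractIdentityAttribute(String dn) throws CertificateException
    {
        LdapName name;
        try
        {
            name = new LdapName(dn);
        }
        catch (InvalidNameException ine)
        {
            throw new CertificateException("Subject DN cannot be parsed: " + dn, ine);
        }
        // LdapName stores RDNs right-to-left (index 0 is the rightmost), so walk
        // backwards to examine the leftmost, most specific RDN first.
        for (int i = name.size() - 1; i >= 0; i--)
        {
            Rdn rdn = name.getRdn(i);
            if (IDENTITY_ATTR.equalsIgnoreCase(rdn.getType()))
            {
                Object value = rdn.getValue();
                // Hex-encoded (binary) values come back as byte[] and cannot
                // serve as a login name.
                if (value instanceof String && !((String) value).isEmpty())
                {
                    return (String) value;
                }
            }
        }
        return null;
    }
}// end of class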