Class X509Authentication

java.lang.Object
org.dspace.authenticate.X509Authentication
All Implemented Interfaces:
AuthenticationMethod

public class X509Authentication extends Object implements AuthenticationMethod
Implicit authentication method that gets credentials from the X.509 client certificate supplied by the HTTPS client when connecting to this server. The email address in that certificate is taken as the authenticated user name with no further checking, so be sure your HTTP server (e.g. Tomcat) is configured correctly to accept only client certificates it can validate.

See the AuthenticationMethod interface for more details.

Configuration:

   x509.keystore.path = path to Java keystore file
   keystore.password = password to access the keystore
   ca.cert = path to certificate file for CA whose client certs to accept.
   autoregister = "true" if E-Person is created automatically for unknown new users.
   groups = comma-delimited list of special groups to add user to if authenticated.
   emaildomain = email address domain (after the 'at' symbol) to match before allowing membership in special groups.

Only one of the "keystore.path" or "ca.cert" options is required. If you supply a keystore, then all of the "trusted" certificates in the keystore represent CAs whose client certificates will be accepted. The ca.cert option only allows a single CA to be named.

You can configure both a keystore and a CA cert, and both will be used.

The autoregister configuration parameter determines what the canSelfRegister() method returns. It also allows an EPerson record to be created automatically when the presented certificate is acceptable but there is no corresponding EPerson.

Version:
$Revision$
Author:
Larry Stone
  • Constructor Details

    • X509Authentication

      public X509Authentication()
  • Method Details

    • canSelfRegister

      public boolean canSelfRegister(Context context, jakarta.servlet.http.HttpServletRequest request, String username) throws SQLException
      Predicate: can a new user automatically create an EPerson? Checks the configuration value. You'll probably want this to be true to take advantage of a Web certificate infrastructure with many more users than are already known by DSpace.
      Specified by:
      canSelfRegister in interface AuthenticationMethod
      Parameters:
      context - DSpace context
      request - HTTP request, in case it's needed. May be null.
      username - Username, if available. May be null.
      Returns:
      true if new ePerson should be created.
      Throws:
      SQLException - if database error
    • initEPerson

      public void initEPerson(Context context, jakarta.servlet.http.HttpServletRequest request, EPerson eperson) throws SQLException
      Nothing extra to initialize.
      Specified by:
      initEPerson in interface AuthenticationMethod
      Parameters:
      context - DSpace context
      request - HTTP request, in case it's needed. May be null.
      eperson - newly created EPerson record - email + information from the registration form will have been filled out.
      Throws:
      SQLException - if database error
    • allowSetPassword

      public boolean allowSetPassword(Context context, jakarta.servlet.http.HttpServletRequest request, String username) throws SQLException
      We don't use the EPerson password, so there is no reason to change it.
      Specified by:
      allowSetPassword in interface AuthenticationMethod
      Parameters:
      context - DSpace context
      request - HTTP request, in case it's needed. May be null.
      username - Username, if available. May be null.
      Returns:
      true if this method allows user to change ePerson password.
      Throws:
      SQLException - if database error
    • isImplicit

      public boolean isImplicit()
      Returns true, this is an implicit method.
      Specified by:
      isImplicit in interface AuthenticationMethod
      Returns:
      true if this method uses implicit authentication.
    • getSpecialGroups

      public List<Group> getSpecialGroups(Context context, jakarta.servlet.http.HttpServletRequest request) throws SQLException
      Return special groups configured in dspace.cfg for X509 certificate authentication.
      Specified by:
      getSpecialGroups in interface AuthenticationMethod
      Parameters:
      context - context
      request - object potentially containing the cert
      Returns:
      A list of the special Group objects (the signature returns List<Group>, not an int array of IDs)
      Throws:
      SQLException - if database error
    • authenticate

      public int authenticate(Context context, String username, String password, String realm, jakarta.servlet.http.HttpServletRequest request) throws SQLException
      X509 certificate authentication. The client certificate is obtained from the ServletRequest object.
      • If the certificate is valid, and corresponds to an existing EPerson, and the user is allowed to login, return success.
      • If the user is matched but is not allowed to login, it fails.
      • If the certificate is valid, but there is no corresponding EPerson, the "authentication.x509.autoregister" configuration parameter is checked (via canSelfRegister()).
        • If it's true, a new EPerson record is created for the certificate, and the result is success.
        • If it's false, return that the user was unknown.
      Specified by:
      authenticate in interface AuthenticationMethod
      Parameters:
      context - DSpace context, will be modified (ePerson set) upon success.
      username - Username (or email address) when method is explicit. Use null for implicit method.
      password - Password for explicit auth, or null for implicit method.
      realm - Realm is an extra parameter used by some authentication methods, leave null if not applicable.
      request - The HTTP request that started this operation, or null if not applicable.
      Returns:
      One of: SUCCESS, BAD_CREDENTIALS, NO_SUCH_USER, BAD_ARGS
      Throws:
      SQLException - if database error
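The decision flow described for authenticate() above, together with the trust rule from the configuration notes (only certificates chaining to ca.cert or a trusted keystore entry are accepted), as an added example; this is Go code written for this page, not DSpace's Java implementation. It assumes the trusted CA(s) are already loaded into an x509.CertPool, that a users map stands in for the EPerson table, and that MakeCert only fabricates test certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Authenticate mirrors this page's decision steps: verify the client certificate against the configured
// CA(s), take its rfc822Name SAN as the user name, then apply the EPerson lookup and autoregister rule.
// users stands in for the EPerson table; a false value means "exists but may not log in".
func Authenticate(roots *x509.CertPool, autoregister bool, leaf *x509.Certificate, users map[string]bool) (string, string) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil || len(leaf.EmailAddresses) == 0 {
		return "BAD_CREDENTIALS", "" // untrusted issuer, expired, wrong EKU, or no email to map
	}
	email := strings.ToLower(leaf.EmailAddresses[0]) // taken as the user name; lower-casing is this example's choice
	if canLogin, known := users[email]; known {
		if canLogin {
			return "SUCCESS", email
		}
		return "BAD_CREDENTIALS", email // matched but not allowed to log in
	}
	if !autoregister {
		return "NO_SUCH_USER", email
	}
	users[email] = true // a new EPerson is created from the certificate
	return "SUCCESS", email
}

// MakeCert builds a constructed test certificate with email as SAN: a self-signed CA when parent is nil,
// otherwise a client certificate issued by parent.
func MakeCert(email string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A certificate carrying a trusted user's email but issued by a CA outside the pool is rejected before the email is ever looked up, which is exactly why the page insists the HTTP server accept only certificates it can validate.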
    • loginPageURL

      public String loginPageURL(Context context, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Returns URL of password-login servlet.
      Specified by:
      loginPageURL in interface AuthenticationMethod
      Parameters:
      context - DSpace context, will be modified (EPerson set) upon success.
      request - The HTTP request that started this operation, or null if not applicable.
      response - The HTTP response from the servlet method.
      Returns:
      fully-qualified URL
    • getName

      public String getName()
      Description copied from interface: AuthenticationMethod
      Returns a short name that uniquely identifies this authentication method
      Specified by:
      getName in interface AuthenticationMethod
      Returns:
      The authentication method name
    • isUsed

      public boolean isUsed(Context context, jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: AuthenticationMethod
      Get whether the authentication method is being used.
      Specified by:
      isUsed in interface AuthenticationMethod
      Parameters:
      context - The DSpace context
      request - The current request
      Returns:
      whether the authentication method is being used.
    • canChangePassword

      public boolean canChangePassword(Context context, EPerson ePerson, String currentPassword)
      Description copied from interface: AuthenticationMethod
      Check if the given current password is valid to change the password of the given ePerson.
      Specified by:
      canChangePassword in interface AuthenticationMethod
      Parameters:
      context - The DSpace context
      ePerson - the ePerson related to the password change
      currentPassword - The current password to check
      Returns:
      true if the provided password matches the current password.