1 Reply Latest reply on Aug 2, 2010 7:25 AM by SteveStephens1

    X.509 Client Authentication, BlazeDS, Tomcat.


      Requirement:  Perform X.509 single sign-on for a Flex UI hosted with Tomcat 6.0.x server.  The authentication and authorization will be provided by 3rd party web services for the application.  These web services need to have the CN from the certificate passed.


      So, I'd like to perform client authentication using a X.509 certificate with a Flex UI, BlazeDS, Java 1.6, Tomcat stack.  I set up the Tomcat server to demand a client cert.  This is working fine.  What I can't figure out is how do I gain access to the cert in Flex (or Java) to then set up permissions for the logged in user.


      I did read a blog posting about how to do this using the GraniteDS service.  I'm not in a position to be able to convert to using this.  Supposedly GraniteDS grants access to the Spring 2.0 security features.  I'm not sure but it reads like BlazeDS does not grant access to these features.


      Is there a best practice or design pattern available to accomplish this task?




      - Steve

        • 1. Re: X.509 Client Authentication, BlazeDS, Tomcat.
          SteveStephens1 Level 1

          I found a solution.  It seems like a hack but wanted to note it in case someone searches for this thread.


          What I did was the following.


          I wrote a .jsp that'd get the certificate from the browser and:

               <%@ page import="java.security.cert.X509Certificate" %><%
               String cn = "";

               // Tomcat exposes the verified client certificate chain under this standard request attribute
               X509Certificate[] obj = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

               if (null != obj && obj.length > 0) {
                    // obj[0] is the client's own certificate; getName() returns the full subject DN (RFC 2253), not only the CN
                    cn = obj[0].getSubjectX500Principal().getName();
               }
               %><%= cn %>


          I modified the .HTML that'd launch the .SWF movie file to basically do the following:


               Added all of the launching Javascript code into a function.

               Added a function to create an XMLHttp object.

               Made a request to the .jsp I made above:

                     xmlhttp.open("GET", "CheckFile.jsp", true);

                     xmlhttp.onreadystatechange = launchSWF;

                     xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

                     xmlhttp.send(null);  // without send() the request is never actually issued


                    This will call the CheckFile.jsp page and call the launchSWF function when a response is sent back from the call.

               In launchSWF method I did the following:

                     if (xmlhttp.readyState != 4) return;  // onreadystatechange fires several times; wait for the completed response

                     var subjectCN = xmlhttp.responseText;


                     flashvars.subjectCN = subjectCN;  //flashvars.<varname> can be any name, preferably some name that makes sense.


               Finally, inside of the SWF you can access the variable(s) using this.parameters.<varname> where <varname> is the name of the variable created in the Javascript.


          Anyway, these are the basics.
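As an added example (not code from this thread or from BlazeDS), here is a servlet that does what CheckFile.jsp does in the post but also records the identity on the server side: it parses the CN out of the subject DN with LdapName instead of returning the whole DN, stores it in the HttpSession, and a BlazeDS remote object reads it from there. The class names ClientCertCnServlet and WhoAmI and the session attribute name clientCertCN are assumptions; flex.messaging.FlexContext is assumed to be on the classpath from the BlazeDS jars. The flashvars value is fine as a UI convenience, but anything the SWF later sends back can be altered by whoever controls the browser, so the remote objects that call the 3rd party web services should take the CN from the session (which Tomcat populated from the TLS-verified certificate), not from a parameter supplied by the client.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Replacement for CheckFile.jsp: returns the client certificate's CN to the
 * launching page and keeps a server-side copy in the session for BlazeDS calls.
 */
public class ClientCertCnServlet extends HttpServlet {

    /** Session attribute name (assumed; any name the remote objects agree on works). */
    public static final String SESSION_CN = "clientCertCN";

    /** Tomcat puts the verified client certificate chain under this standard servlet attribute. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /**
     * X500Principal.getName() returns the whole RFC 2253 DN, e.g. "CN=alice,OU=dev,O=example".
     * Parse it as an LDAP name rather than splitting on commas, which breaks on escaped values.
     */
    static String extractCn(X509Certificate cert) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null; // subject has no CN attribute
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        // With clientAuth="true" Tomcat fails the handshake before this runs; with
        // clientAuth="want" or a misconfigured connector the attribute is simply null.
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String cn;
        try {
            cn = extractCn(chain[0]); // chain[0] is the end-entity (client) certificate
        } catch (InvalidNameException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unparseable subject DN");
            return;
        }
        if (cn == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "certificate subject has no CN");
            return;
        }
        // Server-side record of who this session belongs to.
        req.getSession(true).setAttribute(SESSION_CN, cn);

        resp.setContentType("text/plain;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        resp.getWriter().print(cn); // this is what launchSWF reads from xmlhttp.responseText
    }
}

/** Assumed BlazeDS remote object showing how a destination reads the identity from the session. */
class WhoAmI {
    public String currentCn() {
        // FlexContext gives the servlet request behind the current AMF call (same session cookie the browser sent).
        HttpServletRequest req = flex.messaging.FlexContext.getHttpRequest();
        HttpSession session = req == null ? null : req.getSession(false);
        return session == null ? null : (String) session.getAttribute(ClientCertCnServlet.SESSION_CN);
    }
}
```

Map the servlet to /CheckFile in web.xml and point the xmlhttp.open() call at it; the browser side of the post stays the same. The remote object method can be exposed through a BlazeDS remoting destination in the usual way, and the 3rd party web services are then called with the CN returned by currentCn() rather than with a string handed in from the Flex client.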