We can configure Helidon 4 to require client certificate authentication with the following

```yaml
server:
  port: 8443
  host: 0.0.0.0
  tls:
    client-auth: REQUIRED
    endpoint-identification-algorithm: NONE # This is a bit counter-intuitive
    private-key:
      keystore:
        ...
    trust:
      keystore:
        ...
        trust-store: true
```

Ignoring the need to set `endpoint-identification-algorithm: NONE`, which is not very intuitive, this works well.

However, coming from a Servlet background I would then expect to be able to do the following

There is no way to achieve this with Helidon.

Environment Details

Problem Description

I would like to be able to implement security authorisations using ABAC against clients authenticated using client certificate authentication.

Given Helidon has ABAC, the Certificate properties could be exposed to ABAC for dynamic checking against attributes of the Certificate.

In order to get this working in my test lab I have had to do the following:

- Implement an `io.helidon.webserver.http.Filter` to add the certificate to the request. This would seem to be a core feature missing from `io.helidon.webserver.security.SecurityContextFilter`
- Implement an `io.helidon.security.spi.AuthenticationProvider`. This takes the code from `io.helidon.security.providers.httpauth.HttpBasicAuthProvider` to configure `SecureUserStore` instances but then looks up the user by the certificate DN
Hello,
the `endpoint-identification-algorithm: NONE` should not be required at all if you have correctly defined certificates. It is what is called "endpoint verification" in other places, and it is related to the common name of the server certificate - if that is set correctly to the host name used, you do not need to specify this option.
Regarding the feature request, we will investigate it. Right now you can only use the common name from the certificate to assert user identity through our header based security provider (we use `X_HELIDON_CN` as the generated header for the common name from the client certificate).
@tomas-langer I understand that - but what `endpoint-identification-algorithm` does when enabled for client certificate authentication on the server side is that it tries to identify the client by its SAN. As a client certificate will identify a user and not a machine, and moreover the user's machine could have any IP address and likely not a domain name, this verification will always fail.
As an example, my WAN IP address might now be 1.2.3.4 - I have no reverse DNS for that IP as it's given to me by my ISP by DHCP. I make a request with my certificate for DN=CN=boris.morris, provided for me by some public CA which issues client certificates. The server, if endpoint verification is enabled, will try to verify that there is an IP SAN for 1.2.3.4 in my certificate - which there obviously can never be.
Endpoint identification is used when the client talks to a server - which will have some fixed address(es) that can be named in a SAN.
For the server side of a mutual TLS connection, endpoint verification is normally disabled for this reason.
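The following added example illustrates both parts of this thread in plain Python: the original request (look the user up by the certificate's subject DN and feed certificate attributes into an ABAC decision) and the endpoint-identification discussion. It is not code from the issue, from Helidon or from the Java TLS stack, and uses nothing but Python's stdlib `ssl` module. `Subject`, `CertAuthError`, `USER_STORE`, `authorize`, the resource attributes and the sample certificates are assumptions made for the example; the certificates are constructed dicts in the shape `ssl.SSLSocket.getpeercert()` returns after a mutual-TLS handshake, so the module runs without a network. The last function only shows that Python's stdlib defines hostname verification for the client side and refuses it on a server-side socket; it says nothing about how the Java TLS stack under Helidon behaves.

```python
"""Map a TLS client certificate to an application identity and run an ABAC
check on it.  Added illustration, not Helidon code; runs offline."""
import socket
import ssl
from dataclasses import dataclass

# X.520 attribute names as reported by getpeercert() -> RFC 4514 short names.
SHORT_NAMES = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
               "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN"}
DN_SPECIAL = ',+"\\<>;'

def sample_cert(ou: str, cn: str) -> dict:
    """Constructed certificate in ssl.SSLSocket.getpeercert() format (not real)."""
    return {"subject": ((("countryName", "GB"),), (("organizationName", "Example Ltd"),),
                        (("organizationalUnitName", ou),), (("commonName", cn),)),
            "issuer": ((("organizationName", "Example Ltd"),),
                       (("commonName", "Example Client CA"),)),
            "notBefore": "Jan 01 00:00:00 2024 GMT",
            "notAfter": "Jan 01 00:00:00 2026 GMT"}

OPS_PEER_CERT = sample_cert("ops", "boris.morris")  # mapped user, role operator
UNKNOWN_PEER_CERT = sample_cert("ops", "mallory")   # valid cert, no user record
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")  # fixed clocks
EXPIRED_NOW = ssl.cert_time_to_seconds("Mar 01 00:00:00 2026 GMT")

def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping, so a crafted CN such as 'x,OU=ops' cannot forge a DN."""
    out = "".join("\\" + ch if ch in DN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def rdn_attributes(name) -> dict:
    """Flatten a getpeercert() name (tuple of RDNs) into {short name: value}."""
    return {SHORT_NAMES.get(n, n): v for rdn in name for n, v in rdn}

def subject_dn(cert) -> str:
    """RFC 4514 string form of the subject, most specific RDN first."""
    return ",".join("+".join(f"{SHORT_NAMES.get(n, n)}={escape_rdn_value(v)}" for n, v in rdn)
                    for rdn in reversed(cert["subject"]))

@dataclass(frozen=True)
class Subject:
    principal: str
    roles: frozenset
    cert_attributes: dict    # subject RDNs, e.g. {"CN": ..., "OU": ...}
    issuer_attributes: dict  # issuer RDNs

class CertAuthError(Exception):
    """Authentication failed; safe to log, not to echo back to the peer."""

# Assumed user store keyed by subject DN -> (login, roles), where a password
# store would be keyed by login name.
USER_STORE = {
    "CN=boris.morris,OU=ops,O=Example Ltd,C=GB": ("bmorris", frozenset({"operator"})),
}

def authenticate(cert, now: float, store=USER_STORE) -> Subject:
    """Turn a verified peer certificate into a Subject or raise CertAuthError.
    The TLS stack checked the chain at the handshake; the validity re-check uses
    the application's own clock, which matters on long-lived connections."""
    if not cert:  # getpeercert() gives None or {} when no verified cert was sent
        raise CertAuthError("no verified client certificate presented")
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            < ssl.cert_time_to_seconds(cert["notAfter"])):
        raise CertAuthError("client certificate outside its validity period")
    dn = subject_dn(cert)
    if dn not in store:
        raise CertAuthError(f"no user mapped to DN {dn!r}")
    login, roles = store[dn]
    return Subject(login, roles, rdn_attributes(cert["subject"]),
                   rdn_attributes(cert["issuer"]))

# Assumed resource attributes an ABAC policy consults.
OPS_PROD_RESOURCE = {"team": "ops", "required_issuer_cn": "Example Client CA"}

def authorize(subject: Subject, action: str, resource: dict) -> bool:
    """ABAC: certificate attributes (OU, issuer CN) decide, not roles alone.
    A merely valid certificate never grants access; unknown actions are denied."""
    if subject.cert_attributes.get("OU") != resource["team"]:
        return False
    if subject.issuer_attributes.get("CN") != resource["required_issuer_cn"]:
        return False
    if action == "read":
        return True
    return action == "write" and "operator" in subject.roles

def server_side_hostname_check_is_rejected() -> bool:
    """Endpoint identification is a client-side concept: Python's ssl module
    refuses to wrap a server-side socket while check_hostname is enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the equivalent of client-auth: REQUIRED
    ctx.check_hostname = True            # a client-side setting
    with socket.socket() as plain:
        try:
            ctx.wrap_socket(plain, server_side=True)
        except ValueError:
            return True
    return False

if __name__ == "__main__":
    boris = authenticate(OPS_PEER_CERT, SAMPLE_NOW)
    print(boris.principal, sorted(boris.roles), boris.cert_attributes)
    print("write on ops/prod:", authorize(boris, "write", OPS_PROD_RESOURCE))
```

In a real server the dict would come from `conn.getpeercert()` after a handshake on a context with `verify_mode = CERT_REQUIRED` and a client CA loaded, and `now` from `time.time()`. The DN is built with RFC 4514 escaping before it is used as a lookup key, so a CA that lets subscribers choose their CN cannot produce a string that collides with another user's DN; a store keyed on the CN alone, which is what a header such as `X_HELIDON_CN` carries, does not have that protection unless the CA guarantees CN uniqueness.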