Hopbot log for 2008-03-09 - Helma IRC channel: #helma on irc.freenode.net

2008-03-09:

[11:14] <decke> good morning...
[11:15] <decke> has anyone ever used helma to authenticate users thru ssl client certificates?
[11:25] <zumbrunn_> hi decke
[11:26] <decke> hi
[11:26] <zumbrunn_> hmm, didn't know that's possible for web apps
[11:26] <zumbrunn_> (assuming you mean what I think you mean)
[11:26] <decke> it's like ssh
[11:27] <decke> a bit more complex of course
[11:27] <decke> you generate your own CA
[11:27] <zumbrunn_> how would that work over the web?
[11:27] <decke> generate a few client certificates - sign them with your CA
[11:27] <zumbrunn_> can web browsers do this kind of authentication?
[11:27] <decke> and import it into your browser
[11:27] <decke> jep that works flawlessly..
[11:27] <zumbrunn_> ok, I wasn't aware that's possible
[11:27] <decke> and on the helma side behind apache mod_ssl i get the client certificate
[11:28] <decke> from the servlet request ... it carries the cert .. that works fine... but then..
[11:29] <decke> then there is the black hole where my knowledge ends and i don't know what to do...
[11:29] <decke> is the cert validated? can i trust them? what do servlets do? oh they use CAS - a different beast
[11:30] <decke> everything i find is how you do it with tomcat and they configure everything in their xml config files...
[11:30] <zumbrunn_> one problem might also be the version of jetty
[11:31] <decke> at least i get the client cert
[11:31] <decke> everything is there...
[11:31] <zumbrunn_> and the jetty configuration isn't exposed through config files in helma setups right now
[11:31] <decke> i only don't know how to validate it... or if it is already validated thru mod_ssl
[11:32] <decke> who handles the servlet things in helma?
[11:32] <decke> is this a part of helma or jetty?
[11:32] <decke> because i get the client cert like this...
[11:33] <zumbrunn_> helma embeds jetty, so something between I guess
[11:33] <decke> req.getServletRequest().getAttribute("javax.servlet.request.X509Certificate");
[11:33] <decke> and that's a list of X509Certificate objects ... the client certs - or null
[11:33] <zumbrunn_> that would be hannes (you could ask on the helma-user mailing list)
[11:34] <decke> strange that nobody has used this already..
[11:34] <zumbrunn_> plus, maybe someone else has already done this and can provide more info
[11:35] <decke> but it is a cool and secure way of authenticating users...
[11:36] <zumbrunn_> yes, as long as the physical access to the client is secure ;-)
[11:36] <decke> yep but it is safer than passwords...
[11:37] <zumbrunn_> even when using https?
[11:38] <zumbrunn_> why is it safer?
[11:38] <decke> not safer when transferring the password thru the line
[11:38] <decke> but certs are password protected - so they can't be stolen
[11:39] <zumbrunn_> oh, yes ...but you could also have certs without passwords
[11:40] <zumbrunn_> (which is when you would need to know physical access to the client is secure)
[11:40] <decke> and you can write the password on a postit and put it on your monitor...
[11:40] <zumbrunn_> lol
[11:40] <decke> but the certs are safer when you have a keylogger on your pc
[11:41] <decke> you enter the password for the cert only when importing it - so only once
[11:42] <decke> when using http you enter it on every login...
[11:42] <zumbrunn_> ok, so it is more like a thought
[11:42] <zumbrunn_> you need to have the access to the client secured then
[11:42] <zumbrunn_> because they will be authenticated without password when accessing from that client
[11:43] <decke> the high security logins of banking websites and government sites are not much more...
[11:43] <decke> they put a client certificate on a smartcard and give you a cardreader so you can password protect the cert
[11:44] <decke> and beyond this point everything is identical to the normal client certs - as far as i know
[11:45] <zumbrunn_> can't you somehow test what happens with an invalid certificate?
[11:45] <zumbrunn_> whether req.getServletRequest().getAttribute("javax.servlet.request.X509Certificate"); is still set in that case
[11:45] <decke> i tried that... but spoofing a wrong certificate is not as easy as it seems...
[11:46] <decke> at the ssl handshake
[11:46] <decke> the server sends which CA's he trusts...
[11:47] <zumbrunn_> I suggest you ask on the helma-user mailing list then
[11:47] <decke> then the client looks at his client certs and tries to find a valid one
[11:47] <decke> and then at the request the client sends this cert ...
[11:48] <decke> so i would have to modify my browser to send a spoofed cert that is not signed by the CA that the server knows
[11:49] <decke> yeah seems like it's worth finding out and writing about it ...
[11:51] <decke> the app where i want to use it is some sort of a "home automation system"
[11:51] <decke> and i want to have a small wlan enabled PDA/MDA/iPhone that is automatically logged in
[11:52] <decke> without entering a password - or using insecure logins... because entering a password on such a device is horrible
[11:53] <zumbrunn_> yeah, this approach makes a lot more sense for that kind of application
