4

I implemented strong authentication in a web server (Apache) and it works great. But I want to implement a Java class that has to compare the CAC ID and subject name to the ones present in a Java .properties file or XML.

Cœur
xfocus

1 Answer

3

Not sure about your deployment but for example if you need to do that from a servlet deployed in Tomcat you could do:

X509Certificate[] certs = (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");   

If the client has sent certificates then certs will have them and you can do the check you need and possibly reject according to your needs.
Note that this will happen after the SSL handshake has finished.

Cratylus
  • How can I manage or detect the smart card removal event? And how do I disconnect the client after? – xfocus Sep 12 '12 at 10:21
  • @xfocus: You did not mention this in the OP. And I don't know how you could detect this. Depends on your client program? – Cratylus Sep 12 '12 at 16:33
  • My middleware application (Gemalto Classic Client) can detect and remove the client certificate from the personal certificate store after the card is removed, but I don't know how to take advantage of that. – xfocus Sep 12 '12 at 17:13
  • @xfocus: Perhaps send a message to server to indicate this happened? – Cratylus Sep 12 '12 at 20:47
  • I don't really know how to do that, because the Classic Client only removes the client certificate, so how will the server be informed? – xfocus Sep 13 '12 at 08:00
  • @xfocus: Assuming that gemalto (have never used this) is just a library to access the smart card and you send the credentials via an https client, you could register a listener and on removal, send a "special" message to your server – Cratylus Sep 13 '12 at 16:44
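
The comparison asked about in the question, applied to the certificate array from the answer, as an added example that is not part of the original thread. The class name `CertAllowlist`, the `<id>=<subject CN>` layout of the .properties file, and the rule that the ID is the last dot-separated component of the CN are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example: checks a client certificate against an allowlist loaded from a .properties file. */
public class CertAllowlist {
    // Assumed (hypothetical) file format: <id>=<expected subject CN>, for example
    // 1234567890=DOE.JOHN.A.1234567890   (constructed sample entry)
    private final Properties allowed = new Properties();

    public CertAllowlist(Reader propertiesSource) throws IOException {
        allowed.load(propertiesSource);
    }

    /** Returns the CN of the subject DN, or null if the DN has no CN. */
    static String subjectCn(X509Certificate cert) throws InvalidNameException {
        // getName() returns the DN as an RFC 2253 string, which LdapName parses safely.
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** certs is the array from request.getAttribute("javax.servlet.request.X509Certificate"). */
    public boolean isAllowed(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return false; // no client certificate was presented
        }
        try {
            String cn = subjectCn(certs[0]); // index 0 is the client's own certificate
            if (cn == null) return false;
            // Assumption: the ID is the last dot-separated component of the CN.
            String id = cn.substring(cn.lastIndexOf('.') + 1);
            String expectedCn = allowed.getProperty(id);
            return expectedCn != null && expectedCn.equals(cn); // unknown IDs are rejected
        } catch (InvalidNameException e) {
            return false; // unparsable subject DN: reject
        }
    }
}
```

Parsing the DN with `LdapName` instead of splitting the string on commas avoids mismatches when a subject value contains escaped commas or equals signs.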