Results 1 to 4 of 4
  1. #1
    Member
    Join Date
    Oct 2009
    Location
    Odenton
    Posts
    4

    Question Client Authentication via X.509

    I am interested in authenticating users via their X.509 certificates. Lightstreamer's username/password authentication mechanism is not sufficient. Normally, I would perform X.509 authentication within a servlet container by retrieving the "javax.servlet.request.X509Certificate" attribute from the HttpRequest; however, to my knowledge Lightstreamer does not provide access to the HttpRequest or any other means to access a user's certificate. Can you provide any further guidance, short of relying on an external web server's preexisting authentication mechanism, which would provide access to a user's X.509 certificate via the Lightstreamer server?

    Thanks in advance for your assistance.

  2. #2
    Administrator
    Join Date
    Jul 2006
    Location
    Milan
    Posts
    975
    Lightstreamer does not perform client authentication on its https connections,
    nor does it forward the client X.509 certificate to the Metadata Adapter upon session initiation requests; the latter might be a feasible extension.

    Request to the client for HTTP authentication is also not supported.
    If your client can manage to force the inclusion of the certificate in the request header of all the http or https requests performed by the client library
    (like a cookie, but, preferably, not as a cookie),
    then your Metadata Adapter will receive it (only upon session initiation requests) in notifyUser, beside username and password, through the httpHeaders parameter.

    Otherwise, the certificate would have to be embedded in some way into the username or password field.

  3. #3
    Member
    Join Date
    Oct 2009
    Location
    Odenton
    Posts
    4
    Quote Originally Posted by DarioCrivelli
    Lightstreamer does not perform client authentication on its https connections,
    nor does it forward the client X.509 certificate to the Metadata Adapter upon session initiation requests; the latter might be a feasible extension.

    Request to the client for HTTP authentication is also not supported.
    If your client can manage to force the inclusion of the certificate in the request header of all the http or https requests performed by the client library
    (like a cookie, but, preferably, not as a cookie),
    then your Metadata Adapter will receive it (only upon session initiation requests) in notifyUser, beside username and password, through the httpHeaders parameter.

    Otherwise, the certificate would have to be embedded in some way into the username or password field.
    Dario, thanks for the response.

    Is there a formal process for requesting new features, such as forwarding the client's array of X509Certificates to the Metadata Adapter for authentication?

    I'm considering relying on a reverse proxy server for authentication at this point, which would pass user credentials to the Lightstreamer server via the request header. Adding the complexity of a reverse proxy is clearly not an ideal for Lightstreamer (or myself).

  4. #4
    Administrator
    Join Date
    Jul 2006
    Location
    Milan
    Posts
    975
    We are aware that an extension is possible on this matter,
    but, unfortunately, nothing has been scheduled at the moment.
    Explicit requests for new features can be handled as part of normal "commercial level" interactions.

    Note that, in order to add certificate information to the Adapter API,
    backward compatibility issues should be faced.

 

 

Similar Threads

  1. User Authentication Issue
    By karthik655 in forum Client APIs
    Replies: 3
    Last Post: May 3rd, 2012, 11:07 AM
  2. Authentication with LiteralBasedProvider and NetworkedDataProvider
    By exchangepulse in forum Adapter Protocol
    Replies: 2
    Last Post: March 19th, 2009, 08:37 PM
  3. Authentication with Metadata Adapter
    By stephenlam in forum Adapter APIs
    Replies: 4
    Last Post: December 12th, 2008, 11:52 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
All times are GMT +1. The time now is 11:00 PM.