Implicit authentication method that gets credentials from the X.509 client
certificate supplied by the HTTPS client when connecting to this server. The
email address in that certificate is taken as the authenticated user name
with no further checking, so be sure your HTTP server (e.g. Tomcat) is
configured to require a client certificate and to accept only certificates it
can validate against the CAs you intend to trust (in Tomcat, the connector's
clientAuth and truststoreFile attributes). Any CA trusted at that layer can
issue a certificate bearing any user's email address, and this method will
accept it as that user.
See the AuthenticationMethod interface for more details.
Configuration:
  x509.keystore.path = path to Java keystore file
  keystore.password = password to access the keystore
  ca.cert = path to certificate file for the CA whose client certs to accept.
  autoregister = "true" if an E-Person is created automatically for unknown new users.
  groups = comma-delimited list of special groups to add the user to if authenticated
           (subject to the emaildomain check below).
  emaildomain = email address domain (the part after the 'at' symbol) that must
           match before membership in the special groups is granted.
Only one of the "keystore.path" or "ca.cert" options is required. If you
supply a keystore, then every "trusted" certificate entry in that keystore
represents a CA whose client certificates will be accepted, so point it at a
keystore holding only the CAs you mean to trust, never at a general-purpose
trust store such as the JDK's cacerts. The "ca.cert" option only allows a
single CA to be named. You can configure both a keystore and a CA cert, and
both will be used.
The "autoregister" configuration parameter determines what the
canSelfRegister() method returns. When it is "true", an EPerson record is
created automatically when the presented certificate is acceptable but no
EPerson with that email address exists yet.