Client Authentication via X.509

brianjohnson

I am interested in authenticating users via their X.509 certificates. Lightstreamer's username/password authentication mechanism is not sufficient. Normally, I would perform X.509 authentication within a servlet container by retrieving the "javax.servlet.request.X509Certificate" attribute from the HttpRequest; however, to my knowledge Lightstreamer does not provide access to the HttpRequest or any other means to access a user's certificate. Can you provide any further guidance, short of relying on an external web server's preexisting authentication mechanism, which would provide access to a user's X.509 certificate via the Lightstreamer server?

Thanks in advance for your assistance.

Dario Crivelli

Lightstreamer does not perform client authentication on its https connections,
nor does it forward the client X.509 certificate to the Metadata Adapter upon session initiation requests; the latter might be a feasible extension.

Request to the client for HTTP authentication is also not supported.
If your client can manage to force the inclusion of the certificate in the request header of all the http or https requests performed by the client library
(like a cookie, but, preferably, not as a cookie),
then your Metadata Adapter will receive it (only upon session initiation requests) in notifyUser, beside username and password, through the httpHeaders parameter.

Otherwise, the certificate would have to be embedded in some way into the username or password field.

brianjohnson

@DarioCrivelli, Wrote: Lightstreamer does not perform client authentication on its https connections,
nor does it forward the client X.509 certificate to the Metadata Adapter upon session initiation requests; the latter might be a feasible extension.

Request to the client for HTTP authentication is also not supported.
If your client can manage to force the inclusion of the certificate in the request header of all the http or https requests performed by the client library
(like a cookie, but, preferably, not as a cookie),
then your Metadata Adapter will receive it (only upon session initiation requests) in notifyUser, beside username and password, through the httpHeaders parameter.

Otherwise, the certificate would have to be embedded in some way into the username or password field.

Dario, thanks for the response.

Is there a formal process for requesting new features, such as forwarding the client's array of X509Certificates to the Metadata Adapter for authentication?

I'm considering relying on a reverse proxy server for authentication at this point, which would pass user credentials to the Lightstreamer server via the request header. Adding the complexity of a reverse proxy is clearly not an ideal for Lightstreamer (or myself).

Dario Crivelli

We are aware that an extension is possible on this matter,
but, unfortunately, nothing has been scheduled at the moment.
Explicit requests for new features can be handled as part of normal "commercial level" interactions.

Note that, in order to add certificate information to the Adapter API,
backward compatibility issues should be faced.