On 02/10/2010 12:44 PM, Story Henry wrote:
> Hi,
>
> Having got Xwiki to produce RDFa (very easy), and having switched off
> Twitter to allow me to concentrate, I am now working on allowing a
> user to click a button in his profile, and have it create a foaf+ssl
> certificate (which is just a normal certificate, but with a URL in
> the subject alternative name). The code for this is very simple:
>
> http://github.com/harbulot/keygenapp/blob/master/samplewebapp/src/main/java…
>
> (with a few lines of tweaks required to add the certificate
> information to the profile page).
>
> What happens is that a <keygen> XML element is added to a <form>
> element in the user's profile page. This forces the browser (Safari,
> Firefox, Opera) to create a <public, private> key pair and send the
> public part to the servlet referred to above (MiniCaServlet).

What about IE? Not that I like it, but most enterprise users are still
on IE6.

> That servlet creates a certificate and sends it back to an invisible
> iframe. The browser then adds that cert to the keystore (this is done
> automatically, it's part of browser behavior).

Do you have a link to some documentation about this behavior?

> So to move this code to XWiki, I understand I should create a
> component. I read about it here:
>
> http://platform.xwiki.org/xwiki/bin/view/DevGuide/WritingComponents

Yes, that's the right approach. You should also read about the new
scripting service, see
http://jira.xwiki.org/jira/browse/XWIKI-4853 and
http://markmail.org/thread/g4z56pl734lng2ym

> and it makes sense. From a component I can get the user, and from
> that I can get his profile page, and then I can add the public key
> information to his profile (I wrote an RSAKeyClass in Xwiki to do
> this).

RSAKeyClass as a class inside com.xpn.xwiki.objects.classes, similar to
PasswordClass, NumberClass and the like? Yes, that is good. You also
need a RSAKeyMetaClass in com.xpn.xwiki.objects.meta, and register it in
com.xpn.xwiki.objects.meta.MetaClass

Alternatively, you could just use the TextAreaClass for the moment,
although that's 0 security.

> The component should finally send the newly generated certificate
> back to the client, which it can do because it has access to the
> HTTPServletResponse.
>
> But where would I put such a component? In a specific wiki page?

Better as a jar inside WEB-INF/lib. Given that it adds a new property
type to the data model, it should be a key component inside the platform.

> Does all that make sense? If not let me know before I go and code it
> up.

Looks good to me so far, but I have a couple more questions/suggestions:

- You must make sure that the private key can't be publicly accessed
- What do you plan to do with these keys afterwards?
- The process that you described (browser creates key, sends public part
to server, server creates certificate and sends back to browser) does
not mention anything about what happens within the user profile. Could
you go into more details?

> Henry
>
> PS. It would be fun later to have the User's Profile page be a bit
> Ajaxy, so that if it notices a change to the invisible iframe the
> browser can make a request to XWiki to refresh the table of public
> keys displayed to the user.
>
> Social Web Architect
> http://bblfish.net/
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
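The server half of the flow Henry describes (browser posts the public key from a <keygen> element, server answers with a certificate whose subject alternative name carries the profile URL), as an added example that is not keygenapp's or XWiki's code. It assumes BouncyCastle (bcprov and bcpkix) on the classpath; the class name WebIdCertIssuer, the CA name, the challenge string and the profile URL are all constructed for the example. The point it makes for Sergiu's first question is that the user's private key never reaches the server: the SPKAC blob contains only the public key and the per-session challenge, signed inside the browser, and the server verifies that signature before issuing anything.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;

import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.netscape.NetscapeCertRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/**
 * Hypothetical issuer (example code, not keygenapp or XWiki): takes the
 * SPKAC blob a <keygen> element posts, checks it, and returns an X.509
 * certificate whose subjectAltName is the user's profile URI.
 */
public class WebIdCertIssuer {

    private final KeyPair caKey;   // the only private key the server holds
    private final X500Name caName;

    public WebIdCertIssuer(KeyPair caKey, X500Name caName) {
        this.caKey = caKey;
        this.caName = caName;
    }

    /**
     * @param spkacBase64 the form value the browser produced for the <keygen> field
     * @param challenge   the value the server put in <keygen challenge="..."> for this
     *                    session; a blob generated for another page or session fails here
     * @param webId       the user's profile URI that goes into subjectAltName
     */
    public X509Certificate issue(String spkacBase64, String challenge,
                                 String webId, String commonName) throws Exception {
        // SPKAC = SignedPublicKeyAndChallenge: public key + challenge, signed by the
        // private key that never left the browser.
        NetscapeCertRequest spkac =
            new NetscapeCertRequest(Base64.getMimeDecoder().decode(spkacBase64));
        if (!spkac.verify(challenge)) {
            throw new SecurityException("SPKAC signature or challenge mismatch");
        }
        PublicKey userKey = spkac.getPublicKey();

        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
        BigInteger serial = new BigInteger(64, new SecureRandom());

        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            caName, serial, notBefore, notAfter, new X500Name("CN=" + commonName), userKey);
        // The foaf+ssl binding: the profile URL is a URI-type subjectAltName entry.
        builder.addExtension(Extension.subjectAlternativeName, false,
            new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, webId)));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
            .setProvider("BC").build(caKey.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    /** Stand-in for what the browser does with <keygen>; only here so main() runs offline. */
    static String browserSideSpkac(KeyPair userKey, String challenge) throws Exception {
        NetscapeCertRequest req = new NetscapeCertRequest(challenge,
            new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption, DERNull.INSTANCE),
            userKey.getPublic());
        req.sign(userKey.getPrivate());
        return Base64.getEncoder().encodeToString(req.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair caKey = gen.generateKeyPair();
        KeyPair userKey = gen.generateKeyPair();  // in real use this lives in the browser

        String challenge = "constructed-per-session-challenge";              // constructed
        String webId = "https://wiki.example/xwiki/bin/view/XWiki/Alice#me"; // constructed
        WebIdCertIssuer ca = new WebIdCertIssuer(caKey, new X500Name("CN=Example Mini CA"));

        X509Certificate cert =
            ca.issue(browserSideSpkac(userKey, challenge), challenge, webId, "Alice");
        cert.verify(caKey.getPublic());  // throws if the CA signature is bad
        System.out.println("subjectAltName: " + cert.getSubjectAlternativeNames());
        System.out.println("cert key equals browser key: "
            + cert.getPublicKey().equals(userKey.getPublic()));
    }
}
```

In the servlet, the DER bytes of the returned certificate are written to the HTTPServletResponse with content type application/x-x509-user-cert, which is what makes Firefox (and the other browsers Henry lists) pair it with the private key it generated and store it without further prompting. Two caveats for anyone revisiting this design today: the challenge must be bound to the session that rendered the form, otherwise the check in issue() proves nothing; and the <keygen> element has since been removed from Chrome and Firefox, so a current implementation needs another way to get a browser-held key pair certified.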