SSO via client SSL certificates

Support for authentication using client side SSL certificate. This authentication type is actually kind of SSO. Gerrit will configure Jetty's SSL channel to request client's SSL certificate. For this authentication to work a Gerrit administrator has to import the root certificate of the trust chain used to issue the client's certificate into the <review-site>/etc/keystore. For the Gerrit's server side SSL certificate one can use a certificate signed by a CA or a self-signed certificate. After the authentication is done Gerrit will obtain basic user registration (name and email) from LDAP, and some group memberships. Change-Id: Ic076178f844f05b73be5d7c8fe9c8bb29b458f26
2010-10-04 15:47:08 +02:00
parent e5669acc57
commit eabc89728c
10 changed files with 173 additions and 3 deletions
--- a/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/AuthType.java
+++ b/gerrit-reviewdb/src/main/java/com/google/gerrit/reviewdb/AuthType.java
@@ -39,6 +39,21 @@ public enum AuthType {
   */
  HTTP_LDAP,

+  /**
+   * Login via client SSL certificate.
+   * <p>
+   * This authentication type is actually kind of SSO. Gerrit will configure
+   * Jetty's SSL channel to request client's SSL certificate. For this
+   * authentication to work a Gerrit administrator has to import the root
+   * certificate of the trust chain used to issue the client's certificate
+   * into the <review-site>/etc/keystore.
+   * <p>
+   * After the authentication is done Gerrit will obtain basic user
+   * registration (name and email) from LDAP, and some group memberships.
+   * Therefore, the "_LDAP" suffix in the name of this authentication type.
+   */
+  CLIENT_SSL_CERT_LDAP,
+
  /**
   * Login collects username and password through a web form, and binds to LDAP.
   * <p>