Package org.apache.solr.security.cert

Class PathBasedCertPrincipalResolver

java.lang.Object

org.apache.solr.security.cert.PathBasedCertResolverBase

org.apache.solr.security.cert.PathBasedCertPrincipalResolver

All Implemented Interfaces:

CertPrincipalResolver

public class PathBasedCertPrincipalResolver
extends PathBasedCertResolverBase
implements CertPrincipalResolver

Implements a CertPrincipalResolver that resolves a Principal from an X509 certificate based on configurable paths, filters, and optional extraction patterns. This resolver can extract principal information from various certificate fields, such as Subject DN or SAN fields, according to the specified path. Additionally, it can further refine the extracted value based on optional "after" and "before" patterns, allowing for more precise control over the principal value.

Example configuration without extraction pattern:

 "principalResolver": {
   "class":"solr.PathBasedCertPrincipalResolver",
   "params": {
     "path":"SAN.email",
     "filter":{
       "checkType":"startsWith",
       "values":["user@example"]
     }
   }
 }
 

In this configuration, the resolver is directed to extract email addresses from the SAN (Subject Alternative Name) field of the certificate and use them as principal names if they match the specified filter criteria.

Example configuration with extraction pattern:

 "principalResolver": {
   "class":"solr.PathBasedCertPrincipalResolver",
   "params": {
     "path":"SAN.email",
     "filter":{
       "checkType":"startsWith",
       "values":["email_user1@example"]
     },
     "extract": {
       "after":"_",
       "before":"@"
     }
   }
 }
 

In this extended configuration, after extracting email addresses that match the filter criteria, the resolver further processes the extracted value to include only the portion after the "_" symbol and before "@". This allows for extracting specific parts of the principal value, providing additional flexibility and control.

Constructor Summary

Constructors

Constructor	Description
PathBasedCertPrincipalResolver(Map<String,Object> params)	Constructs a new PathBasedCertPrincipalResolver with the specified configuration parameters.

Method Summary

Modifier and Type	Method	Description
Principal	resolvePrincipal(X509Certificate certificate)	Resolves the principal from the given X509 certificate based on the configured path and filter.

Methods inherited from class org.apache.solr.security.cert.PathBasedCertResolverBase

createCertResolverPattern, getValuesFromPaths

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

PathBasedCertPrincipalResolver

public PathBasedCertPrincipalResolver(Map<String,Object> params)

Constructs a new PathBasedCertPrincipalResolver with the specified configuration parameters.

Parameters:

params - The configuration parameters specifying the path and filter for extracting principal information from certificates.

Method Details

resolvePrincipal

public Principal resolvePrincipal(X509Certificate certificate)
                           throws SSLPeerUnverifiedException,
CertificateParsingException

Resolves the principal from the given X509 certificate based on the configured path and filter. The first matching value, if any, is used as the principal name.

Specified by:

resolvePrincipal in interface CertPrincipalResolver

Parameters:

certificate - The X509Certificate from which to resolve the principal.

Returns:

A Principal object representing the resolved principal from the certificate.

Throws:

SSLPeerUnverifiedException - If the SSL peer is not verified.

CertificateParsingException - If parsing the certificate fails.