Interface MutualTlsCertificateValidator

  • All Known Implementing Classes:
    SpiffeCertificateValidator

    public interface MutualTlsCertificateValidator
Interface for certificate validation and authorization in mTLS authenticators. Implement it to supply the logic that extracts a custom identity from a client certificate, so that each certificate can be uniquely identified, and to supply custom authorization logic for authenticating clients by their certificates during mTLS connections.
    • Method Summary

      java.lang.String identity(java.security.cert.Certificate[] clientCertificateChain)
          Extracts an identity from the client certificate chain for mTLS authentication.
      boolean isValidCertificate(java.security.cert.Certificate[] clientCertificateChain)
          Performs any checks on the certificate chain before the authorization check that grants the client access during an mTLS connection.
    • Method Detail

      • isValidCertificate

        boolean isValidCertificate(java.security.cert.Certificate[] clientCertificateChain)
        Perform any checks on the certificate chain before the authorization check that grants the client access during an mTLS connection. For example:
          - verifying CA information
          - checking CN information
          - validating issuer information
          - checking organization information, etc.
        Parameters:
        clientCertificateChain - client certificate chain
        Returns:
        true if the certificate is valid, false otherwise
      • identity

        java.lang.String identity(java.security.cert.Certificate[] clientCertificateChain)
                           throws AuthenticationException
        This method should provide the logic to extract an identity from a certificate to perform mTLS authentication. Examples of an identity:
          - an identifier in the SAN of the certificate, such as a SPIFFE ID
          - the CN of the certificate
          - any other fields of the certificate, combined and used as the certificate's identifier
        Parameters:
        clientCertificateChain - client certificate chain
        Returns:
        identifier extracted from certificate
        Throws:
        AuthenticationException - when identity cannot be extracted
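A sample implementation of both methods, added here as an example and not taken from the project or its SpiffeCertificateValidator: isValidCertificate validates the presented chain against a single trust anchor with PKIX path validation, and identity returns the SPIFFE URI SAN that lies within a configured trust domain. The class name TrustDomainCertificateValidator, its placement in the same package as the interface and AuthenticationException (whose package the page does not state), and an AuthenticationException(String) constructor are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
// Added example, not the project's SpiffeCertificateValidator. Assumed to sit in the same
// package as MutualTlsCertificateValidator and AuthenticationException (package not given on
// the page), and that AuthenticationException has a String constructor.
public class TrustDomainCertificateValidator implements MutualTlsCertificateValidator {
    private static final int SAN_URI = 6; // GeneralName tag: uniformResourceIdentifier
    private final Set<TrustAnchor> anchors;
    private final String trustDomainPrefix;
    public TrustDomainCertificateValidator(X509Certificate caCert, String trustDomain) {
        this.anchors = Collections.singleton(new TrustAnchor(caCert, null));
        this.trustDomainPrefix = "spiffe://" + trustDomain + "/";
    }

    @Override
    public boolean isValidCertificate(Certificate[] clientCertificateChain) {
        if (clientCertificateChain == null || clientCertificateChain.length == 0) {
            return false;
        }
        try {
            // PKIX validation checks signatures, validity periods, basic constraints and that
            // the chain (as presented by the client, without the root) ends at our CA.
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(clientCertificateChain));
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // no CRL/OCSP source is configured here
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // untrusted issuer, expired, bad signature, non-X.509 entry, ...
        }
    }
    @Override
    public String identity(Certificate[] clientCertificateChain) throws AuthenticationException {
        // Only a URI SAN inside the configured trust domain is accepted as the identity.
        try {
            X509Certificate leaf = (X509Certificate) clientCertificateChain[0];
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            for (List<?> san : sans == null ? Collections.<List<?>>emptyList() : sans) {
                if ((Integer) san.get(0) == SAN_URI && ((String) san.get(1)).startsWith(trustDomainPrefix)) {
                    return (String) san.get(1);
                }
            }
        } catch (CertificateParsingException | RuntimeException e) {
            throw new AuthenticationException("cannot parse client certificate: " + e);
        }
        throw new AuthenticationException("no SPIFFE ID in trust domain " + trustDomainPrefix);
    }
}
```

Revocation checking is switched off in this example; a production validator should enable it and provide CRL or OCSP sources to the PKIXParameters.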