Current File(s): conf/c14n/subject-c14n.properties, conf/c14n/subject-c14n.xml
Format: Properties, Native Spring
Overview
The “x500” post-login subject c14n method extracts a username from a Java Subject that contains either a single X509Certificate object in the public credentials set or a single X500Principal in the Principal set. It is primarily designed to work in conjunction with the X509 or X509Internal login flows (i.e., certificate-based authentication).
Configuration
Method Settings
Use conf/c14n/subject-c14n.properties to configure this method.
If your system has been upgraded, you may continue to use conf/c14n/x500-subject-c14n-config.xml as before, or you may remove it, while ensuring the new properties are being loaded.
The regular expression replacement feature is the only one remaining that still requires XML; you may define that bean, if needed, in conf/c14n/subject-c14n.xml.
By default, the subject DN is searched for a "CN" RDN attribute (with OID 2.5.4.3). You can configure alternative attributes to search for, or give preference to subjectAltName extensions (if an X509Certificate is present).
By default, the only transform applied to the result is a trim of leading or trailing whitespace. Case-folding and regular expression replacements can be added, per the reference section below.
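To make the selection and extraction rules above concrete, here is an added Java illustration (not the IdP's own X500 c14n code): it picks the single X509Certificate from the public credentials or the single X500Principal from the principals, searches the subject DN for the first "CN" RDN, trims it, and optionally lower-cases it. The class and method names, and the sample DN, are constructed for this example.

```java
// Added illustration of the "x500" c14n extraction rule; not Shibboleth IdP code.
// Class, method names and the sample subject are hypothetical/constructed.
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import java.security.cert.X509Certificate;
import java.util.Set;

public final class X500C14nExample {

    /** Apply the "exactly one candidate" rule; null means this method does not apply. */
    static X500Principal selectPrincipal(Subject subject) {
        Set<X509Certificate> certs = subject.getPublicCredentials(X509Certificate.class);
        Set<X500Principal> principals = subject.getPrincipals(X500Principal.class);
        if (certs.size() == 1) {
            // A certificate takes precedence; its subject DN is the input.
            return certs.iterator().next().getSubjectX500Principal();
        }
        if (certs.isEmpty() && principals.size() == 1) {
            return principals.iterator().next();
        }
        return null; // zero or several candidates: leave it to another c14n flow
    }

    /** Find the first RDN of the requested type (default CN, OID 2.5.4.3) and transform it. */
    static String extractName(X500Principal principal, String rdnType, boolean lowercase)
            throws InvalidNameException {
        // RFC 2253 string form parses reliably with LdapName.
        LdapName dn = new LdapName(principal.getName(X500Principal.RFC2253));
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase(rdnType)) {
                String value = String.valueOf(rdn.getValue()).trim(); // default transform
                return lowercase ? value.toLowerCase() : value;       // optional case-folding
            }
        }
        return null; // no such RDN: the method yields no username
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample subject carrying a single X500Principal.
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=JSmith,OU=Staff,O=Example,C=US"));
        X500Principal p = selectPrincipal(subject);
        System.out.println(extractName(p, "CN", false));
        System.out.println(extractName(p, "CN", true));
    }
}
```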
Enabling this Method
It is possible to configure two instances of this method at the same time with different settings. The default instance is configured with a set of global properties, so defining a second instance of it with different settings requires adding a bean to conf/c14n/subject-c14n.xml. This bean can be defined at the top level of the file and needs a unique ID to reference in the login flow property example above. It does not have to carry the “c14n/” prefix but this is useful for clarity.
As an example, to define a second instance with a rule to lower case the input (without applying that same rule to the default instance of course):
<bean id="c14n/x500-lower" parent="c14n/x500" p:lowercase="true" />
That then allows you to reference “c14n/x500-lower” in a login flow’s property as above.