I am creating a Vaadin web application that requires users to authenticate via login and password. I would like to know if it is possible to add CAC authentication as another means of authentication.
In summary, my goal is to allow access to the website if the user is already authenticated with their CAC, or to require standard login (name/password) if the user is not CAC authenticated.
By searching and googling around I have found Java PKCS#11, but it looks like it is a library for desktop integration.
Also I have seen this post and this post, which look similar to my situation but actually are not. The first one talks about requiring a certificate for the whole web application by configuring a web server. The second one presents Java PKCS#11 as a desktop solution.
Again, what I wish to have is a "parallel" login: if the browser sends a CAC certificate to the server, the server should not require standard login; otherwise it should. Is it possible? Also, if the CAC certificate is sent to the server, is there a way to retrieve data about this CAC, like the owner's name?
In a correctly configured servlet container you can use this to read the client certificate (if any exists):

    import java.security.cert.X509Certificate;
    import javax.servlet.http.HttpServletRequest;

    // Reads the client certificate chain the container stored on the request
    // after a TLS handshake in which the browser presented a certificate.
    static void logClientCertificates(HttpServletRequest req) {
        // The cipher-suite attribute is only set when the request arrived over TLS.
        String cipherSuite = (String) req.getAttribute("javax.servlet.request.cipher_suite");
        if (cipherSuite != null) {
            X509Certificate[] certChain =
                    (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            if (certChain != null) {
                for (int i = 0; i < certChain.length; i++) {
                    System.out.println("Client Certificate [" + i + "] = " + certChain[i].toString());
                }
            }
        }
    }
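As an added example (not part of the answer above), the same attribute can drive the "parallel" login the question asks for: a servlet filter placed before the Vaadin servlet reads the container-verified certificate, pulls the holder's CN out of the subject DN, and marks the session as authenticated so the name/password form is only shown when no certificate was presented. It assumes the Servlet 4.0 `javax.servlet` API (where `Filter.init`/`destroy` have defaults), a container configured to request but not require client certificates, and the session attribute name `cac.authenticated.user`, which is chosen here; the sample DN in the comment is constructed.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter mapped in front of the Vaadin servlet. When the container has already
// verified a client certificate (TLS with client auth set to "want", so non-CAC users still
// connect), it records the card holder in the session so the UI can skip the password form.
public class CacLoginFilter implements Filter {
    // Session attribute the login view checks (name chosen for this example).
    public static final String USER_ATTR = "cac.authenticated.user";
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(true);
        if (session.getAttribute(USER_ATTR) == null) {
            // Trust only the attribute the container set after the TLS handshake, never a
            // client-supplied header: a browser can forge headers but not the handshake.
            X509Certificate[] certChain = (X509Certificate[])
                    req.getAttribute("javax.servlet.request.X509Certificate");
            if (certChain != null && certChain.length > 0) {
                String cn = commonName(certChain[0]); // [0] is the end-entity (card) certificate
                if (cn != null) session.setAttribute(USER_ATTR, cn);
            }
        }
        chain.doFilter(request, response); // no certificate: fall through to name/password login
    }

    // Pulls the CN out of the subject DN, e.g. a constructed "CN=DOE.JOHN.1234567890,O=...,C=US".
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // unparsable subject: treat as no CAC login rather than failing the request
        }
        return null;
    }
}
```

The login view then checks the session attribute and only renders the form when it is absent; the container, not this filter, is what validates the certificate chain against the trusted CA store.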