users@glassfish.java.net

Configuring Client Certificate Authentication for a Web Application

From: <glassfish_at_javadesktop.org>
Date: Tue, 15 May 2007 12:35:40 PDT

I am trying to set up client certificate authentication for a web application.

If I understand the FAQ at: https://glassfish.dev.java.net/javaee5/security/faq.html#configcert

correctly, all I need to do is modify my web.xml to include the following entries:

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

and the server will then ask the client for a certificate. I added the above lines to my web.xml and deployed my application.

I tried accessing it via SSL by pointing my browser to http://localhost:8181/myapp

On purpose, I did not import any certificates into the browser, expecting some kind of access denied error. To my surprise, I was able to successfully see the output of index.jsp in my war file.

I am new to security certificates, therefore it is likely I am missing something obvious here. Can someone please point me in the right direction?

Here is my complete web.xml:

[code]
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <security-constraint>
    <web-resource-collection>
      <!-- web-resource-name is required by the web-app_2_5 schema -->
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <!-- No auth-constraint here: this constraint only enforces the transport
         guarantee, so no role check (and therefore no login) is triggered. -->
    <!-- CONFIDENTIAL forces HTTPS; it does not by itself require a client certificate -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>
[/code]

I'm not sure if I should be using a <realm-name> element inside <login-config>; I tried both with and without it, with the same result. The realm name I was using is certificate.

It is worth noting that I am using pretty much all default settings in GlassFish, I just reinstalled it and haven't changed much. I'm not sure if I should be changing anything on the http-listener-2 on the GlassFish web console or if I need to specify the certificate security realm in the web.xml or if I need to do any kind of configuration on this realm.

Any help greatly appreciated.

Eraser
[Message sent by forum member 'eraser' (eraser)]

http://forums.java.net/jive/thread.jspa?messageID=217114
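The question above is whether the server ever asked the browser for a certificate. The quickest way to find out is to run a handshake with `openssl s_client` and look at what it reports after the handshake: a received CertificateRequest shows up as "Acceptable client certificate CA names", "Client Certificate Types" or "Requested Signature Algorithms", while a listener that never asks prints "No client certificate CA names sent". The script below is an added example, not code from the original post or from GlassFish; it parses that s_client output into one of three verdicts, ships constructed sample output so it can be run offline, and can probe a live listener. The host and port are assumptions taken from the URL in the post; the marker strings are those emitted by OpenSSL's s_client.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a TLS server is
# actually asking the client for a certificate, by inspecting what
# `openssl s_client` prints after the handshake. CLIENT-CERT in web.xml only
# tells the container how to authenticate; the certificate request itself is
# made by the TLS listener, so this is the first thing to check when a page
# that should demand a certificate loads without one.
#
# Marker strings are those OpenSSL's s_client emits when it received a
# CertificateRequest. Host and port are assumptions taken from the post's URL.

HOST="${HOST:-localhost}"
PORT="${PORT:-8181}"

# classify_handshake: reads s_client output on stdin and prints one word:
#   requested     - server sent a CertificateRequest (CA names, certificate
#                   types or signature algorithms were listed)
#   not-requested - s_client reported no CA names and none of the other
#                   CertificateRequest markers appeared
#   unknown       - no recognizable marker (handshake failed, or not s_client)
# Order matters: "No client certificate CA names sent" is also printed when a
# CertificateRequest carries an empty CA list, so the positive markers win.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"Acceptable client certificate CA names"*|*"Client Certificate Types"*|*"Requested Signature Algorithms"*)
            echo "requested" ;;
        *"No client certificate CA names sent"*)
            echo "not-requested" ;;
        *)
            echo "unknown" ;;
    esac
}

# probe_server HOST PORT: run the real handshake and classify it.
# stdin is closed so s_client exits right after the handshake instead of
# waiting for application data to send.
probe_server() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        classify_handshake
}

# Constructed sample output (trimmed) for offline use: the first is what a
# listener that requests certificates prints, the second is what a listener
# that never asks for one prints.
SAMPLE_REQUESTED='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Client CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
SSL handshake has read 2731 bytes and written 432 bytes'

SAMPLE_NOT_REQUESTED='---
No client certificate CA names sent
Peer signing digest: SHA256
---
SSL handshake has read 1893 bytes and written 373 bytes'

# demo: classify both samples; returns 0 only if both come out as expected.
demo() {
    r=$(printf '%s\n' "$SAMPLE_REQUESTED" | classify_handshake)
    n=$(printf '%s\n' "$SAMPLE_NOT_REQUESTED" | classify_handshake)
    echo "sample with CertificateRequest:    $r"
    echo "sample without CertificateRequest: $n"
    [ "$r" = "requested" ] && [ "$n" = "not-requested" ]
}

# `sh check-client-cert.sh probe` runs a live handshake against HOST:PORT;
# with no argument it classifies the constructed samples.
case "${1:-demo}" in
    probe) probe_server "$HOST" "$PORT" ;;
    *)     demo ;;
esac
```

If the live probe prints "not-requested", the listener is not configured to ask for client certificates and the web.xml settings never come into play; a browser will simply be served the page over HTTPS, which matches what the post describes. If it prints "requested" but the page still loads without a certificate, the web.xml constraint is not actually requiring authentication for that URL.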