users@glassfish.java.net

Re: question about security-constraint and web service security

From: <Jan.Luehe_at_Sun.COM>
Date: Thu, 02 Aug 2007 10:21:20 -0700

Jan.Luehe_at_Sun.COM wrote:

> Hi Legolas,
>
> Legolas Woodland wrote:
>
>> Thank you for reading my post
>> Can some one please explain me what is differences between using
>> following items in web descriptor and changing the entire htt
>> listener to use ssl?
>> what happens that a listener serve request to this servlet over https
>> and other request over http?
>>
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Secure Area</web-resource-name>
>> <url-pattern>/HelloServletService/HelloServlet
>> </url-pattern>
>> <http-method>POST</http-method>
>> </web-resource-collection>
>> <auth-constraint>
>> </role-name>EMPLOYEE</role-name>
>> </auth-constraint>
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>> </security-constraint>
>> <login-config>
>> <auth-method>CLIENT-CERT</auth-method>
>> <realm-name>certificate</realm-name>
>> </login-config>
>>
>>
>
> When you try to access /HelloServletService/HelloServlet,
> the following will happen:
>
> - If the request has been received over http, the requested transport
> guarantee of "CONFIDENTIAL" will cause the request to be redirected
> to the https listener.
>
> - If the https listener on which the redirected request is received
> does not enforce client authentication (via the "client-auth-enabled"
> attribute of its <ssl> configuration element in domain.xml), the
> container will cause an SSL re-handshake to occur, with client auth
> enabled. This will address the CLIENT-CERT authentication constraint.


Just to clarify the 2nd bullet point: If the https listener already enforces
client auth, there is no need for an SSL *re*-handshake, i.e., the
client will
be asked to authenticate herself during the *initial* SSL handshake.


Jan


>
>> Another question related to this matter is, what does
>> "<realm-name>certificate</realm-name>" do here?
>> how does it works and understand which certification it should use?
>>
>
> The "certificate" realm helps the server decide whether the SSL cert
> chain supplied by the client may be trusted, by validating the chain
> against the server's trust store (of trusted certificates).
>
>
> Jan
>
>
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.