users@glassfish.java.net

Re: CLIENT-CERT AUTHENTICATION

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Tue, 30 Oct 2007 14:11:15 +0530

Hi,

 
Evaristo José Camarero wrote:

>Hi all:
>
>I would like to configure client-cert authentication
>in Glassfish to authenticate some resources of my web
>application.
>
>
>
For client cert authentication you need to set the |<auth-method>|
subelement of the |<login-config>| element to |CLIENT-CERT| in your
web.xml. You also need to set the |<transport-guarantee>| element to
|CONFIDENTIAL|. (See sample below)

 <security-constraint>
     <web-resource-collection>
       <web-resource-name>Secure Area</web-resource-name>
       <url-pattern>/HelloServletService/HelloServlet
       </url-pattern>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       </role-name>EMPLOYEE</role-name>
     </auth-constraint>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
     <realm-name>certificate</realm-name>
   </login-config>


>I have seen that Glassfish provides a certifite realm,
>and I guess you need to include all the valid certs
>there. Is that right? If that is the case, you need to
>have all the client-certs, that probably have been
>issued by an external CA.
>
>
>
This is not true, you never need to include all valid client certs ....

The GF certificate realm serves to assign groups to the user after
successful authentication. The groups to be assigned are picked up from
the assign-groups attribute of certificate realm configuration in
domain.xml.

When using SSL the authentication of the client cert happens in the SSL
Layer.

>In my opinion the right approach is assuming that a
>certificate is signed by a trusted CA, get data from
>certificate DN, and match the data against a database
>(file, ldap server...).
>
> This approach assumes that
>certificates are handled by an external entity,
>including certification renovation... So, is it
>possible to configure Glassfish to work in this way
>(e.g. Tomcat is able to do this)?.
>
>
Yes, in GlassFish by default the trusted CA certs are stored in
cacerts.jks file under domain-dir/config and you do not need to store
certs of individual clients.

Thanks.

>
>
>
>______________________________________________
>Pregunta, Responde, Descubre.
>Comparte tus consejos y opiniones con los usuarios de Yahoo! Respuestas
>http://es.answers.yahoo.com/info/welcome
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
>
>
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.