users@glassfish.java.net

Re: CLIENT-CERT AUTHENTICATION

From: Evaristo José Camarero <evaristojosec_at_yahoo.es>
Date: Tue, 30 Oct 2007 11:44:01 +0100 (CET)

Hi again:

Thanks for the explanations.

But I have still some questions.

If the certificate realm only contains groups of
users, and does not conatin users, How can the server
authenticate a user? Is it possible to get users from
other realms even when using certificate realm?

How is the authentication done? Is it matched the DN
of the certificate against the user id?

Thanks in advance for your support.

Regards,

Evaristo



--- V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
escribió:

> Hi,
>
>
> Evaristo José Camarero wrote:
>
> >Hi all:
> >
> >I would like to configure client-cert
> authentication
> >in Glassfish to authenticate some resources of my
> web
> >application.
> >
> >
> >
> For client cert authentication you need to set the
> |<auth-method>|
> subelement of the |<login-config>| element to
> |CLIENT-CERT| in your
> web.xml. You also need to set the
> |<transport-guarantee>| element to
> |CONFIDENTIAL|. (See sample below)
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Secure
> Area</web-resource-name>
>
> <url-pattern>/HelloServletService/HelloServlet
> </url-pattern>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> </role-name>EMPLOYEE</role-name>
> </auth-constraint>
> <user-data-constraint>
>
>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> <realm-name>certificate</realm-name>
> </login-config>
>
>
> >I have seen that Glassfish provides a certifite
> realm,
> >and I guess you need to include all the valid certs
> >there. Is that right? If that is the case, you need
> to
> >have all the client-certs, that probably have been
> >issued by an external CA.
> >
> >
> >
> This is not true, you never need to include all
> valid client certs ....
>
> The GF certificate realm serves to assign groups to
> the user after
> successful authentication. The groups to be
> assigned are picked up from
> the assign-groups attribute of certificate realm
> configuration in
> domain.xml.
>
> When using SSL the authentication of the client cert
> happens in the SSL
> Layer.
>
> >In my opinion the right approach is assuming that a
> >certificate is signed by a trusted CA, get data
> from
> >certificate DN, and match the data against a
> database
> >(file, ldap server...).
> >
> > This approach assumes that
> >certificates are handled by an external entity,
> >including certification renovation... So, is it
> >possible to configure Glassfish to work in this way
> >(e.g. Tomcat is able to do this)?.
> >
> >
> Yes, in GlassFish by default the trusted CA certs
> are stored in
> cacerts.jks file under domain-dir/config and you do
> not need to store
> certs of individual clients.
>
> Thanks.
>
> >
> >
> >
> >______________________________________________
> >Pregunta, Responde, Descubre.
> >Comparte tus consejos y opiniones con los usuarios
> de Yahoo! Respuestas
> >http://es.answers.yahoo.com/info/welcome
> >
>
>---------------------------------------------------------------------
> >To unsubscribe, e-mail:
> users-unsubscribe_at_glassfish.dev.java.net
> >For additional commands, e-mail:
> users-help_at_glassfish.dev.java.net
> >
> >
> >
>
>



       
______________________________________________
Pregunta, Responde, Descubre.
Comparte tus consejos y opiniones con los usuarios de Yahoo! Respuestas
http://es.answers.yahoo.com/info/welcome