users@glassfish.java.net

Re: CLIENT-CERT AUTHENTICATION

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Tue, 30 Oct 2007 17:59:50 +0530

Evaristo José Camarero wrote:

>Hi again:
>
>Thanks for the explanations.
>
>But I have still some questions.
>
>If the certificate realm only contains groups of
>users, and does not contain users, how can the server
>authenticate a user?
>
When SSL is used, the server authenticates the client cert for validity
and ensures that the client cert is a trusted cert.

>Is it possible to get users from
>other realms even when using certificate realm?
>
>How is the authentication done? Is the DN of the
>certificate matched against the user id?
>
>Thanks in advance for your support.
>
>
>
If I understand correctly, you would want to match the DN of the cert
with some user list stored somewhere. Is that correct?

Thanks,
kumar

>Regards,
>
>Evaristo
>
>
>
>--- V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
>wrote:
>
>>Hi,
>>
>>Evaristo José Camarero wrote:
>>
>>>Hi all:
>>>
>>>I would like to configure client-cert authentication in Glassfish to
>>>authenticate some resources of my web application.
>>>
>>For client cert authentication you need to set the <auth-method>
>>subelement of the <login-config> element to CLIENT-CERT in your
>>web.xml. You also need to set the <transport-guarantee> element to
>>CONFIDENTIAL. (See sample below)
>>
>>  <security-constraint>
>>    <web-resource-collection>
>>      <web-resource-name>Secure Area</web-resource-name>
>>      <url-pattern>/HelloServletService/HelloServlet</url-pattern>
>>      <!-- the constraint covers only the listed methods; omit
>>           <http-method> entirely to cover every method -->
>>      <http-method>POST</http-method>
>>    </web-resource-collection>
>>    <auth-constraint>
>>      <role-name>EMPLOYEE</role-name>
>>    </auth-constraint>
>>    <user-data-constraint>
>>      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>    </user-data-constraint>
>>  </security-constraint>
>>  <login-config>
>>    <auth-method>CLIENT-CERT</auth-method>
>>    <realm-name>certificate</realm-name>
>>  </login-config>
>>
>>>I have seen that Glassfish provides a certificate realm, and I guess
>>>you need to include all the valid certs there. Is that right? If that
>>>is the case, you need to have all the client-certs, that probably have
>>>been issued by an external CA.
>>>
>>This is not true, you never need to include all valid client certs ....
>>
>>The GF certificate realm serves to assign groups to the user after
>>successful authentication. The groups to be assigned are picked up from
>>the assign-groups attribute of certificate realm configuration in
>>domain.xml.
>>
>>When using SSL the authentication of the client cert happens in the SSL
>>layer.
>>
>>>In my opinion the right approach is assuming that a certificate is
>>>signed by a trusted CA, get data from the certificate DN, and match the
>>>data against a database (file, ldap server...).
>>>
>>>This approach assumes that certificates are handled by an external
>>>entity, including certificate renewal... So, is it possible to
>>>configure Glassfish to work in this way (e.g. Tomcat is able to do
>>>this)?
>>>
>>Yes, in GlassFish by default the trusted CA certs are stored in
>>cacerts.jks file under domain-dir/config and you do not need to store
>>certs of individual clients.
>>
>>Thanks.
>>
>>>______________________________________________
>>>Ask, Answer, Discover.
>>>Share your tips and opinions with the users of Yahoo! Respuestas
>>>http://es.answers.yahoo.com/info/welcome
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>
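Added example, not code from this thread or from GlassFish: the "match the DN of the cert against a user list" step that Evaristo asks about and Kumar paraphrases, done over the parsed DN rather than the raw string. It assumes, as Kumar describes, that the SSL layer has already validated the client cert against the trusted CAs and that the application only receives the Subject DN as a string; the user table, the DN strings and the naive_is_admin helper are constructed for illustration and are not part of any GlassFish API.

```python
"""Map a validated client cert's Subject DN to an application user and groups.
Added example, not GlassFish code: the SSL layer is assumed to have already
checked the cert against the trusted CAs; this is only the DN-to-user step."""
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]
HEX = "0123456789abcdefABCDEF"
# Attribute-type spellings folded to one canonical name, so a DN rendered with
# OIDs (as some toolkits do) matches the same entry as the short form.
ATTR_ALIASES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "EMAILADDRESS", "E": "EMAILADDRESS",
}

def _is_hex_pair(s: str) -> bool:
    return len(s) == 2 and s[0] in HEX and s[1] in HEX

def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 4514 string DN into ordered (type, value) pairs: handles
    backslash escapes, \\XX hex escapes (decoded as UTF-8), quoted values and
    '+'-joined multi-valued RDNs. Raises ValueError on malformed input."""
    pairs: List[RDN] = []
    buf: List[str] = []
    key: Optional[str] = None
    quoted = False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            if _is_hex_pair(dn[i + 1:i + 3]):
                raw = bytearray()  # consecutive \XX pairs form one UTF-8 sequence
                while i < n and dn[i] == "\\" and _is_hex_pair(dn[i + 1:i + 3]):
                    raw.append(int(dn[i + 1:i + 3], 16))
                    i += 3
                buf.append(raw.decode("utf-8"))  # UnicodeDecodeError is a ValueError
            elif i + 1 < n:
                buf.append(dn[i + 1])  # escaped separator or quote, taken literally
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if ch == '"':
            quoted = not quoted  # separators inside quotes are literal
        elif key is None and ch == "=":
            key = "".join(buf).strip()
            if not key:
                raise ValueError("empty attribute type at offset %d" % i)
            buf = []
        elif key is not None and not quoted and ch in ",;+":
            pairs.append((key, "".join(buf)))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in DN")
    if key is None:
        if "".join(buf).strip():
            raise ValueError("RDN without '=': %r" % "".join(buf))
        return pairs
    pairs.append((key, "".join(buf)))
    return pairs

def normalize_dn(pairs: List[RDN]) -> Tuple[RDN, ...]:
    """Canonical, hashable form: alias the types, case-fold the values and drop
    insignificant whitespace (RFC 4518 style) so renderings do not differ."""
    out = []
    for k, v in pairs:
        k = k.strip().upper()
        out.append((ATTR_ALIASES.get(k, k), " ".join(v.split()).casefold()))
    return tuple(out)

# Constructed sample user list, keyed by the normalized DN rather than the raw
# string; in a deployment this would be a file or an LDAP lookup.
USER_TABLE: Dict[Tuple[RDN, ...], Dict] = {
    normalize_dn(parse_dn("CN=Evaristo Camarero,OU=Dev,O=Example Corp,C=ES")):
        {"uid": "ecamarero", "groups": ["EMPLOYEE"]},
    normalize_dn(parse_dn("CN=Alice Admin,OU=Admins,O=Example Corp,C=ES")):
        {"uid": "aadmin", "groups": ["EMPLOYEE", "ADMIN"]},
}

def lookup_user(subject_dn: str) -> Optional[Dict]:
    """Resolve the Subject DN of an already-validated client cert to a user
    record; None (no access) if it is malformed or not in the list."""
    try:
        key = normalize_dn(parse_dn(subject_dn))
    except ValueError:
        return None
    return USER_TABLE.get(key)

def groups_for(subject_dn: str) -> List[str]:
    """Groups to assign after authentication; empty for unknown subjects."""
    user = lookup_user(subject_dn)
    return list(user["groups"]) if user else []

def naive_is_admin(subject_dn: str) -> bool:
    """What NOT to do: a substring test on the raw DN string. A subscriber who
    can choose their CN gets CN="Mallory, OU=Admins" past it, although that DN
    has no OU=Admins RDN at all."""
    return "OU=Admins" in subject_dn
```

The point of keying the list on normalize_dn(parse_dn(...)) rather than on the string is that the same subject can be rendered several ways (OIDs versus short names, "CN=a, O=b" versus "CN=a,O=b", differing case), and that a CN such as "Mallory\, OU=Admins" must not be mistaken for an RDN it merely contains. Whatever the trusted CA lets subscribers put into their CN is attacker-controlled input to this lookup; the structured match sends it to "unknown user", while a raw substring or regex check does not.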