users@glassfish.java.net

Re: CLIENT-CERT AUTHENTICATION

From: Evaristo José Camarero <evaristojosec_at_yahoo.es>
Date: Tue, 30 Oct 2007 14:51:05 +0100 (CET)

Hi:

Of course, my intention is to match a certificate DN against a database, because otherwise I am not authenticating (OK, I know that the certificate is just trusted, but I want to know who the user that owns the certificate is, just to provide a personalized service).

Regards,

Evaristo

--- V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM> wrote:

> Evaristo José Camarero wrote:
>
> >Hi again:
> >
> >Thanks for the explanations.
> >
> >But I have still some questions.
> >
> >If the certificate realm only contains groups of users, and does not
> >contain users, how can the server authenticate a user?
> >
> When SSL is used, the server authenticates the client cert for validity
> and ensures that the client cert is a trusted cert.
>
> >Is it possible to get users from other realms even when using the
> >certificate realm?
> >
> >How is the authentication done? Is the DN of the certificate matched
> >against the user id?
> >
> >Thanks in advance for your support.
> >
> If I understand correctly you would want to match the DN of the cert
> with some user-list stored somewhere, is that correct?
>
> Thanks,
> kumar
>
> >Regards,
> >
> >Evaristo
> >
> >--- V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM> wrote:
> >
> >>Hi,
> >>
> >>Evaristo José Camarero wrote:
> >>
> >>>Hi all:
> >>>
> >>>I would like to configure client-cert authentication in Glassfish to
> >>>authenticate some resources of my web application.
> >>>
> >>For client cert authentication you need to set the <auth-method>
> >>subelement of the <login-config> element to CLIENT-CERT in your
> >>web.xml. You also need to set the <transport-guarantee> element to
> >>CONFIDENTIAL. (See sample below)
> >>
> >> <security-constraint>
> >>   <web-resource-collection>
> >>     <web-resource-name>Secure Area</web-resource-name>
> >>     <url-pattern>/HelloServletService/HelloServlet</url-pattern>
> >>     <http-method>POST</http-method>
> >>   </web-resource-collection>
> >>   <auth-constraint>
> >>     <role-name>EMPLOYEE</role-name>
> >>   </auth-constraint>
> >>   <user-data-constraint>
> >>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >>   </user-data-constraint>
> >> </security-constraint>
> >> <login-config>
> >>   <auth-method>CLIENT-CERT</auth-method>
> >>   <realm-name>certificate</realm-name>
> >> </login-config>
> >>
> >>>I have seen that Glassfish provides a certificate realm, and I guess
> >>>you need to include all the valid certs there. Is that right? If that
> >>>is the case, you need to have all the client-certs, that probably have
> >>>been issued by an external CA.
> >>>
> >>This is not true, you never need to include all valid client certs ....
> >>
> >>The GF certificate realm serves to assign groups to the user after
> >>successful authentication. The groups to be assigned are picked up from
> >>the assign-groups attribute of certificate realm configuration in
> >>domain.xml.
> >>
> >>When using SSL the authentication of the client cert happens in the SSL
> >>Layer.
> >>
> >>>In my opinion the right approach is assuming that a certificate is
> >>>signed by a trusted CA, get data from certificate DN, and match the
> >>>data against a database (file, ldap server...).
> >>>
> >>>This approach assumes that certificates are handled by an external
> >>>entity, including certificate renewal... So, is it possible to
> >>>configure Glassfish to work in this way (e.g. Tomcat is able to do
> >>>this)?
> >>>
> >>Yes, in GlassFish by default the trusted CA certs are stored in
> >>cacerts.jks file under domain-dir/config and you do not need to store
> >>certs of individual clients.
> >>
> >>Thanks.
> >>
>
=== message truncated ===
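Putting the approach discussed in this thread into code, as an added example that is not part of the original thread or of GlassFish itself: a servlet behind the CLIENT-CERT constraint reads the certificate chain the container exposes after SSL validation and maps the subject DN to a user table standing in for the file or LDAP store. The servlet name, the user map and the sample DN are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical servlet behind the CLIENT-CERT constraint: maps the cert's subject DN to a user. */
public class DnLookupServlet extends HttpServlet {

    // Constructed stand-in for the user store (file, LDAP server, ...). Keyed by the canonical
    // DN form so spacing/case differences between stored and presented DNs do not break lookups.
    private static final Map<String, String> USERS_BY_DN = new HashMap<>();
    static {
        register("CN=Alice Example, OU=Staff, O=Example Corp, C=ES", "alice"); // sample entry
    }

    static void register(String dn, String userId) {
        USERS_BY_DN.put(new X500Principal(dn).getName(X500Principal.CANONICAL), userId);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container sets this attribute only after the SSL layer has validated the chain
        // against the trusted CAs (cacerts.jks); it is absent when no client cert was presented.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        // chain[0] is the end-entity certificate; the CA certs that follow are not the user.
        X500Principal subject = chain[0].getSubjectX500Principal();
        String userId = USERS_BY_DN.get(subject.getName(X500Principal.CANONICAL));
        if (userId == null) {
            // Issued by a trusted CA, but not a subject we know: refuse rather than guess.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "unknown certificate subject");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + userId + " (" + subject.getName() + ")");
    }
}
```

The realm's assign-groups still supplies the EMPLOYEE role that the security constraint checks; this servlet only adds the per-user identification on top of the trust decision the SSL layer already made.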