users@glassfish.java.net

Re: WSIT security mechanisms help needed, please!

From: <glassfish_at_javadesktop.org>
Date: Tue, 09 Oct 2007 01:38:14 PDT

We do allow custom certificate authentication where you can check if the certificate belongs to someone authorized to perform the operation.

1. The current option in GlassFish is to access the cert of the client within the EndPoint Implementation and do the authorization checks.
2. We do support a custom certificate Validator when running on Non-GlassFish containers.
3. For GlassFish and other containers in the future, we are currently implementing a Token PostValidation hook that allows developers to specify a JSR 196 Authentication Module where the developers can do additional checks on tokens/certificates besides the default trusted CA validation.

Alternatively you can use Username Authentication with Symmetric keys as well if that works for you. Again in that profile the client is implicitly trusting the server (because it would need to have the server's cert in its client truststore, this cert would be used to encrypt information for the server).

Thanks.
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]

http://forums.java.net/jive/thread.jspa?messageID=239068
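
Option 1 in the message above (authorizing the client certificate inside the endpoint implementation, on top of the default trusted-CA validation) could look like the following added example, which is not part of the original message or of the GlassFish/WSIT code. It assumes Java 17 or later, that the security runtime exposes the requester's certificate among the `Subject`'s public credentials, and a hypothetical `ClientCertAuthorizer` class holding a per-operation fingerprint allowlist.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

/** Added illustration: per-operation authorization of an already CA-validated client certificate. */
public final class ClientCertAuthorizer {
    // Hypothetical policy: operation name -> SHA-256 fingerprints (lowercase hex) of permitted client certs.
    private final Map<String, Set<String>> allowedByOperation;

    public ClientCertAuthorizer(Map<String, Set<String>> allowedByOperation) {
        this.allowedByOperation = Map.copyOf(allowedByOperation);
    }

    /**
     * Assumption: the security runtime has placed the requester's certificate
     * among the Subject's public credentials before the endpoint method runs.
     */
    public boolean isAuthorized(Subject requester, String operation) {
        if (requester == null) return false;                      // no identity: fail closed
        Set<String> allowed = allowedByOperation.get(operation);
        if (allowed == null || allowed.isEmpty()) return false;   // unknown operation: deny
        for (X509Certificate cert : requester.getPublicCredentials(X509Certificate.class)) {
            try {
                cert.checkValidity();                             // rejects expired or not-yet-valid certs
                if (allowed.contains(fingerprint(cert))) return true;
            } catch (Exception e) {
                // Any validity or encoding failure means this certificate grants nothing.
            }
        }
        return false;
    }

    // Pin on the full DER encoding rather than the subject DN, which another trusted CA could also issue.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.of().formatHex(digest);
    }
}
```

The endpoint method would call `isAuthorized` before doing any work and reject the request when it returns `false`.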