users@glassfish.java.net

Re: CLIENT-CERT AUTHENTICATION

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Mon, 05 Nov 2007 12:35:29 +0530

Hi,

Evaristo José Camarero wrote:

>Some help, or some doc that I can check...
>
It should be possible for you to write a custom JSR 196 Authentication
Module where you can do any kind of custom checks. We will try to get a
detailed blog out on this soon.

Thanks.

>Regards,
>
>EVaristo
>
>--- Evaristo José Camarero <evaristojosec_at_yahoo.es>
>wrote:
>
>>Hi:
>>
>>Of course, my intention it is to match a DN
>>certificate against a database, because otherwise
>>then I am not authenticating (OK I know that the
>>certificate is just trusted, but I want to know who
>>is the user that owns the certificate, just to provide
>>a personalized service).
>>
>>Regards,
>>
>>Evaristo
>>
>>--- V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
>>wrote:
>>
>>>Evaristo José Camarero wrote:
>>>
>>>>Hi again:
>>>>
>>>>Thanks for the explanations.
>>>>
>>>>But I have still some questions.
>>>>
>>>>If the certificate realm only contains groups of
>>>>users, and does not contain users, how can the
>>>>server authenticate a user?
>>>>
>>>When SSL is used, the server authenticates the
>>>Client Cert for validity and ensures that the
>>>client cert is a Trusted Cert.
>>>
>>>>Is it possible to get users from
>>>>other realms even when using certificate realm?
>>>>
>>>>How is the authentication done? Is it matched the
>>>>DN of the certificate against the user id?
>>>>
>>>>Thanks in advance for your support.
>>>>
>>>If I understand correctly you would want to match
>>>the DN of the Cert with some user-list stored
>>>somewhere, is that correct?
>>>
>>>Thanks,
>>>kumar
>>>
>>>>Regards,
>>>>
>>>>Evaristo
>>>>
>>>>--- V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
>>>>wrote:
>>>>
>>>>>Hi,
>>>>>
>>>>>Evaristo José Camarero wrote:
>>>>>
>>>>>>Hi all:
>>>>>>
>>>>>>I would like to configure client-cert authentication
>>>>>>in Glassfish to authenticate some resources of my
>>>>>>web application.
>>>>>>
>>>>>For client cert authentication you need to set the
>>>>>|<auth-method>| subelement of the |<login-config>|
>>>>>element to |CLIENT-CERT| in your web.xml. You also
>>>>>need to set the |<transport-guarantee>| element to
>>>>>|CONFIDENTIAL|. (See sample below)
>>>>>
>>>>><security-constraint>
>>>>>  <web-resource-collection>
>>>>>    <web-resource-name>Secure Area</web-resource-name>
>>>>>    <url-pattern>/HelloServletService/HelloServlet</url-pattern>
>>>>>    <http-method>POST</http-method>
>>>>>  </web-resource-collection>
>>>>>  <auth-constraint>
>>>>>    <role-name>EMPLOYEE</role-name>
>>>>>  </auth-constraint>
>>>>>  <user-data-constraint>
>>>>>    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>>  </user-data-constraint>
>>>>></security-constraint>
>>>>><login-config>
>>>>>  <auth-method>CLIENT-CERT</auth-method>
>>>>>  <realm-name>certificate</realm-name>
>>>>></login-config>
>>>>>
>>>>>>I have seen that Glassfish provides a certificate
>>>>>>realm, and I guess you need to include all the valid
>>>>>>certs there. Is that right? If that is the case, you
>>>>>>need to have all the client-certs, that probably have
>>>>>>been issued by an external CA.
>>>>>>
>>>>>This is not true, you never need to include all
>>>>>valid client certs ....
>>>>>
>>>>>The GF certificate realm serves to assign groups to
>>>>>the user after successful authentication. The groups
>>>>>to be assigned are picked up from the assign-groups
>>>>>attribute of certificate realm configuration in
>>>>>domain.xml.
>>>>>
>>>>>When using SSL the authentication of the client
>>>>>cert happens in the SSL Layer.
>>>>>
>>>>>>In my opinion the right approach is assuming that a
>>>>>>certificate is signed by a trusted CA, get data from
>>>>>>certificate DN, and match the data against a database
>>>>>>(file, ldap server...).
>>>>>>
>>>>>>This approach assumes that
>>>>>>certificates are handled by an external entity,
>>>>>>including certification renovation... So, is it
>>>>>>possible to configure Glassfish to work in this
>>>>>>
>=== message truncated ===
>
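The thread ends with Kumar's suggestion of a custom JSR 196 Authentication Module for the DN-to-user mapping Evaristo asked for. The class below is an added illustration of that idea, written for this page; it is not code from the thread, from GlassFish or from Sun. It assumes the standard JSR 196 `javax.security.auth.message` API, the class name `DnMappingServerAuthModule`, and a constructed in-memory map standing in for the database or LDAP lookup; how the module is registered with the server (in GlassFish, a provider-config in domain.xml bound from the application's deployment descriptor) is not shown. It relies on exactly the division of labour described above: the SSL layer has already checked validity and trust, so the module only decides which application user the trusted certificate belongs to and which groups that user gets.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical JSR 196 ServerAuthModule: maps the subject DN of a client certificate that the
// SSL layer has already validated and trusted to an application user and its groups.
// Certificate trust and validity are deliberately not re-checked here.
public class DnMappingServerAuthModule implements ServerAuthModule {

    // Request attribute under which the servlet container exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Constructed stand-in for the database / LDAP lookup discussed in the thread.
    private static final Map<X500Principal, String> USER_BY_DN = new HashMap<X500Principal, String>();
    private static final Map<String, String[]> GROUPS_BY_USER = new HashMap<String, String[]>();
    static {
        USER_BY_DN.put(new X500Principal("CN=alice,OU=Engineering,O=Example Corp,C=ES"), "alice");
        USER_BY_DN.put(new X500Principal("CN=bob,OU=Contractors,O=Example Corp,C=ES"), "bob");
        GROUPS_BY_USER.put("alice", new String[] { "EMPLOYEE" });
        GROUPS_BY_USER.put("bob", new String[] { "CONTRACTOR" });
    }

    private CallbackHandler handler;

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;   // container-supplied; used to publish the caller identity
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // No client certificate on this request (e.g. SSL client auth not negotiated).
            return fail(response, HttpServletResponse.SC_UNAUTHORIZED);
        }

        // chain[0] is the end-entity certificate; the remaining entries are its issuers.
        String user = lookup(chain[0].getSubjectX500Principal());
        if (user == null) {
            // Trusted by the CA, but not an application user: refuse rather than guess.
            return fail(response, HttpServletResponse.SC_FORBIDDEN);
        }

        try {
            // Publish caller and groups to the container, which then enforces the
            // <auth-constraint> roles declared in web.xml.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, user),
                new GroupPrincipalCallback(clientSubject, GROUPS_BY_USER.get(user)) });
        } catch (Exception e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;   // nothing to add to the response
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }

    // Key the lookup on X500Principal rather than on the DN string: equals() compares the
    // canonical form, so attribute order, case and escaping differences do not matter.
    static String lookup(X500Principal subjectDn) {
        return USER_BY_DN.get(subjectDn);
    }

    private static AuthStatus fail(HttpServletResponse response, int status) throws AuthException {
        try { response.sendError(status); } catch (IOException e) { throw new AuthException(e.getMessage()); }
        return AuthStatus.SEND_FAILURE;
    }
}
```

Two points worth checking when adapting this: the certificate chain attribute is only populated when the connector negotiated SSL client authentication, which is why the web.xml sample's `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` matters, and a certificate that is trusted but absent from the user store is refused with 403 rather than mapped to a default identity. The groups handed over through `GroupPrincipalCallback` play the part that the certificate realm's `assign-groups` attribute plays in the realm-based setup: they are the groups the application's group-to-role mapping turns into roles such as `EMPLOYEE`.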