users@glassfish.java.net

Re: Authenticating from application client

From: <glassfish_at_javadesktop.org>
Date: Sun, 11 Nov 2007 13:22:43 PST

Hi, Shri.

The short answer is you are missing one step, but because of a bug in GlassFish even if you did that step GlassFish would still use the default realm.

1. Here is the step you missed...and quite understandably.

The documentation talks - briefly and in a few places - about the sun-acc.xml configuration file in ${domain-directory}/config.

(Normally ${domain-directory} is ${GlassFish-install-root}/domains/<domain-name> unless you specified another directory when you created the domain.)

The sun-acc.xml file contains information that the application client container (ACC) uses to set up the environment in which your client will run. GlassFish creates this file containing default values when you create a new domain. Developers and administrators are encouraged to use it as a template in creating alternate versions for particular purposes. Then you can use the -xml <file> option on the appclient command to tell the ACC to use your customized copy rather than the default file. The Deployment Guide (https://glassfish.dev.java.net/nonav/javaee5/docs/AS91ADG.pdf) shows the layout of all the GlassFish-specific descriptor files, including sun-acc.xml, and provides brief descriptions of each element.

One of the most common reasons to create a customized file is to specify multiple host and port pairs that the client can use to connect to a group of servers that participate in load-balancing and failover.

Another intended customization is which realm to use during authentication.

So, the piece of this that you missed is the customization of the file to specify the non-default realm name. To put it mildly, we did not do a very good job of documenting that you needed to do this as part of using a custom realm. So that should probably trigger a documentation bug.

But I do not think that would work because...

2. Here is the functional bug in GlassFish.

Without getting into too much detail, the ACC builds on top of the security layer in a number of places. The security layer keeps some information in a data structure about the end-user credentials to be used for authenticating the user. This layer does not currently have a place to record the realm to be used for authentication, and although the ACC could get the realm name from the sun-acc.xml it does not and even if it did it would have nowhere to store it in the security layer for use during authentication.

This is probably not what you wanted to hear, but I'm afraid that's the situation currently.

I'm going to ask the security folks to look at this and add their thoughts.

I do not see a good workaround, but I am still thinking about it.

-Tim
[Message sent by forum member 'tjquinn' (tjquinn)]

http://forums.java.net/jive/thread.jspa?messageID=244970
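As an added illustration, not part of Tim's message or of GlassFish's own documentation, this is what the customized sun-acc.xml he describes (the missed step) would look like, assuming the `client-container`, `target-server` and `auth-realm` elements of the ACC descriptor DTD and a constructed realm name `myFileRealm` with a placeholder realm class; as the message explains, the ACC at the time did not read the realm from this file, so the default realm would still be used.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: a copy of ${domain-directory}/config/sun-acc.xml
     edited to name a non-default realm. Run with:
       appclient -xml my-sun-acc.xml -client myClient.jar
     (file and jar names are placeholders). -->
<client-container>
  <!-- host/port pair(s) the client contacts; several may be listed for
       load-balancing and failover -->
  <target-server name="localhost" address="localhost" port="3700"/>

  <!-- the non-default realm the client should authenticate against
       (assumed element; realm name and class are placeholders) -->
  <auth-realm name="myFileRealm"
              classname="REALM_CLASS_PLACEHOLDER">
    <!-- realm-specific properties would go here -->
  </auth-realm>

  <!-- keep the default logging settings from the generated file -->
  <log-service file="" level="WARNING"/>
</client-container>
```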