users@glassfish.java.net

Re: CLIENT-CERT AUTHENTICATION

From: Evaristo José Camarero <evaristojosec_at_yahoo.es>
Date: Fri, 2 Nov 2007 08:54:48 +0100 (CET)

Some help, or some doc that I can check...

Regards,

EVaristo

--- Evaristo José Camarero <evaristojosec_at_yahoo.es>
wrote:

>
> Hi:
>
> Of course, my intention is to match a DN
> certificate against a database, because otherwise
> I am not authenticating (OK, I know that the
> certificate is just trusted, but I want to know who
> is the user that owns the certificate, just to provide
> a personalized service).
>
> Regards,
>
> Evaristo
>
> --- V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
> wrote:
>
> > Evaristo José Camarero wrote:
> >
> > >Hi again:
> > >
> > >Thanks for the explanations.
> > >
> > >But I still have some questions.
> > >
> > >If the certificate realm only contains groups of
> > >users, and does not contain users, how can the
> > >server authenticate a user?
> > >
> > When SSL is used, the server authenticates the
> > client cert for validity and ensures that the
> > client cert is a trusted cert.
> >
> > >Is it possible to get users from
> > >other realms even when using certificate realm?
> > >
> > >How is the authentication done? Is the DN
> > >of the certificate matched against the user id?
> > >
> > >Thanks in advance for your support.
> > >
> > If I understand correctly, you would want to match
> > the DN of the cert with some user-list stored
> > somewhere; is that correct?
> >
> > Thanks,
> > kumar
> >
> > >Regards,
> > >
> > >Evaristo
> > >
> > >
> > >
> > >--- V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
> > >wrote:
> > >
> > >>Hi,
> > >>
> > >>Evaristo José Camarero wrote:
> > >>
> > >>>Hi all:
> > >>>
> > >>>I would like to configure client-cert authentication
> > >>>in Glassfish to authenticate some resources of my web
> > >>>application.
> > >>>
> > >>For client cert authentication you need to set the
> > >><auth-method> subelement of the <login-config> element to
> > >>CLIENT-CERT in your web.xml. You also need to set the
> > >><transport-guarantee> element to CONFIDENTIAL. (See sample below)
> > >>
> > >>  <security-constraint>
> > >>    <web-resource-collection>
> > >>      <web-resource-name>Secure Area</web-resource-name>
> > >>      <url-pattern>/HelloServletService/HelloServlet</url-pattern>
> > >>      <http-method>POST</http-method>
> > >>    </web-resource-collection>
> > >>    <auth-constraint>
> > >>      <role-name>EMPLOYEE</role-name>
> > >>    </auth-constraint>
> > >>    <user-data-constraint>
> > >>      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >>    </user-data-constraint>
> > >>  </security-constraint>
> > >>  <login-config>
> > >>    <auth-method>CLIENT-CERT</auth-method>
> > >>    <realm-name>certificate</realm-name>
> > >>  </login-config>
> > >>
> > >>>I have seen that Glassfish provides a certificate realm,
> > >>>and I guess you need to include all the valid certs
> > >>>there. Is that right? If that is the case, you need to
> > >>>have all the client-certs, that probably have been
> > >>>issued by an external CA.
> > >>>
> > >>This is not true, you never need to include all
> > >>valid client certs ....
> > >>
> > >>The GF certificate realm serves to assign groups to
> > >>the user after successful authentication. The groups to be
> > >>assigned are picked up from the assign-groups attribute of
> > >>the certificate realm configuration in domain.xml.
> > >>
> > >>When using SSL the authentication of the client cert
> > >>happens in the SSL layer.
> > >>
> > >>>In my opinion the right approach is assuming that a
> > >>>certificate is signed by a trusted CA, get data from
> > >>>certificate DN, and match the data against a database
> > >>>(file, ldap server...).
> > >>>
> > >>>This approach assumes that
> > >>>certificates are handled by an external entity,
> > >>>including certification renovation... So, is it
> > >>>possible to configure Glassfish to work in this
>
=== message truncated ===
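What Evaristo asks for (let the SSL layer trust the CA, then identify the user from the certificate's subject DN against an application-side store) can be done in the web application itself, behind the CLIENT-CERT constraint Kumar shows. The servlet below is an added example written for this thread, not code from the thread or from GlassFish; the class name is hypothetical and the user table is a constructed stand-in for the file or LDAP lookup.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical servlet behind the CLIENT-CERT constraint: maps the presented cert to a user. */
public class CertIdentityServlet extends HttpServlet {

    // Constructed stand-in for the file/LDAP lookup discussed in the thread. Keys are
    // canonical subject DNs, so formatting differences between CAs do not break matching.
    private static final Map<String, String> USERS_BY_DN = new HashMap<String, String>();
    static {
        USERS_BY_DN.put(canonical("CN=Alice Example,OU=Sales,O=Example Corp,C=ES"), "alice");
        USERS_BY_DN.put(canonical("CN=Bob Example,OU=Support,O=Example Corp,C=ES"), "bob");
    }

    static String canonical(String dn) {
        return new X500Principal(dn).getName(X500Principal.CANONICAL);
    }

    /** Returns the application user enrolled for this certificate, or null if none. */
    static String lookupUser(X509Certificate cert) {
        return USERS_BY_DN.get(cert.getSubjectX500Principal().getName(X500Principal.CANONICAL));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Servlet-spec attribute holding the chain the SSL layer already validated and
        // trusted; it is null if the request did not come in over a CLIENT-CERT path.
        X509Certificate[] chain =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String user = lookupUser(chain[0]);   // chain[0] is the end-entity certificate
        if (user == null) {
            // Trusted by the CA but not enrolled here: authenticated is not the same as known.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not enrolled");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + user + ", serial " + chain[0].getSerialNumber());
    }
}
```

The web.xml from the thread (CLIENT-CERT, CONFIDENTIAL, realm `certificate`) still has to guard this servlet's URL; the code only does the identity mapping after the SSL layer has accepted the certificate.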



       