users@glassfish.java.net

Caller propagation from non-Java EE web containers

From: <glassfish_at_javadesktop.org>
Date: Thu, 17 Jan 2008 00:35:38 PST

Hi,

I am currently trying to meet these needs:

1-Make it possible to initiate a connection to glassfish with SSL on demand. This is needed so that I don't have to waste the resources for internal communication between the web tier and the business tier while providing confidentiality for users bypassing the web tier. In the first case the web tier will be providing the confidentiality by using for example HTTP/SSL.

2-If the client was able to provide a valid and trusted certificate then he can propagate the identity to the server (see below for further questions). The propagated security context should be used in further authorizations by the EJB container.

3-Otherwise the client will be required to authenticate himself/herself using the ProgrammaticLogin interface.

For step 2, a way is needed to propagate the security context to GlassFish, but so far I haven't found a way to achieve this. I'm using the following sun-ejb-jar.xml to reflect the mentioned needs. The bean shown below only requires the user to be authenticated and thus in any valid group (i.e. admin, support, hr, etc.), which are mapped to role "ALL".

I have also stated that the confidentiality, integrity, trust in client and trust in server are to be SUPPORTED instead of REQUIRED to fit the requirement, since each of these features is required in only one of the scenarios mentioned above (i.e. connection from web tier or client). For example, the web tier should use the trust-in-client to be able to propagate security contexts, while a client connecting directly would use the trust-in-target, confidentiality and integrity features to make sure his/her information isn't sent without encryption on the internet. Similarly for the auth_method, it isn't REQUIRED since the web tier won't make use of it (actually for efficiency reasons, authentication shouldn't be enforced on the connections made by the web tier) but it is still needed by other clients with a direct connection to the GlassFish server.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
<sun-ejb-jar>
    <security-role-mapping>
        <role-name>ALL</role-name>
        <group-name>admin</group-name>
        <group-name>support</group-name>
        <group-name>hr</group-name>
        <group-name>employee</group-name>
    </security-role-mapping>
    <enterprise-beans>
        <ejb>
            <ejb-name>UserBean</ejb-name>
            <jndi-name>UserBean</jndi-name>
            <ior-security-config>
                <transport-config>
                    <integrity>SUPPORTED</integrity>
                    <confidentiality>SUPPORTED</confidentiality>
                    <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
                    <establish-trust-in-client>SUPPORTED</establish-trust-in-client>
                </transport-config>
                <as-context>
                    <auth-method>USERNAME_PASSWORD</auth-method>
                    <realm>MyRealm</realm>
                    <required>false</required>
                </as-context>
                <sas-context>
                    <caller-propagation>SUPPORTED</caller-propagation>
                </sas-context>
            </ior-security-config>
        </ejb>
    </enterprise-beans>
</sun-ejb-jar>

All answers and clarification will be appreciated,
John.
[Message sent by forum member 'jvshahid' (jvshahid)]

http://forums.java.net/jive/thread.jspa?messageID=254370
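The trade-off the post describes (everything SUPPORTED so that the web tier can stay in plaintext while direct clients opt into TLS) has a consequence worth checking mechanically: nothing in that descriptor is enforced by the server, so wire protection for a direct client depends entirely on what the client asks for. The following is an added example, not code from the post or from GlassFish: a small Python lint that parses the ior-security-config of a sun-ejb-jar.xml and reports which guarantees the server will actually enforce. It assumes the CSIv2 meaning of the three levels (NONE = not offered, SUPPORTED = negotiable, REQUIRED = enforced by the server) and uses a constructed copy of the post's descriptor (DOCTYPE and XML declaration omitted) as sample input; the hardened variant built from it is also constructed, and it deliberately gives up the plaintext web-tier scenario, so it is a contrast, not a recommendation for the poster's setup.

```python
"""Lint the ior-security-config of a sun-ejb-jar.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor from the post, without DOCTYPE/XML declaration.
SAMPLE_DESCRIPTOR = """<sun-ejb-jar>
    <security-role-mapping>
        <role-name>ALL</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>
    <enterprise-beans>
        <ejb>
            <ejb-name>UserBean</ejb-name>
            <jndi-name>UserBean</jndi-name>
            <ior-security-config>
                <transport-config>
                    <integrity>SUPPORTED</integrity>
                    <confidentiality>SUPPORTED</confidentiality>
                    <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
                    <establish-trust-in-client>SUPPORTED</establish-trust-in-client>
                </transport-config>
                <as-context>
                    <auth-method>USERNAME_PASSWORD</auth-method>
                    <realm>MyRealm</realm>
                    <required>false</required>
                </as-context>
                <sas-context>
                    <caller-propagation>SUPPORTED</caller-propagation>
                </sas-context>
            </ior-security-config>
        </ejb>
    </enterprise-beans>
</sun-ejb-jar>
"""

# Constructed contrast: same bean with the transport features enforced.
HARDENED_DESCRIPTOR = (
    SAMPLE_DESCRIPTOR
    .replace("<integrity>SUPPORTED", "<integrity>REQUIRED")
    .replace("<confidentiality>SUPPORTED", "<confidentiality>REQUIRED")
    .replace("<establish-trust-in-client>SUPPORTED", "<establish-trust-in-client>REQUIRED")
)

# Assumed CSIv2 levels: NONE = not offered, SUPPORTED = negotiable, REQUIRED = enforced.
LEVELS = ("NONE", "SUPPORTED", "REQUIRED")


def parse_ior_security(xml_text):
    """Return {ejb-name: {"transport": {...}, "as": {...}, "sas": {...}}}."""
    root = ET.fromstring(xml_text)
    beans = {}
    for ejb in root.iter("ejb"):
        ior = ejb.find("ior-security-config")
        if ior is None:
            continue  # bean uses container defaults; nothing to lint here

        def section(tag, ior=ior):
            node = ior.find(tag)
            return {} if node is None else {c.tag: (c.text or "").strip() for c in node}

        beans[ejb.findtext("ejb-name")] = {
            "transport": section("transport-config"),
            "as": section("as-context"),
            "sas": section("sas-context"),
        }
    return beans


def required_features(bean):
    """Transport features the server refuses to do without (REQUIRED only)."""
    return {k for k, v in bean["transport"].items() if v == "REQUIRED"}


def audit(bean):
    """List (severity, message) pairs for everything left to the client's choice."""
    t, a, s = bean["transport"], bean["as"], bean["sas"]
    findings = []
    for feature in ("integrity", "confidentiality"):
        level = t.get(feature, "NONE")
        if level not in LEVELS:
            findings.append(("error", f"{feature} has unknown level {level!r}"))
        elif level != "REQUIRED":
            findings.append(("info", f"{feature}={level}: plaintext IIOP is accepted, "
                                     "so wire protection is the client's choice"))
    if a and a.get("required", "false").lower() != "true":
        findings.append(("info", f"as-context {a.get('auth-method')} is optional: a caller "
                                 "sending no credentials is anonymous and is gated only by "
                                 "the bean's method permissions"))
    if (s.get("caller-propagation", "NONE") != "NONE"
            and t.get("establish-trust-in-client", "NONE") != "REQUIRED"):
        findings.append(("warn", "caller-propagation accepted while establish-trust-in-client "
                                 "is not REQUIRED: an asserted identity may arrive on a "
                                 "connection with no client certificate; authenticate the "
                                 "asserting tier by other means (cert or network restriction)"))
    return findings


if __name__ == "__main__":
    for label, text in (("post", SAMPLE_DESCRIPTOR), ("hardened", HARDENED_DESCRIPTOR)):
        for name, bean in parse_ior_security(text).items():
            print(f"[{label}] {name}: enforced={sorted(required_features(bean)) or 'nothing'}")
            for sev, msg in audit(bean):
                print(f"  {sev}: {msg}")
```

Run on the post's descriptor the lint reports that nothing is enforced and that identity assertion is accepted without a mandatory client certificate; the hardened variant enforces integrity, confidentiality and client trust and leaves only the optional username/password finding, which is exactly the guarantee the post wants to keep negotiable for the web tier.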