users@glassfish.java.net

Re: Client Certificate authentication

From: <glassfish_at_javadesktop.org>
Date: Wed, 13 Feb 2008 00:46:09 PST

Thanks for the reply.

My web.xml:

    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>secure resource</web-resource-name>
            <description/>
            <url-pattern>/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>authorized</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
        <description/>
        <role-name>authorized</role-name>
    </security-role>

and a piece of sun-web.xml:

    <security-role-mapping>
        <role-name>authorized</role-name>
        <group-name>authorized</group-name>
    </security-role-mapping>

where "authorized" is the group of the certificate realm in GlassFish.

I have enabled SSL debug in GlassFish and these are the last lines that might be of interest in the GlassFish log:

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
***|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, fatal error: 46: General SSLEngine problem
java.security.cert.CertificateException: Certificate contains unsupported critical extensions: [2.5.29.17]|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
%% Invalidated: [Session-5, SSL_RSA_WITH_RC4_128_MD5]|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|, SEND TLSv1 ALERT: |#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|fatal, |#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|description = certificate_unknown|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, WRITE: TLSv1 Alert, length = 18|#]

[#|2008-02-12T18:05:21.912+0200|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem|#]

It might be a certificate problem - I tried to import the CA certificate chain from http://info.e-me.lv/en/dokumenti/LPproductionchain2.p7b but got a keytool exception, so I had to import all 3 certificates manually.
[Message sent by forum member 'lmx' (lmx)]

http://forums.java.net/jive/thread.jspa?messageID=258664
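As an added diagnostic (not code from this thread or from GlassFish), the following Java program loads the client certificate the way JSSE does, lists its critical extensions (2.5.29.17 is the subjectAltName extension named in the log), and runs the same X509TrustManager.checkClientTrusted validation against the server truststore, so the handshake failure can be reproduced outside the server. The command-line arguments (certificate file, truststore path, truststore password) are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic, not part of the thread: explain why JSSE rejects a client cert.
public class ClientCertCheck {
    // OID 2.5.29.17 = subjectAltName, the extension reported in the GlassFish log.
    private static final String SUBJECT_ALT_NAME = "2.5.29.17";

    public static void main(String[] args) throws Exception {
        // Assumed arguments: client cert (PEM or DER), server truststore, its password.
        String certPath = args[0], trustStorePath = args[1], trustStorePass = args[2];

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        FileInputStream cin = new FileInputStream(certPath);
        X509Certificate cert;
        try { cert = (X509Certificate) cf.generateCertificate(cin); } finally { cin.close(); }

        Set<String> critical = cert.getCriticalExtensionOIDs();   // null when there are none
        System.out.println("Subject:                 " + cert.getSubjectX500Principal());
        System.out.println("Critical extensions:     " + critical);
        System.out.println("Non-critical extensions: " + cert.getNonCriticalExtensionOIDs());
        if (critical != null && critical.contains(SUBJECT_ALT_NAME)) {
            System.out.println("subjectAltName is marked CRITICAL; the JSSE end-entity check may reject it.");
        }
        // Note: this only reports extensions the JDK cannot parse at all. The validator's
        // per-usage list is stricter, so the real answer is checkClientTrusted() below.
        System.out.println("Unparsable critical ext: " + cert.hasUnsupportedCriticalExtension());

        // Reproduce the server-side decision: validate the cert as a TLS client
        // against the same truststore the SSL worker thread uses.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream tin = new FileInputStream(trustStorePath);
        try { ts.load(tin, trustStorePass.toCharArray()); } finally { tin.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkClientTrusted(new X509Certificate[] { cert }, "RSA");
                System.out.println("checkClientTrusted: OK (cert is accepted by JSSE)");
            } catch (CertificateException e) {
                System.out.println("checkClientTrusted FAILED: " + e.getMessage());
            }
        }
    }
}
```

Run it against the client certificate and the domain's truststore; a FAILED line reproducing "Certificate contains unsupported critical extensions" confirms the problem is the certificate's critical extension rather than the web.xml or sun-web.xml role mapping.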