users@glassfish.java.net

Re: Question about custom realms and SSL certificate-based client auth

From: <glassfish_at_javadesktop.org>
Date: Tue, 06 May 2008 08:09:05 PDT

BTW, you might find it feasible to define an HttpServlet layer SAM (instead of a SOAP layer SAM). Your most recent question about invoking EJBs from within the SAM might change this, ... but

when you configure the GlassFish servlet container to invoke a SAM (at the HttpServlet layer) then it will no longer invoke the authenticate method of the authenticator valve (in this case the SSLAuthenticator valve). The underlying connector (i.e., Coyote or Grizzly) will force the SSL handshake and will set the certificate attribute in the HttpServletRequest, and then your SAM will be invoked.

Within your SAM, you would need to populate the clientSubject with a certificate-derived identity (which would otherwise be done by the SSLAuthenticator) and with whatever additional principals you decide are applicable.

You also asked:

> That leads me to another question: is it possible to
> inject @EJBs in a SAM?
> If not I'll do good ol' JNDI lookups.
>

Not sure about all the ramifications of doing this, but you should give it a try.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=272971