users@glassfish.java.net

Question about custom realms and SSL certificate-based client auth

From: <glassfish_at_javadesktop.org>
Date: Fri, 02 May 2008 04:22:52 PDT

Hi all,

I need to build an enterprise app with custom authz. Auth is achieved via SSL client certificate.

This app is made of EJB web services, and I would like to use the Java security annotations, like @RolesAllowed, on their operations.

I currently use the CertificateRealm mapped to a group name that I use in the META-INF/sun-ejb-jar.xml file with <transport-guarantee>CONFIDENTIAL</transport-guarantee>.

With this, my web service methods are only accessible to SSL-certificate-authenticated clients.

Apart from this, I have custom business logic that retrieves roles based on the certificate info (subject DN, cert serial and issuer DN). This custom logic is using JPA, LDAP and external web services to retrieve the roles.

Now I would like to bind this custom logic into GF so I can use container-based authz. Is it possible? Googling a lot, I was only able to find simple use cases like jdbcRealm or ldapRealm, and all of these needed to be installed/configured in the GF domain. Ideally I would like to package what is needed inside the app EAR so deployment remains easy.

Maybe I'm asking too much of GF, but any solution or advice will be greatly appreciated. If I'm stuck with building custom authz handling, do you have any advice for doing it the EE way?


Best regards

Paul
[Message sent by forum member 'eskatos' (eskatos)]

http://forums.java.net/jive/thread.jspa?messageID=272507
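The certificate-to-role mapping the post describes (roles derived from subject DN, certificate serial and issuer DN), as an added example in plain Java; it is not code from the original post, from the thread, or from GlassFish. It assumes the container has already validated the client certificate chain (the CertificateRealm/CONFIDENTIAL setup above) and that the application can obtain the java.security.cert.X509Certificate; the role tables, the CA and subject names, and the class and method names (CertificateRoleMapper, CertIdentity, rolesFor, grantByIssuerSerial, grantBySubject) are all constructed for illustration. It goes slightly beyond the post in two places a practitioner would want covered: DNs are compared in X500Principal's CANONICAL form rather than as raw strings, and subject-DN grants are honoured only for an explicit allow-list of issuers, because a serial number identifies a certificate only together with its issuer and any other CA the container trusts could otherwise issue a certificate with a lookalike subject.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Derives application roles from a client certificate's issuer DN, serial number and subject DN.
// Added example; the in-memory tables are constructed sample data standing in for the
// JPA/LDAP/web-service lookups described in the post.
public final class CertificateRoleMapper {

    /** Identity attributes of a certificate whose chain the container has already validated. */
    public static final class CertIdentity {
        final String issuer;    // canonical DN, see canonical()
        final BigInteger serial;
        final String subject;   // canonical DN

        public CertIdentity(X500Principal issuer, BigInteger serial, X500Principal subject) {
            this.issuer = canonical(issuer);
            this.serial = serial;
            this.subject = canonical(subject);
        }

        /** The three attributes the post names, read straight off the validated certificate. */
        public static CertIdentity from(X509Certificate cert) {
            return new CertIdentity(cert.getIssuerX500Principal(), cert.getSerialNumber(),
                                    cert.getSubjectX500Principal());
        }
    }

    // Never compare DNs as raw strings: "CN=Paul, O=Example" and "cn=Paul,o=Example" are the same
    // name. CANONICAL lower-cases attribute types and string values and drops insignificant
    // whitespace, so equal names yield equal strings.
    static String canonical(X500Principal dn) {
        return dn.getName(X500Principal.CANONICAL);
    }

    // A serial number is unique only within one CA, so an exact grant is keyed on issuer AND serial.
    static String issuerSerialKey(String canonicalIssuer, BigInteger serial) {
        return canonicalIssuer + "#" + serial.toString(16);
    }

    private final Map<String, Set<String>> rolesByIssuerSerial = new HashMap<>();
    private final Map<String, Set<String>> rolesBySubject = new HashMap<>();
    // Subject-DN grants are honoured only for these CAs: any other CA the container trusts could
    // otherwise issue a certificate carrying a privileged subject name.
    private final Set<String> issuersAllowedForSubjectGrants = new HashSet<>();

    public void allowIssuerForSubjectGrants(X500Principal issuer) {
        issuersAllowedForSubjectGrants.add(canonical(issuer));
    }

    public void grantByIssuerSerial(X500Principal issuer, BigInteger serial, String... roles) {
        String key = issuerSerialKey(canonical(issuer), serial);
        rolesByIssuerSerial.computeIfAbsent(key, k -> new LinkedHashSet<>()).addAll(Arrays.asList(roles));
    }

    public void grantBySubject(X500Principal subject, String... roles) {
        rolesBySubject.computeIfAbsent(canonical(subject), k -> new LinkedHashSet<>()).addAll(Arrays.asList(roles));
    }

    /** Roles for one presented certificate; an empty set means authenticated but unauthorized. */
    public Set<String> rolesFor(CertIdentity id) {
        Set<String> roles = new LinkedHashSet<>();
        Set<String> exact = rolesByIssuerSerial.get(issuerSerialKey(id.issuer, id.serial));
        if (exact != null) roles.addAll(exact);
        if (issuersAllowedForSubjectGrants.contains(id.issuer)) {
            Set<String> bySubject = rolesBySubject.get(id.subject);
            if (bySubject != null) roles.addAll(bySubject);
        }
        return Collections.unmodifiableSet(roles);
    }

    public static void main(String[] args) {
        CertificateRoleMapper mapper = new CertificateRoleMapper();
        X500Principal ca = new X500Principal("CN=Example Client CA, O=Example, C=FR");
        mapper.allowIssuerForSubjectGrants(ca);
        mapper.grantByIssuerSerial(ca, new BigInteger("1a2b", 16), "admin");
        mapper.grantBySubject(new X500Principal("CN=Paul, OU=Ops, O=Example, C=FR"), "operator");

        // Same CA and subject written with different case and spacing: matches after canonicalisation.
        CertIdentity paul = new CertIdentity(new X500Principal("cn=Example Client CA,o=Example,c=FR"),
                new BigInteger("1a2b", 16), new X500Principal("cn=paul,ou=ops,o=Example,c=FR"));
        System.out.println("paul      -> " + mapper.rolesFor(paul));

        // Identical subject DN issued by a CA outside the allow-list: no subject-based grant.
        CertIdentity lookalike = new CertIdentity(new X500Principal("CN=Other CA, O=Other"),
                BigInteger.ONE, new X500Principal("CN=Paul, OU=Ops, O=Example, C=FR"));
        System.out.println("lookalike -> " + mapper.rolesFor(lookalike));
    }
}
```

The first identity receives both the issuer+serial grant and the subject grant; the second, despite an identical subject DN, receives nothing because its issuer is not on the allow-list. The mapper is independent of how the resulting role set is handed to the container for the @RolesAllowed check, which is the plumbing the question itself asks about.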