users@glassfish.java.net

Re: How to use LdapGroups with auth-method=CLIENT-CERT / realm-name=certifi

From: <glassfish_at_javadesktop.org>
Date: Wed, 14 May 2008 12:54:31 PDT

> Hi,
 
> Q1: How can LDAP groups be mapped to the user if
> using certificates?
>
> Q2: Is there any sense not to bundle
> auth-method=CLIENT-CERT with realm-name=certificate?
> Q3: Can auth-method=CLIENT-CERT at all be combined
> with e.g. realm-name=ldapRealm (to achieve Q1
> maybe)?
>
>
> best regards

This sounds like something worth trying.

I think you would need to replace the implementation of the realm configured as the certificate realm, with one that implements the group lookup functionality you are looking for.

doX500Login of LoginContextDriver is implemented so that it looks for the "certificate" realm, or otherwise, you could associate another realm with your app.

Do you think you have enough info to try to develop a custom realm to do what you are trying to do?

I think it would be interesting if the cert realm could be extended such that it could be combined with a login module to do the group lookup, but I am not sure how to do that, as I think authenticate would need to be called on the login module, and for that to succeed, a username and password would typically be required.

As such, I think you would have to extend the getGroupNames method of the CertificateRealm to perform the group lookup functionality done by findAndBind of the LDAPRealm; that is, without requiring an authentication.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=274381
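The group lookup the reply describes, sketched as an added example (not part of the original message and not GlassFish code): a plain JNDI helper that a custom realm's getGroupNames could delegate to. The class name `CertGroupLookup`, its constructor parameters, the `uniqueMember` filter and the `cn` group-name attribute are assumptions, as is the premise that the certificate's subject DN equals the user's DN in the directory.

```java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

// Hypothetical helper: none of these names come from GlassFish.
public class CertGroupLookup {
    private final Hashtable<String, String> env = new Hashtable<String, String>();
    private final String groupBaseDn;

    public CertGroupLookup(String url, String bindDn, String bindPw, String groupBaseDn) {
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);           // prefer an ldaps:// URL
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);  // service account, not the end user
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        this.groupBaseDn = groupBaseDn;
    }

    // subjectDn: the DN taken from the client certificate the container already verified.
    public List<String> groupsFor(String subjectDn) throws NamingException {
        List<String> groups = new ArrayList<String>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        DirContext ctx = new InitialDirContext(env);
        try {
            // {0} is substituted and escaped by JNDI, so characters such as
            // '*', '(' or ')' in the DN cannot change the filter's meaning.
            NamingEnumeration<SearchResult> res =
                ctx.search(groupBaseDn, "(uniqueMember={0})", new Object[] {subjectDn}, sc);
            while (res.hasMore()) {
                Attribute cn = res.next().getAttributes().get("cn");
                if (cn != null) groups.add((String) cn.get());
            }
        } finally {
            ctx.close();
        }
        return groups;
    }
}
```

The search binds as a directory service account, so no end-user password is needed; that account only needs read access to the group subtree.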