users@glassfish.java.net

Re: Question about custom realms and SSL certificate-based client auth

From: Paul <paul_at_nosphere.org>
Date: Mon, 5 May 2008 18:55:39 +0200

Hi Ron,

First, thanks a lot for answering me with such details.

On Monday 05 May 2008 18:13:09 glassfish_at_javadesktop.org, you wrote:
> I think your goals are as follows:
>
> 1. use ssl mutual auth to authenticate web services
> 2. inject some code to effect role mapping based on certificate identity
> 3. rely on the ejb container's pre-dispatch authorization checks and have
> the effects of 2 be applied in the access check
> 4. package the code that does 2, such that it is deployed with the app.
>
> if you want to achieve 3, then 2, will need to occur before you dispatch to
> your component.
Makes perfect sense.

> I (think) one way to do 2, assuming you are ok with using glassfish
> proprietary and internal apis, might be to write an ejb pre-invoke
> interceptor, that gets the current security context, and that uses the
> transport layer id, and uses it to add corresponding group principals to
> the subject in the security context. This will only work if the interceptor
> will be invoked before the access check.
>
> another way to do 2, would be to configure a soap layer jsr 196 server auth
> module, and have your app configure it, and register it for use by the
> container on its (i.e., your apps behalf). your auth module would achieve
> the same effect as described above, but it would do so, by using the
> standard callbacks defined by 196.
>
> a third alternative would be to create a jacc policy provider that wraps
> the glassfish policy provider, and that adds principals during the policy
> decision, depending on the target of the access check.

To be more precise on my case study, I use the subjectDN of the client
certificate to retrieve authentication and authorization data from external
services and then cache them locally in a database.

So in a "security hook" I have to:
 * get a hand on the client certificate, at least its subjectX500Principal
 * call external services (soap & ldap)
 * use a local database through JPA (transaction issues?)
 * inject Roles in the security context

From the three alternatives, the one that seduces me is the second one because
of the standard aspect of JSR 196.

I'll read the JSR spec PDF and browse the Javadoc tonight.

Do you know of a sort of "code sample" I could read, or other readings that
could help me with all this?

Best regards.

Paul
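As an added example, not code from this thread or from GlassFish, here is what the second alternative above (a JSR 196 server auth module that injects group principals through the standard callbacks) looks like in Java. It uses the servlet container profile rather than the SOAP-layer profile Ron mentions, because the servlet profile exposes the TLS-validated client chain through the standard javax.servlet.request.X509Certificate request attribute. The GroupResolver interface and the in-memory map behind it are assumptions standing in for the SOAP/LDAP lookups and JPA cache Paul describes; the class and method names are illustrative.

```java
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative JSR 196 ServerAuthModule (servlet profile). It does not
 * authenticate the client itself: the TLS handshake already validated the
 * certificate chain, and the container publishes that chain as a request
 * attribute. The module only maps the certificate subject to a caller
 * principal plus group names; the container's role mapping turns the groups
 * into roles before the EJB pre-dispatch access check.
 */
public class ClientCertGroupMappingSam implements ServerAuthModule {

    /** Standard servlet attribute holding the validated client chain (end-entity first). */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Hypothetical hook: subject DN (RFC 2253 form) to group names. */
    public interface GroupResolver {
        String[] groupsFor(String rfc2253SubjectDn);
    }

    private CallbackHandler handler;
    private final GroupResolver resolver;

    /** Container entry point: wires a constructed in-memory table (stand-in for SOAP/LDAP + JPA cache). */
    public ClientCertGroupMappingSam() {
        this(new GroupResolver() {
            private final Map<String, String[]> table = new HashMap<String, String[]>();
            {
                // constructed sample data, not real accounts
                table.put("CN=ws-client-1,OU=Services,O=Example,C=FR", new String[] {"ws-callers"});
                table.put("CN=admin-tool,OU=Ops,O=Example,C=FR", new String[] {"ws-callers", "ws-admins"});
            }
            public String[] groupsFor(String dn) { return table.get(dn); }
        });
    }

    public ClientCertGroupMappingSam(GroupResolver resolver) {
        this.resolver = resolver;
    }

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;   // supplied by the container; backs the 196 callbacks
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        // No validated chain: the listener is not doing client-auth or the peer sent
        // no certificate. Fail closed instead of dispatching an anonymous caller.
        if (chain == null || chain.length == 0) {
            return AuthStatus.SEND_FAILURE;
        }

        X500Principal subject = chain[0].getSubjectX500Principal();
        // Canonical string form so DN spacing/ordering variants cannot produce two keys
        // for one certificate when used as a lookup key against the cache.
        String dn = subject.getName(X500Principal.RFC2253);

        String[] groups = resolver.groupsFor(dn);
        if (groups == null || groups.length == 0) {
            return AuthStatus.SEND_FAILURE;   // authenticated transport identity, but unknown to us
        }

        try {
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, subject),   // who the caller is
                new GroupPrincipalCallback(clientSubject, groups)      // groups for role mapping
            });
        } catch (Exception e) {
            AuthException ae = new AuthException("callback handling failed: " + e.getMessage());
            ae.initCause(e);
            throw ae;
        }
        return AuthStatus.SUCCESS;
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;   // nothing to add on the way out
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        subject.getPrincipals().clear();
    }
}
```

Two practitioner notes on this shape. First, the module trusts the chain only because the container put it in the request attribute after a successful client-auth handshake; the HTTPS listener must actually require client authentication, otherwise the attribute is simply absent and every request fails closed (the desired outcome, but worth checking before blaming the resolver). Second, the external SOAP/LDAP calls and the JPA cache that Paul lists belong behind the GroupResolver, and they run before the EJB transaction exists, so the cache write needs its own transaction boundary rather than the component's.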