users@glassfish.java.net

Re: Client Cert Based Authentication - from tomcat JDBCRealm to Glassfish

From: <glassfish_at_javadesktop.org>
Date: Wed, 23 Jul 2008 16:44:46 PDT

Thanks for the reply Kumar. Sorry for the late reply. Being new to GF I was trying to understand this.

To answer your question: on Tomcat we currently use auth-method=client-cert, and the realm is Tomcat's JDBC realm. User information is extracted from the cert. Then a JDBC call fetches roles for the same user.

But to achieve the same, it seems I need to extend CertificateRealm and override the authenticate method. But interestingly, CertificateRealm is declared as a FINAL class. Now I can't even extend the class. Any reasons for this? It is pretty disappointing.

We can't even create a custom realm, duplicating the CertificateRealm functionality and adding JDBC features to it. That is because the doX500Login method in the LoginContextDriver class checks to make sure it is an instance of CertificateRealm before calling the authenticate method.

I am surprised by these half-baked security features in GlassFish!!
The only way is to edit CertificateRealm, compile it and replace it in the original jar. I hate this approach.

Thanks again Kumar.
[Message sent by forum member 'ntonne' (ntonne)]

http://forums.java.net/jive/thread.jspa?messageID=288850