users@glassfish.java.net

Re: Question about ServerAuthModule on HttpServlet layer and HttpRequest "javax.servlet.request.X509Certificate" attribute

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Mon, 29 Sep 2008 19:36:46 -0400

Paul wrote:
> Anybody knows if a ServerAuthModule is executed before SSL attributes are put
> in the HttpRequest object ?
>
> Paul
>
The SAM will be executed first, and the CLIENT-CERT Valve will not be
executed because the SAM is integrated in an either/or manner with respect
to the SSL valve that would normally populate the attributes.

Normally the Glassfish SSLAuthenticator Valve initiates the client
certificate exchange (when authentication is required) as a side effect
of fetching the attribute.

It may be possible to have the SAM initiate the client certificate
exchange by requesting the attribute, but then the SAM will have to take
special steps to perform the username/password authentication against a
realm other than the certificate realm.

Depending on how important this double authentication use case is,
perhaps I'll have to describe how this is done in the servlet profile of
JSR 196. Generally speaking, JSR 196 relies on the encompassing runtime to
deal with setting up the connection, with the presumption being that it
could read any SSL attributes established by the runtime.

One way around this, within Glassfish, could be to support the
configuration of a SAM in addition to login-method in web.xml, at least
for the case when CLIENT_CERT is specified in web.xml.

J2EE did not standardize the details of how a container causes SSL
client authentication to occur; providing a way for SAMs to cause this
effect would be another approach.

Ron
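The "double authentication" SAM Ron sketches above, as an added illustration that is not part of this thread and not GlassFish code: the module fetches the `javax.servlet.request.X509Certificate` attribute itself (whether that fetch actually triggers the certificate exchange from inside a SAM is exactly the "may be possible" point above, so it is an assumption here), then asks the container, via `PasswordValidationCallback`, to check a Basic username/password against the realm configured for the application rather than the certificate realm. The class name and Basic-header handling are hypothetical, and the code is written against Java 8 and the JSR 196 1.0 API.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
public class CertThenPasswordSam implements ServerAuthModule { // hypothetical module
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private CallbackHandler handler; // container-supplied; it owns the realm lookup
    public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map o) { handler = h; }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) mi.getResponseMessage();
        // Step 1: the CLIENT-CERT valve does not run when a SAM is bound, so fetch the SSL attribute here.
        // Assumption (the thread says only "may be possible"): this fetch triggers the certificate exchange.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) { resp.setStatus(401); return AuthStatus.SEND_FAILURE; }
        // Step 2: username/password from a Basic Authorization header; challenge if absent.
        String[] creds = basicCredentials(req.getHeader("Authorization"));
        if (creds == null) {
            resp.setHeader("WWW-Authenticate", "Basic realm=\"app\""); resp.setStatus(401);
            return AuthStatus.SEND_CONTINUE; // exchange not finished yet
        }
        try {
            // The container checks the password against the realm configured for the application.
            PasswordValidationCallback pvc = new PasswordValidationCallback(client, creds[0], creds[1].toCharArray());
            handler.handle(new Callback[] { pvc });
            pvc.clearPassword();
            if (!pvc.getResult()) { resp.setStatus(401); return AuthStatus.SEND_FAILURE; }
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, creds[0]) }); // identity from password realm
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
        return AuthStatus.SUCCESS;
    }
    // Decodes "Basic base64(user:pass)"; returns null when the header is absent or malformed.
    static String[] basicCredentials(String h) {
        if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String pair;
        try { pair = new String(Base64.getDecoder().decode(h.substring(6).trim()), "UTF-8"); }
        catch (Exception e) { return null; }
        int c = pair.indexOf(':');
        return c < 1 ? null : new String[] { pair.substring(0, c), pair.substring(c + 1) };
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject s) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject s) { if (s != null) s.getPrincipals().clear(); }
}
```

A non-null certificate chain only reaches the attribute after the container's TLS layer has verified it against the server truststore, so the module treats its presence as the first factor and the realm-backed password check as the second.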