Hi Ron,
Thanks a lot for your clarification.
I will explain my need and the state of my auth/authz more precisely so you
can give me some tips.
I need a ServerAuthModule on the SOAP layer. Here EJB WebServices are
protected with SSL with client cert auth. I would like to get a handle on the
client certificate in the SAM to perform authorization (and inject roles)
based on the cert's subject DN.
I need another ServerAuthModule on the httpServlet layer. Here URLs (servlets,
jsps, simple files) are protected with SSL with client cert auth. In this
case I would like to gather the client cert's subject DN too.
Is it feasible?
> It may be possible to have the SAM initiate the client certificate
> exchange by requesting the attribute, but then the SAM will have to take
> special steps to perform the username password authentication against a
> realm other than the certificate realm.
Actually I just assigned a group name to the Certificate REALM and I use this
group name to secure URLs (sun-web.xml) and EJB WebServices (sun-ejb-jar.xml);
then in my SAM I inject a principal name and roles specific to my auth/authz.
In the case you describe, are the "special steps" a SAM would have to perform
to put the principal/role in context after SSL auth (replacing the
Certificate REALM)?
Best regards
Paul