users@glassfish.java.net

Re: How to make Glassfish accept only certain client certificates?

From: <glassfish_at_javadesktop.org>
Date: Tue, 30 Sep 2008 04:38:00 PDT

I am not sure exactly how you intend to do a secondary authentication above the SSL handshake; note that client cert based authentication is generally considered a much stronger form of authentication than a password based mechanism. It sounds like you are basically seeking to require a second factor in addition to being able to use the keys available to the browser.

In the SSL handshake, the client is presented with the list of trust roots that are acceptable to the server. One way to cause the effect you desire would be to remove all but the one trust root that you are willing to accept from the glassfish truststore, which would cause only the one trust root to be presented to the client. I don't think self-signed certs are compatible with this strategy, since you would in effect have to include every client cert in the glassfish trust-store.

Moreover, I would expect that removing the various traditional trust roots would have adverse consequences on other security systems within glassfish that rely on the other trust roots.

You may be able to do what you want by integrating a custom trustmanager in glassfish, but I'll leave that to others to describe if that is feasible, and how it might be done.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=302514
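As an added illustration of the custom trust manager approach Ron leaves open above (example code written for this page, not from the original post and not GlassFish's own code; the class name, the PEM-file helper and the fingerprint allowlist are this example's assumptions, and the step of installing the manager into the container is not shown). It uses only the standard `javax.net.ssl` API: chain validation is delegated to a trust manager built from a truststore that holds the one accepted CA, so `getAcceptedIssuers()` advertises only that CA in the handshake, and a second check against a per-certificate SHA-256 allowlist is layered on top.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical example (not GlassFish code): an X509TrustManager for the server side
 * that accepts client certificates only if they (1) validate against a truststore
 * containing a single accepted CA, (2) are issued directly by that CA, and
 * (3) appear on an allowlist of SHA-256 certificate fingerprints.
 */
public final class RestrictedClientTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;        // path validation against the single CA
    private final X500Principal acceptedIssuer;     // subject DN of the accepted CA
    private final Set<String> allowedFingerprints;  // lower-case hex SHA-256 of leaf DER

    public RestrictedClientTrustManager(X509Certificate acceptedCa, Set<String> fingerprints)
            throws GeneralSecurityException, IOException {
        // A fresh in-memory truststore holding ONLY the accepted CA: this is what the
        // server will present as its list of acceptable issuers during the handshake.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("accepted-ca", acceptedCa);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new GeneralSecurityException("no X509TrustManager available");
        this.delegate = found;
        this.acceptedIssuer = acceptedCa.getSubjectX500Principal();
        // Normalise "AB:CD:..." or upper-case input to the bare lower-case hex form used below.
        this.allowedFingerprints = fingerprints.stream()
                .map(s -> s.replace(":", "").toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }

    /** Convenience loader: CA certificate from a PEM/DER file (hypothetical helper). */
    public static RestrictedClientTrustManager fromCaFile(Path caFile, Set<String> fingerprints)
            throws GeneralSecurityException, IOException {
        try (InputStream in = Files.newInputStream(caFile)) {
            X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            return new RestrictedClientTrustManager(ca, fingerprints);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty client certificate chain");
        // 1. Standard validation (signature, validity period, constraints) against the single CA.
        delegate.checkClientTrusted(chain, authType);
        // 2. Require the leaf to be issued directly by the accepted CA. This assumes the CA
        //    issues client certs without intermediates; drop this check if it does not.
        X509Certificate leaf = chain[0];
        if (!acceptedIssuer.equals(leaf.getIssuerX500Principal())) {
            throw new CertificateException("client cert not issued by accepted CA: " + leaf.getIssuerX500Principal());
        }
        // 3. Allowlist: a valid certificate from the right CA is still not enough on its own.
        String fp = sha256Hex(leaf);
        if (!allowedFingerprints.contains(fp)) throw new CertificateException("client cert not on allowlist: " + fp);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Server-side use only; refuse to act as a client-side trust manager.
        throw new CertificateException("RestrictedClientTrustManager validates client certificates only");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Advertised in the TLS CertificateRequest: just the one accepted CA.
        return delegate.getAcceptedIssuers();
    }

    static String sha256Hex(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
}
```

Because the delegate is built from its own single-entry truststore, the server's general-purpose truststore (and whatever other glassfish components depend on it) is left untouched, which addresses the side effect Ron raises. The allowlist step is what makes it possible to revoke a single client without touching the CA; keep that list in configuration rather than in code.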