users@glassfish.java.net

Re: Question about ServerAuthModule on HttpServlet layer and HttpRequest "javax.servlet.request.X509Certificate" attribute

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Tue, 30 Sep 2008 07:53:26 -0400

Paul wrote:
> Hi Ron,
>
> Thanks a lot for your clarification.
>
> I will explain my need and the state of my auth/authz more precisely so you
> could have some tips for me.
>
> I need a ServerAuthModule on the SOAP layer. Here EJB WebServices are
> protected with SSL with client cert auth. I would like to get a handle on the
> client certificate in the SAM to perform authorization (and inject roles)
> based on the cert's subject DN.

I haven't tried this myself, but you should be able to configure SSL
Client CERT in the web tier (without configuring an HttpServlet layer
SAM), while also configuring a SOAP layer SAM to add additional
principals, and you could perform authorization within the SOAP layer
SAM; while recognizing that the EJB container will enforce any role
based policy you may have defined on the EJB endpoint.
>
> I need another ServerAuthModule on the httpServlet layer. Here URLs (servlets,
> jsps, simple files) are protected with SSL with client cert auth. In this
> case I would like to gather the client cert's subject DN too.
>
> Is it feasible?
>
I am not sure how to configure CLIENT_CERT auth as a web.xml mechanism,
and to also configure an HttpServlet layer SAM. At this point Glassfish
only supports one or the other. I'm looking into ways to make this possible.

>
>>It may be possible to have the SAM initiate the client certificate
>>exchange by requesting the attribute, but then the SAM will have to take
>>special steps to perform the username password authentication against a
>>realm other than the certificate realm.
>
>
> Actually I just assigned a group name to the Certificate REALM and I use this
> group name to secure URLs (sun-web.xml) and EJB WebServices (sun-ejb-jar.xml)
> then in my SAM I inject a principal name and roles specific to my auth/authz.
>
> In the case you describe, are the "special steps" a SAM would have to perform,
> to put the principal/role in context after ssl auth (replacing the
> Certificate REALM) ?
>
If the SAM intends to use the PasswordValidationCallback, then the SAM
would need a way to cause the realm in which the validation is performed
to be different from the certificate realm... or maybe we need to change
the way the glassfish CBH is initialized, when the application realm does
not support password validation.

Ron
> Best regards
>
> Paul
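An HttpServlet-layer SAM of the kind Paul describes, as an added example that is not from this thread or from GlassFish: it reads the `javax.servlet.request.X509Certificate` attribute the container sets after a TLS client-certificate handshake, and injects a caller principal and groups derived from the subject DN through the JASPIC callbacks. The DN-to-group table is constructed, and the module assumes the SSL listener itself requested the client certificate (not a web.xml CLIENT_CERT mechanism, which Ron notes cannot currently be combined with a SAM).

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;          // AuthException, AuthStatus, MessageInfo, MessagePolicy
import javax.security.auth.message.callback.*; // CallerPrincipalCallback, GroupPrincipalCallback
import javax.security.auth.message.module.ServerAuthModule;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CertDnServerAuthModule implements ServerAuthModule {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Constructed DN-to-group table (hypothetical; a real module would load it from configuration).
    private static final Map<String, String[]> GROUPS_BY_DN =
        Collections.singletonMap("cn=paul,ou=dev,o=example", new String[] {"user", "deployer"});
    private CallbackHandler handler;

    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map opts) {
        this.handler = h;
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
    }

    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) mi.getResponseMessage();
        // Set by the container only after it validated the client's chain against its truststore
        // during the TLS handshake; chain[0] is the end-entity (client) certificate.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) return reject(res, HttpServletResponse.SC_UNAUTHORIZED);
        // CANONICAL form normalises case and whitespace, so the lookup is not fragile to DN formatting.
        String dn = chain[0].getSubjectX500Principal().getName(X500Principal.CANONICAL);
        String[] groups = GROUPS_BY_DN.get(dn);
        if (groups == null) return reject(res, HttpServletResponse.SC_FORBIDDEN); // valid cert, unknown DN
        try { // Hand the caller name and groups to the container through its CallbackHandler.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(client, dn), new GroupPrincipalCallback(client, groups)});
        } catch (Exception e) {
            throw (AuthException) new AuthException("callback handler failed").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }
    private static AuthStatus reject(HttpServletResponse res, int status) throws AuthException {
        try { res.sendError(status); } catch (IOException e) { throw new AuthException(e.getMessage()); }
        return AuthStatus.SEND_FAILURE;
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject s) { s.getPrincipals().clear(); }
}
```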