users@glassfish.java.net

Re: how we can determine groups and role mapping when we are using Client-Cert?

From: Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Wed, 05 Aug 2009 18:10:49 +0530

Sarah kho wrote:
> Thank you for the reply.
> Assume that I have an application for which multiple roles need to
> be defined. Some URLs are available for role1 and some for role2.
> I also need client-cert authentication in place. Is it possible to have
> authorization and use the client-cert authentication method?
As suggested by monzillo in the other thread

http://forums.java.net/jive/thread.jspa?messageID=358963

try implementing a custom CertificateRealm of your own, remove the
original GlassFish certificaterealm from the domain configuration and
instead register your certificate realm with the name "certificate".

thanks.

> Thanks.
> I am looking to know how we can use the client-cert authentication method
> for authorization purposes. Assume I have some URLs only available for
> managers and not for employees.
>
> On Fri, Jul 31, 2009 at 4:15 AM, Martin Gainty <mgainty_at_hotmail.com
> <mailto:mgainty_at_hotmail.com>> wrote:
>
> ./config/domain.xml jacc-provider group-node contains no group
> attribute or group node
>
> keytool contains no group attribute
>
> Could you describe what group would be used for?
>
> Martin Gainty
> ------------------------------------------------------------------------
> Date: Fri, 31 Jul 2009 03:38:45 +0430
> From: sarah.kho_at_gmail.com <mailto:sarah.kho_at_gmail.com>
> To: users_at_glassfish.dev.java.net <mailto:users_at_glassfish.dev.java.net>
> Subject: Re: how we can determine groups and role mapping when we
> are using Client-Cert?
>
>
> Hi,
> Any comment is welcome.
> I am just looking to know how we can determine the group
> information when we use client-cert for authentication in a web
> application.
> Thanks.
>
> On Thu, Jul 30, 2009 at 3:09 PM, Sarah kho <sarah.kho_at_gmail.com>
> wrote:
>
> Hi,
> When we use client-cert authentication, clients should provide
> digital certificates verifiable by the server to be able to
> connect to the server.
> I am wondering how we can determine roles and groups when we
> use the client-cert type.
> Do clients' digital certificates have some attribute showing
> which groups they belong to?
> Thanks
>
>
>
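The group-lookup step that a custom certificate realm like the one suggested above would need, as an added example that is not part of the original thread and is not GlassFish code. It assumes the issuing CA writes the group name into the OU attribute of the subject DN; the class `CertGroupMapper`, the method `groupsFor` and the group allowlist are hypothetical names, and the sample subjects are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper, not a GlassFish class: derives group names from the
// subject DN of a client certificate the server has already verified.
public class CertGroupMapper {

    // Assumed convention: the CA writes the group into OU. Only groups on this
    // allowlist are ever granted, so an unexpected OU value grants nothing.
    private static final List<String> KNOWN_GROUPS = Arrays.asList("managers", "employees");

    static List<String> groupsFor(X500Principal subject) throws InvalidNameException {
        // Parse the RFC 2253 string with LdapName instead of splitting on ',',
        // so an escaped comma inside a value cannot be read as an extra OU.
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        List<String> groups = new ArrayList<>();
        for (Rdn rdn : dn.getRdns()) {
            if (!"OU".equalsIgnoreCase(rdn.getType()) || !(rdn.getValue() instanceof String)) {
                continue;
            }
            String ou = ((String) rdn.getValue()).trim().toLowerCase(Locale.ROOT);
            if (KNOWN_GROUPS.contains(ou) && !groups.contains(ou)) {
                groups.add(ou);
            }
        }
        return groups;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample subjects, not taken from the thread.
        String[] samples = {
            "CN=Alice,OU=managers,O=Example,C=US",
            "CN=Bob,OU=employees,O=Example,C=US",
            // The CN value contains an escaped ",OU=managers"; the only real OU is contractors.
            "CN=Mallory\\,OU\\=managers,OU=contractors,O=Example,C=US"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + groupsFor(new X500Principal(s)));
        }
    }
}
```

Groups derived this way are only as trustworthy as the CA's control over the OU field, and the application's deployment descriptor still has to map the returned groups to its roles.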