users@glassfish.java.net

Using certificate authentication and _at_RolesAllowed

From: <glassfish_at_javadesktop.org>
Date: Tue, 03 Nov 2009 09:02:14 PST

Hi,

I have the following problem:
to provide a WebService I've annotated an EJB with @WebService, and also want to use the annotation @RolesAllowed (at the latest, on EJBs which are called by this WebService). Until now I've used authentication by username/password, using an own realm and an own LoginModule, extending the AppservPasswordLoginModule. Within this LoginModule, the user is mapped to some roles read from the database. So far, everything is fine.

But now I want to use authentication via X509 certificates. And here I also want to add some roles to the user, to pass the @RolesAllowed annotation.

* Without defining anything (only using Server/ClientProvider in MessageSecurityConfiguration for SOAP in glassfish) the certificate was validated correctly and the WebserviceContext contains this certificate. But I need a possibility to add some roles.

* My idea was to use the CertificateRealm and write an own LoginModule for it.
** I tried to use the CertificateRealm, but I didn't get it working. In my sun-ejb-jar.xml I've defined:
    <ejb>
      <ejb-name>WsAccessBean</ejb-name>
      <webservice-endpoint>
        <port-component-name>WsAccessBean</port-component-name>
        <login-config>
          <auth-method>CLIENT-CERT</auth-method>
          <realm>certificate</realm>
        </login-config>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </webservice-endpoint>
    </ejb>

But I got the error "Invalid request scheme for Endpoint WsAccessFacadeBean. Expected https . Received http" on the server.log. I'm calling the WebService with soapUI, perhaps there's something wrong with my client side configuration. Is this the correct usage of the certificate realm?

** (How) Is it possible to write an own LoginModule for the CertificateRealm? I didn't find a class to be extended for that case (according to the AppservPasswordLoginModule).

* Is there another way I didn't see here to realize authentication with certificates adding roles to the user?

Thanks for help.
[Message sent by forum member 'freddydaking' (weishaeupl_at_gmail.com)]

http://forums.java.net/jive/thread.jspa?messageID=370353
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.