I understand that, to enforce SSL Client Authentication via Certificate,
there are two ways.
1. Enforcing the Client Authentication at the Http Listener Level.
2. Auth Mode Configuration in WEB.XML.
In my setup, there are multiple web apps which require SSL Server
Authentication, however only one app requires Client Authentication.
Now, with a single Http Listener, I had turned "Client Authentication" OFF
at the HTTP Listener level and configured the web.xml of the application
that requires Client Authentication with the following.
<security-constraint>
<web-resource-collection>
<web-resource-name>TEST</web-resource-name>
<description>test</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
<user-data-constraint>
<description>This web demands SSL</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<role-name>Admin</role-name>
</security-role>
But when accessing the URL, Server is not requesting for the Client
Certificate. Is this a bug?
However, when I enabled "Client Authentication" at the HTTP Listener level,
client auth is turned on across the board, irrespective the configuration in
Web.xml.
--
View this message in context: http://old.nabble.com/SSL-Client-Authentication-tp28340078p28340078.html
Sent from the java.net - glassfish users mailing list archive at Nabble.com.