users@glassfish.java.net

Calling getUserPrincipal() in a Web Service returns ANONYMOUS

From: <glassfish_at_javadesktop.org>
Date: Mon, 26 Jul 2010 09:52:29 PDT

Hello everyone, I'm trying to use plain SSL between my web service and a client application. They are both running in GlassFish 2.1.1 and are each in separate domains. The client application is itself a web application and I have added the JVM option -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as in order to get it to send its certificate to the Web Service.

I guess I should mention that I created a CA and created new private keys and certificates which were signed by the CA for both the WS and the client. I added the private keys to their keystores using the same s1as default name, and the new signed certificates plus the CA certificate to their trust stores.

Here are the technical details. I am protecting the WS with the following rule in web.xml:

<security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
        <web-resource-name>Customer</web-resource-name>
        <description/>
        <url-pattern>/basecustomer*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>WSClient</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>WSClient</role-name>
</security-role>

And the following in my sun-web.xml:
<security-role-mapping>
    <role-name>WSClient</role-name>
    <group-name>WSClient</group-name>
</security-role-mapping>

And finally in GlassFish under the Configuration -> Security -> Realms -> certificate I told it to Assign Group: WSClient

Adding a -Djavax.net.debug=ssl,handshake to the Web Service shows that they are exchanging their certificates and it establishes the connection and actually calls the Web Service, so I know it's working. The problem is that I need to do some things with the client certificate in the Web Service, but calling the getUserPrincipal method of the WebServiceContext that I declared earlier always returns ANONYMOUS.

[b]Why is it doing this and how can I get back what's in the certificate?[/b]
[Message sent by forum member 'hiro2k']

http://forums.java.net/jive/thread.jspa?messageID=478585
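For readers who want to get at the client certificate regardless of what the container hands back as the principal, the following is an added example (not code from the original post or from GlassFish). It reads the certificate chain that the servlet container attaches to the request under the standard Servlet-spec attribute javax.servlet.request.X509Certificate, taken from the JAX-WS MessageContext, and validates it before using anything from it. The endpoint class name, service name and the EXPECTED_ISSUER_DN value are assumptions for illustration; the role name WSClient comes from the post. It does not explain why getUserPrincipal() returns ANONYMOUS in the poster's setup; it only shows a second, independent source for the certificate data and the checks a practitioner should do on it.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

// Hypothetical endpoint name; the post does not give the service class.
@WebService(serviceName = "BaseCustomer")
public class BaseCustomerEndpoint {

    // Assumption: the DN of the private CA that signed the client certificates.
    // Pinning the issuer means a certificate that merely chained through some
    // other trusted CA in the trust store is still rejected here.
    private static final X500Principal EXPECTED_ISSUER =
            new X500Principal("CN=Example Internal CA, O=Example");

    private static final String ROLE = "WSClient";

    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    public String whoAmI() {
        MessageContext mc = wsContext.getMessageContext();
        HttpServletRequest req =
                (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST);

        // Standard Servlet attribute: populated only when the TLS layer actually
        // received a client certificate on this connection. Fail closed if absent,
        // even though the deployment descriptor says CLIENT-CERT.
        X509Certificate[] chain = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            throw new SecurityException("no client certificate on the TLS connection");
        }
        X509Certificate leaf = chain[0];

        try {
            // Reject expired or not-yet-valid certificates explicitly; the connector
            // may or may not have done this for us.
            leaf.checkValidity();
        } catch (CertificateException e) {
            throw new SecurityException("client certificate not currently valid: " + e.getMessage());
        }

        // X500Principal.equals() compares canonical forms, so attribute order and
        // whitespace differences in the DN string do not matter.
        if (!EXPECTED_ISSUER.equals(leaf.getIssuerX500Principal())) {
            throw new SecurityException("client certificate not issued by the expected CA: "
                    + leaf.getIssuerX500Principal().getName());
        }

        // What the container thinks, for comparison with the certificate itself.
        Principal p = wsContext.getUserPrincipal();
        String containerPrincipal = (p == null) ? "<null>" : p.getName();
        boolean inRole = wsContext.isUserInRole(ROLE);

        StringBuilder sb = new StringBuilder();
        sb.append("subject=").append(leaf.getSubjectX500Principal().getName());
        sb.append(" issuer=").append(leaf.getIssuerX500Principal().getName());
        sb.append(" serial=").append(leaf.getSerialNumber().toString(16));
        sb.append(" sha256=").append(fingerprint(leaf));
        sb.append(" containerPrincipal=").append(containerPrincipal);
        sb.append(" inRole(").append(ROLE).append(")=").append(inRole);
        return sb.toString();
    }

    // SHA-256 over the DER encoding, lowercase hex; suitable for logging or for
    // matching against an allow-list of known client certificates.
    static String fingerprint(X509Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (int i = 0; i < digest.length; i++) {
                hex.append(String.format("%02x", digest[i] & 0xff));
            }
            return hex.toString();
        } catch (Exception e) {
            throw new IllegalStateException("cannot fingerprint certificate", e);
        }
    }
}
```

If the attribute is null while the SSL debug output shows the certificate being exchanged, the certificate reached the JVM but was not associated with the servlet request, which points at the connector or realm configuration rather than at the TLS handshake; if it is present while getUserPrincipal() still reports ANONYMOUS, the transport did its job and the gap is between the certificate realm and the web container's authentication. Either way, treat the subject DN as untrusted input until the issuer pin and validity checks above have passed.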