users@glassfish.java.net

Re: How to optionally request a client certificate?

From: Kumar.Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Mon, 21 Feb 2011 08:53:31 +0530

On 19/02/11 5:32 AM, Michael Schmidt wrote:
> How can I optionally request client certificate authentication - i.e., enable clients to show their certificate if they have one, and still proceed if they don't have a client certificate installed?
>
> The Blog [1] reads to add a property to http-listener element in domain.xml:
> <property name="com.sun.grizzly.ssl.auth" value="want"/>
>
> However, the existing browser client certificate is not requested. The GlassFish server is properly set up, i.e., requires client certificates with the option "client-auth-enabled" set to true.
>
> A different version described at [2] doesn't work either.
>
> Any ideas on this?
The Protocol element's ssl child should have the client-auth attribute
set to "want".

Example:

<protocol security-enabled="true" name="sec-admin-listener">
  <http default-virtual-server="__asadmin" encoded-slash-enabled="true">
    <file-cache></file-cache>
  </http>
  <ssl client-auth="want" ssl3-enabled="false"
       classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl"
       cert-nickname="s1as"></ssl>
</protocol>

regards,
kumar
> Best,
> Michael
>
> [1] http://blogs.sun.com/kalpana/entry/client_auth_requested_in_glassfish
> [2] http://java.net/jira/browse/GLASSFISH-6935
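
Added example, not part of the original thread: a Python check that lists, for each TLS-enabled protocol element in a domain.xml, which client-certificate setting is configured on its ssl child, and notes where the property form from the question is still present. The sample XML, the function name and the http-listener id are constructed for illustration.

```python
import xml.etree.ElementTree as ET

GRIZZLY_PROP = "com.sun.grizzly.ssl.auth"  # property named in the question

# Constructed sample for illustration, not a real domain.xml.
SAMPLE = """\
<config>
  <protocol security-enabled="true" name="sec-admin-listener">
    <ssl client-auth="want" ssl3-enabled="false" cert-nickname="s1as"/>
  </protocol>
  <protocol security-enabled="true" name="http-listener-2">
    <ssl client-auth-enabled="true" cert-nickname="s1as"/>
  </protocol>
  <protocol security-enabled="false" name="http-listener-1"/>
  <http-listener id="old-listener">
    <property name="com.sun.grizzly.ssl.auth" value="want"/>
  </http-listener>
</config>
"""

def audit_client_auth(xml_text):
    """Return ({protocol name: configured setting}, [findings])."""
    root = ET.fromstring(xml_text)
    settings, findings = {}, []
    for proto in root.iter("protocol"):
        if proto.get("security-enabled") != "true":
            continue  # no TLS on this protocol, so no client certificate
        ssl = proto.find("ssl")
        attr = ssl.get("client-auth") if ssl is not None else None
        flag = ssl is not None and ssl.get("client-auth-enabled") == "true"
        if attr and flag:
            findings.append("%s: client-auth and client-auth-enabled both set"
                            % proto.get("name"))
        settings[proto.get("name")] = attr or ("client-auth-enabled" if flag else "unset")
    # Report the property form wherever it appears, with its parent element.
    for parent in root.iter():
        for prop in parent.findall("property"):
            if prop.get("name") == GRIZZLY_PROP:
                findings.append("<%s> carries %s=%s, not the ssl attribute"
                                % (parent.tag, GRIZZLY_PROP, prop.get("value")))
    return settings, findings

if __name__ == "__main__":
    settings, findings = audit_client_auth(SAMPLE)
    for name, setting in settings.items():
        print("%-20s %s" % (name, setting))
    for line in findings:
        print("note:", line)
```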