users@glassfish.java.net

Re: Optional client cert authentication / fallback to basic

From: Mo Maison <momaison_at_yahoo.fr>
Date: Sun, 03 Feb 2013 10:50:32 +0100

Hello,

I didn't manage to make it work. After some research though,
I am not sure that this authentication method fallback is achievable
with Glassfish: I managed to request the client certificate by calling
request.getAttribute("org.apache.coyote.request.X509Certificate"),
however if the client does not have any, then the SSL connection is broken.
Thus no chance to negotiate HTTP basic authentication after that.

I managed anyway to find a kind of workaround thanks to the
links below.
Thank you for your advice!

Regards,

  M. Maison


On 28/01/2013 07:04, KumarJayanti wrote:
> If you wish to do that then you will need to write a JSR 196 SAM and
> plug it in with your.
>
> http://docs.oracle.com/cd/E18930_01/html/821-2435/gkkyv.html
>
> https://blogs.oracle.com/monzillo/entry/pluggable_authentication_in_the_glassfish
>
> On Jan 28, 2013, at 12:18 AM, Mo Maison wrote:
>
>>
>> Hello glassfish users,
>>
>> I would like to use the same URL with two methods
>> of authentication: client certificate, and if none is supplied
>> then basic HTTP.
>> However, this seems impossible to do since if the URL
>> is defined as CLIENT_CERT, then if the client does not supply
>> its certificate, request processing is aborted by glassfish
>> before it reaches application code (where a filter could
>> handle basic authentication).
>>
>> I am aware of the following optional certificate feature
>> http://java.net/jira/browse/GLASSFISH-6935
>> and thought it would solve my problem.
>> However the main drawback is that this is defined on the
>> connector itself, and is thus common to all URLs: on the
>> client side, it triggers a certificate choice popup (or password
>> credentials on java webstarts) even on unauthenticated
>> URLs. This is not an option.
>>
>> Would it be possible to do a per-url optional certificate,
>> maybe by defining several login methods in web.xml or so?
>> Any advice on this topic will be appreciated, even if this is
>> glassfish/grizzly specific.
>>
>> I have also considered JSR-196, but could not figure out
>> if this may solve my problem or not.
>> I use GF 3.1.2.2
>>
>> Regards,
>>
>> M. Maison
>