users@glassfish.java.net

Re: Optional client cert authentication / fallback to basic

From: KumarJayanti <v.b.kumar.jayanti_at_oracle.com>
Date: Sun, 3 Feb 2013 15:33:21 +0530

On Feb 3, 2013, at 3:20 PM, Mo Maison wrote:

>
> Hello,
>
> I didn't manage to make it work. After some research though,
> I am not sure that this authentication method fallback is achievable
> with Glassfish : I managed to request client certificate by calling
> request.getAttribute("org.apache.coyote.request.X509Certificate"),
> however if client does not have any, then ssl connection is broken.
> Thus no chance to negotiate http basic authentication after that.
>
> I managed anyway to find a kind of workaround thanks to the
> links below.
What is the workaround? I am curious.
> Thank you for your advice!
>
> Regards,
>
> M. Maison
>
>
> On 28/01/2013 07:04, KumarJayanti wrote:
>> If you wish to do that then you will need to write a JSR 196 SAM and plug it in with your.
>>
>> http://docs.oracle.com/cd/E18930_01/html/821-2435/gkkyv.html
>>
>> https://blogs.oracle.com/monzillo/entry/pluggable_authentication_in_the_glassfish
>>
>> On Jan 28, 2013, at 12:18 AM, Mo Maison wrote:
>>
>>>
>>> Hello glassfish users,
>>>
>>> I would like to use the same URL with two methods
>>> of authentication : client certificate, and if none is supplied
>>> then basic http.
>>> However, this seems impossible to do since if the URL
>>> is defined as CLIENT_CERT, then if client does not supply
>>> its certificate, request process is aborted by glassfish
>>> before it reaches application code (where a filter could
>>> handle basic authentication).
>>>
>>> I am aware of the following optional certificate feature
>>> http://java.net/jira/browse/GLASSFISH-6935
>>> and thought it would solve my problem.
>>> However the main drawback is that this is defined on the
>>> connector itself, and is thus common to all URLs : on the
>>> client side, it triggers a certificate choice popup (or password
>>> credentials on java webstarts) even on unauthenticated
>>> URLs. This is not an option.
>>>
>>> Would it be possible to do a per-url optional certificate,
>>> maybe by defining several login methods in web.xml or so.
>>> Any advice on this topic will be appreciated, even if this is
>>> glassfish/grizzly specific.
>>>
>>> I have also considered JSR-196, but could not figure out
>>> if this may solve my problem or not.
>>> I use GF 3.1.2.2
>>>
>>> Regards,
>>>
>>> M. Maison
>>
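
A sketch of the kind of JSR 196 SAM suggested in the thread, as an added example that is not code from either poster or from GlassFish. It assumes the HTTPS listener asks for a client certificate without requiring one, so the connection survives when none is sent; the class name `CertOrBasicSam` and the realm name are hypothetical, and mapping the certificate subject to groups is left to the container.

```java
import java.nio.charset.Charset;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
import javax.xml.bind.DatatypeConverter;
// Hypothetical SAM: use the client certificate if one was presented, else HTTP Basic.
public class CertOrBasicSam implements ServerAuthModule {
    private static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map opts) { handler = h; }
    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest rq = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse rs = (HttpServletResponse) mi.getResponseMessage();
        try {
            // Standard servlet attribute; non-null only if the TLS handshake carried a certificate chain.
            X509Certificate[] chain = (X509Certificate[]) rq.getAttribute("javax.servlet.request.X509Certificate");
            if (chain != null && chain.length > 0) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, chain[0].getSubjectX500Principal()) });
                return AuthStatus.SUCCESS;
            }
            String hdr = rq.getHeader("Authorization");
            if (hdr != null && hdr.regionMatches(true, 0, "Basic ", 0, 6)) {
                String cred = new String(DatatypeConverter.parseBase64Binary(hdr.substring(6).trim()), Charset.forName("UTF-8"));
                int i = cred.indexOf(':');
                String user = i > 0 ? cred.substring(0, i) : "";
                PasswordValidationCallback pv = new PasswordValidationCallback(client, user, cred.substring(i + 1).toCharArray());
                if (i > 0) handler.handle(new Callback[] { pv });   // the container's realm checks the password
                if (pv.getResult()) {
                    handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) });
                    return AuthStatus.SUCCESS;
                }
            }
            // No credentials: unprotected resources pass through, protected ones get a Basic challenge.
            if (!Boolean.parseBoolean(String.valueOf(mi.getMap().get(MANDATORY)))) return AuthStatus.SUCCESS;
            rs.setHeader("WWW-Authenticate", "Basic realm=\"example\"");   // placeholder realm name
            rs.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_CONTINUE;
        } catch (Exception e) {
            throw (AuthException) new AuthException("authentication failed").initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) { subject.getPrincipals().clear(); }
}
```

Registering the module with the container is covered by the two links quoted in the thread.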