users@glassfish.java.net

Re: Optional client cert authentication / fallback to basic

From: Mo Maison <momaison_at_yahoo.fr>
Date: Sun, 03 Feb 2013 12:16:35 +0100

On 03/02/2013 11:03, KumarJayanti wrote:
> On Feb 3, 2013, at 3:20 PM, Mo Maison wrote:
>
>> Hello,
>>
>> I didn't manage to make it work. After some research though,
>> I am not sure that this authentication method fallback is achievable
>> with Glassfish: I managed to request client certificate by calling
>> request.getAttribute("org.apache.coyote.request.X509Certificate"),
>> however if client does not have any, then ssl connection is broken.
>> Thus no chance to negotiate http basic authentication after that.
>>
>> I managed anyway to find a kind of workaround thanks to the
>> links below.
> What is the workaround, I am curious.
>

It is a workaround for the initial problem of being able
to authenticate with a certificate OR a login/pw.
I gave up on using the same URL, so I duplicated them.

Basically, I have set up a tiny war with /x509 context, which
requests a client cert for any path, and internally forwards
request to the URL path following /x509 (this targets
the original application war).
Thus a client with login/pw will use the usual URL /xxx/yyy
whereas a client with certificate will use URL /x509/xxx/yyy

Authentication type is not transparent (and I cannot imagine
a way for automatic redirects; maybe by requiring preemptive
basic authentication for clients, and asking for a client cert
if no Authorization: header is found?); ideas are welcome.

Also for a web site this may require some URL rewriting.


   M. Maison
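
A sketch of the forwarding WAR described in this message, added here as an example and not code from the original post. It assumes the WAR is deployed at context root /x509 with `<auth-method>CLIENT-CERT</auth-method>` in its web.xml, that cross-context dispatch is permitted, and that the target application lives at /xxx; the class name, `TARGET_ROOT` and `SUBJECT_ATTR` are hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Front-end servlet for the /x509 context: requires a client certificate,
// then forwards /x509/xxx/yyy internally to /yyy inside the /xxx application.
@WebServlet("/*")
public class X509ForwardServlet extends HttpServlet {
    // Hypothetical: the only context this front end may forward to.
    private static final String TARGET_ROOT = "/xxx";
    // Hypothetical attribute the target application reads to identify the caller.
    static final String SUBJECT_ATTR = "example.x509.subject";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Standard Servlet attribute carrying the validated client chain, if any.
        X509Certificate[] chain = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        // With a "/*" mapping, getPathInfo() is the path following /x509.
        String path = req.getPathInfo();
        if (path == null || !(path.equals(TARGET_ROOT) || path.startsWith(TARGET_ROOT + "/"))) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String rest = path.substring(TARGET_ROOT.length());
        // getContext() returns null when the container refuses cross-context access.
        ServletContext target = getServletContext().getContext(TARGET_ROOT);
        RequestDispatcher rd = target == null ? null
                : target.getRequestDispatcher(rest.isEmpty() ? "/" : rest);
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.setAttribute(SUBJECT_ATTR, chain[0].getSubjectX500Principal().getName());
        rd.forward(req, resp);
    }
}
```

Declarative security constraints in the target's web.xml apply to client requests, not to RequestDispatcher forwards, so the target application has to make its own authorization decision from the forwarded attribute. Pinning the forward to one context keeps the /x509 front end from becoming a path into every application on the server.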