users@glassfish.java.net

[gf-users] Can't get a certificate realm to work, that did work before

From: Andreas Junius <andreas.junius_at_gmail.com>
Date: Thu, 09 Oct 2014 18:00:06 +1030

Hi All,

This is my first post on the list, I just joined it. I do have trouble
getting an application using the certificate realm working.

That's what I have so far:

-A fresh install (from zip-file) of Glassfish 3.1.2.2, Glassfish 4.0 and
Glassfish 4.1
  (using the default self-signed certificate)
-A group name added to the certificate realm via the web console (only
one name to rule out problems with multiple names)
-A web application that asks for a client-certificate using that group
name and role.
-A web.xml file and
-A glassfish-web.xml (below)

This application used to work (it's just a test project that returns
hard-coded values) on Glassfish 4.0. I wasn't able to get it to run on
Glassfish 4.1 or GF 3.1. So I installed a number of Glassfish instances
from scratch to isolate the problem. The application isn't working on
any of these instances now, even GF 4.0. The issue is that the server
doesn't return any content at all and it does not ask for a client
certificate. I do have client certificates installed in Firefox (there
is a bug in Firefox, it does not ask the user for a cert unless it has
at least one in its certificate store). Firefox just says: "The
connection was reset", and Google Chrome says "No data received". The
Glassfish logs don't contain any entries; that's what makes it so hard
for me to track down the issue.

My question therefore: what can I do to enable detailed logging for a
certificate realm? And what is wrong with my set-up? Did I forget
something important? Is there a detailed how-to somewhere on the net?


Cheers,
Andreas

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://java.sun.com/xml/ns/javaee"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
        id="WebApp_ID" version="3.0">
        <display-name>Test REST Server</display-name>

        <!-- execution order of filters defined via annotation -->
        <filter-mapping>
                <filter-name>HeaderFilter</filter-name>
                <url-pattern />
        </filter-mapping>
        <filter-mapping>
                <filter-name>ClientCertificateFilter</filter-name>
                <url-pattern />
        </filter-mapping>
        <filter-mapping>
                <filter-name>BasicAuthFilter</filter-name>
                <url-pattern />
        </filter-mapping>
        <filter-mapping>
                <filter-name>CryptographyFilter</filter-name>
                <url-pattern />
        </filter-mapping>

        <!-- order -->
        <absolute-ordering>
                <name>HeaderFilter</name>
                <name>ClientCertificateFilter</name>
                <name>BasicAuthFilter</name>
                <name>CryptographyFilter</name>
        </absolute-ordering>

        <!-- use secure session cookie flag -->
        <session-config>
                <cookie-config>
                        <http-only>true</http-only>
                        <secure>true</secure>
                </cookie-config>
        </session-config>

        <!-- security role -->
        <security-role>
                <role-name>users</role-name>
        </security-role>

        <!-- certificate realm -->
        <login-config>
                <auth-method>CLIENT-CERT</auth-method>
                <realm-name>certificate</realm-name>
        </login-config>

        <!-- enforce ssl on all endpoints -->
        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Anonymous</web-resource-name>
                        <url-pattern>/os/*</url-pattern>
                        <url-pattern>/osba/*</url-pattern>
                </web-resource-collection>
                <user-data-constraint>
                        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
        </security-constraint>

        <!-- enforce ssl and mutual authentication on all endpoints using this constraint -->
        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Authenticated</web-resource-name>
                        <url-pattern>/mutual/*</url-pattern>
                        <url-pattern>/mutualba/*</url-pattern>
                </web-resource-collection>
                <!-- role that gets mapped with the user group -->
                <auth-constraint>
                        <role-name>users</role-name>
                </auth-constraint>
                <user-data-constraint>
                        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
        </security-constraint>

</web-app>


and a glassfish-web.xml that looks like this:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app>
        <context-root>/test</context-root>
        <!-- map the role with users and/or user groups -->
        <security-role-mapping>
                <role-name>users</role-name>
                <group-name>users</group-name>
        </security-role-mapping>
</glassfish-web-app>
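As an added diagnostic (not from the original post and not GlassFish's own tooling): a POSIX shell helper that drives openssl s_client against the HTTPS listener with the protected path from the web.xml above and classifies whether the server ever sent a TLS CertificateRequest, so a reset with empty logs can be told apart from a handshake that completes without asking for a certificate. Host, port and client key/cert file names are placeholders supplied by the caller; openssl on PATH is assumed.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. Drives openssl s_client
# against a GlassFish HTTPS listener and reports whether the server sent a
# CertificateRequest. Assumes openssl on PATH; host, port and client
# key/cert paths are placeholders the caller supplies.

# Classify an s_client transcript (captured with -state) read from stdin.
# Prints REQUESTED, NOT_REQUESTED or HANDSHAKE_FAILED.
# "read server certificate request" is the -state line for the
# CertificateRequest message; it appears both in an initial handshake and
# in the renegotiation GlassFish triggers on a CLIENT-CERT protected URL.
# "Verify return code" is printed only once the handshake completed, so its
# presence without a request means the server never asked for a cert.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"read server certificate request"*)        echo REQUESTED ;;
        *"Acceptable client certificate CA names"*) echo REQUESTED ;;
        *"Verify return code"*)                     echo NOT_REQUESTED ;;
        *)                                          echo HANDSHAKE_FAILED ;;
    esac
}

# usage: probe_server host port path [client-cert.pem client-key.pem]
# The GET to a protected path is sent through the TLS session because that
# request is what makes GlassFish renegotiate and ask for the certificate.
probe_server() {
    host=$1; port=$2; path=$3; cert=${4:-}; key=${5:-}
    certopts=""
    [ -n "$cert" ] && certopts="-cert $cert -key $key"
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host" |
        openssl s_client -connect "$host:$port" -servername "$host" \
            -state $certopts 2>&1 |
        classify_handshake
}

# Constructed sample transcript (not captured from a real server) so the
# classifier can be exercised without a GlassFish instance.
SAMPLE_NO_REQUEST='SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server done
---
No client certificate CA names sent
Verify return code: 18 (self signed certificate)'

# Example against the context root and path from the web.xml above:
#   probe_server localhost 8181 /test/mutual/ client.pem client.key
printf '%s\n' "$SAMPLE_NO_REQUEST" | classify_handshake   # NOT_REQUESTED
```

For the GlassFish side of the same handshake, `asadmin create-jvm-options -Djavax.net.debug=ssl,handshake` followed by a domain restart makes the JSSE handshake trace appear in server.log even when the realm itself logs nothing.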