users@glassfish.java.net

[gf-users] Re: Custom realm using x509 certificates and DB realm in Glassfish 3.1.1

From: Martin Gainty <mgainty_at_hotmail.com>
Date: Wed, 31 Dec 2014 09:06:24 -0500

Declarative security allows 1 authentication type per app, so you will need 2 web applications, one with a web.xml of:
<login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>BASIC Realm</realm-name>
</login-config>

In the other webapp your web.xml will be CERTIFICATE:
<login-config>
 <auth-method>CERTIFICATE</auth-method>
 <realm-name>CERTIFICATE Realm</realm-name>
</login-config>

Programmatic EJB security allows twiddling Principal/Role information, but on a Basic USERNAME_PASSWORD auth-method realm. Read this:

auth-method (only one): Specifies the authentication method. The only supported value is USERNAME_PASSWORD.

At least for context-based security, you can only have one auth-method allowed.

http://docs.oracle.com/cd/E26576_01/doc.312/e24929/dd-elements.htm

Also read this:

Specifying an Authentication Mechanism and Secure Connection
When method permissions are specified, basic user name/password authentication will be invoked by the GlassFish Server.

To use a different type of authentication or to require a secure connection using SSL, specify this information in an application deployment descriptor...web.xml

http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html#bnbyu


If I recall correctly, Tomcat has the same limitation of one auth-method per webapp.
Martin Gainty
______________________________________________



> Date: Wed, 31 Dec 2014 12:13:29 +0100
> From: gholami_at_kth.se
> To: users_at_glassfish.java.net
> Subject: [gf-users] Custom realm using x509 certificates and DB realm in Glassfish 3.1.1
>
> Hi,
>
> I need a custom realm to authenticate two groups of users. One group is
> authenticated using x509 certificate and another group using a custom
> two-factor authentication DBRealm (username/one-time password). I wonder
> if someone knows how to implement such custom realm for these two groups
> in Glassfish 3.1.1.
>
> I was reading the custom realm documentation and it seems I should
> implement a custom LoginModule (MyCustomLoginModule) that extends
> AppservCertificateLoginModule and AppservPasswordLoginModule. But as you
> know multiple inheritance is not allowed in Java and also both these
> classes have authenticateUser() method in common:
>
> --------
> @Override
> protected void authenticateUser() throws LoginException {
> }
> --------
>
> My two-factor DB realm works fine for one group of users as I could
> extend AppservPasswordLoginModule without any problem:
>
> --------
> import javax.security.auth.login.LoginException;
> import com.sun.appserv.security.AppservPasswordLoginModule;
>
> public class MyCustomLoginModule extends AppservPasswordLoginModule {
>     @Override
>     protected void authenticateUser() throws LoginException {
>         // my code: verify username / one-time password against the DB realm,
>         // then commitUserAuthentication(groups) or throw LoginException
>     }
> }
> --------
>
> Now the issue is adding certificate authentication to the
> MyCustomLoginModule to enable other group with certificates to be
> authenticated. I should clarify users with certificates do not use
> two-factor authentication. They will be only authenticated through their
> personal x509 certificates protected with a password embedded in their
> browsers.
>
> I would appreciate if someone could give me some hints to solve this
> problem.
>
> Best regards
> Ali
>
>