users@glassfish.java.net

[gf-users] Re: Custom realm using x509 certificates and DB realm in Glassfish 3.1.1

From: Ali Gholami <gholami_at_kth.se>
Date: Wed, 31 Dec 2014 15:55:39 +0100

Thanks Martin for the reply.

Right, the declarative security unfortunately allows only one auth
method (similar to Tomcat) in web.xml. I want to use both "Basic and
Certificate" at the same time. I was wondering whether I could create a
custom realm that embodies both methods in one realm.

The attached image shows my login page. The first category logs in with
the custom Basic realm (Yubikey user) and the second one with a certificate.

I think Tomcat solves this issue by running two different domains at the
same time, but I don't know how Glassfish supports such a use case.

Best regards
Ali


On 2014-12-31 15:06, Martin Gainty wrote:
> declarative security allows 1 Authentication type per app so you will
> need 2 web applications one with web.xml of:
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>BASIC Realm</realm-name>
> </login-config>
>
> for the other webapp your web.xml will be CERTIFICATE
> <login-config>
> <auth-method>CERTIFICATE</auth-method>
> <realm-name>CERTIFICATE Realm</realm-name>
> </login-config>
>
> Programmatic EJBSecurity allows twiddling Principal/Role information
> but on a Basic USERNAME_PASSWORD auth method realm
> read this:
>
> auth-method
> <http://docs.oracle.com/cd/E26576_01/doc.312/e24929/dd-elements.htm#beaqx>
> only one
> Specifies the authentication method. The only supported value is
> USERNAME_PASSWORD.
>
> at least for context based you can only have one auth-method allowed
>
> http://docs.oracle.com/cd/E26576_01/doc.312/e24929/dd-elements.htm
>
> also read this:
>
>
> Specifying an Authentication Mechanism and Secure Connection
>
> When method permissions are specified, basic user name/password
> authentication will be invoked by the GlassFish Server.
> To use a different type of authentication or to require a secure
> connection using SSL, specify this information in an application
> deployment descriptor...web.xml
>
>
>
> http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html#bnbyu
>
>
> If I recall correctly Tomcat has the same limitations on one
> auth-method per webapp
> Martin Gainty
> ______________________________________________
>
>
>
> > Date: Wed, 31 Dec 2014 12:13:29 +0100
> > From: gholami_at_kth.se
> > To: users_at_glassfish.java.net
> > Subject: [gf-users] Custom realm using x509 certificates and DB
> realm in Glassfish 3.1.1
> >
> > Hi,
> >
> > I need a custom realm to authenticate two groups of users. One group is
> > authenticated using x509 certificate and another group using a custom
> > two-factor authentication DBRealm (username/one-time password). I
> wonder
> > if someone knows how to implement such a custom realm for these two
> groups
> > in Glassfish 3.1.1.
> >
> > I was reading the custom realm documentation and it seems I should
> > implement a custom LoginModule (MyCustomLoginModule) that extends
> > AppservCertificateLoginModule and AppservPasswordLoginModule. But as
> you
> > know multiple inheritance is not allowed in Java and also both these
> > classes have authenticateUser() method in common:
> >
> > --------
> > @Override
> > protected void authenticateUser() throws LoginException {
> > }
> > --------
> >
> > My two-factor DB realm works fine for one group of users as I could
> > extend AppservPasswordLoginModule without any problem:
> >
> > --------
> > import com.sun.appserv.security.AppservPasswordLoginModule;
> > import javax.security.auth.login.LoginException;
> >
> > public class MyCustomLoginModule extends AppservPasswordLoginModule {
> >     @Override
> >     protected void authenticateUser() throws LoginException {
> >         // my code
> >     }
> > }
> > --------
> >
> > Now the issue is adding certificate authentication to the
> > MyCustomLoginModule to enable the other group with certificates to be
> > authenticated. I should clarify users with certificates do not use
> > two-factor authentication. They will be only authenticated through
> their
> > personal x509 certificates protected with a password embedded in their
> > browsers.
> >
> > I would appreciate it if someone could give me some hints to solve this
> > problem.
> >
> > Best regards
> > Ali
> >
> >

screeshot.png
(image/png attachment: screeshot.png)
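As an added illustration of the approach discussed in this thread (not code from the thread, from Ali, or from GlassFish itself): the certificate group gets its own LoginModule extending AppservCertificateLoginModule, deployed in the web app whose web.xml carries `<auth-method>CERTIFICATE</auth-method>`, while the working password/OTP module stays as it is in the BASIC web app. That removes the need for one class to extend both base classes. The package name `example.security`, the sample subject DNs and the group names are constructed for this example; the inherited methods `getX500Principal()` and `commitUserAuthentication(String[])` are assumed to be provided by the GlassFish 3.1.x base class and are not confirmed by the thread.

```java
package example.security;

import java.util.HashMap;
import java.util.Map;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.login.LoginException;
import javax.security.auth.x500.X500Principal;

import com.sun.appserv.security.AppservCertificateLoginModule;

/**
 * Certificate-side login module, kept separate from the password/OTP module.
 * Assumption: the base class exposes getX500Principal() for the client
 * certificate the container already validated during the TLS handshake, and
 * commitUserAuthentication(String[]) to finish the login with a group list.
 */
public class MyCertificateLoginModule extends AppservCertificateLoginModule {

    /** Constructed sample registry of subject DN -> groups. A real deployment
     *  would look this up in the same database the password realm uses. */
    private static final Map<LdapName, String[]> GROUPS_BY_SUBJECT =
            new HashMap<LdapName, String[]>();

    static {
        register("CN=Alice Example,OU=Demo,O=Example,C=SE", "certusers");
        register("CN=Bob Admin,OU=Demo,O=Example,C=SE", "certusers", "admins");
    }

    private static void register(String dn, String... groups) {
        try {
            GROUPS_BY_SUBJECT.put(new LdapName(dn), groups);
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("bad sample DN: " + dn, e);
        }
    }

    @Override
    protected void authenticateUser() throws LoginException {
        // Chain validation against the trust store is the container's job.
        // This module only decides whether the presented subject is a
        // registered user and which groups it belongs to.
        X500Principal subject = getX500Principal();
        if (subject == null) {
            throw new LoginException("no client certificate presented");
        }
        String[] groups = groupsForSubject(subject.getName(X500Principal.RFC2253));
        if (groups == null) {
            // Fail closed: a valid but unregistered certificate is not a login.
            throw new LoginException("certificate subject is not a registered user");
        }
        commitUserAuthentication(groups);
    }

    /** Resolve the groups for a subject DN. LdapName.equals compares RDNs with
     *  attribute types and string values normalized, so a DN whose attribute
     *  types differ only in case still matches the registered form. */
    static String[] groupsForSubject(String rfc2253Dn) throws LoginException {
        try {
            String[] groups = GROUPS_BY_SUBJECT.get(new LdapName(rfc2253Dn));
            return groups == null ? null : groups.clone();
        } catch (InvalidNameException e) {
            throw new LoginException("unparseable subject DN: " + e.getMessage());
        }
    }
}
```

Keying the registry on the parsed LdapName rather than the raw DN string avoids a common mismatch between the RFC 2253 form the certificate yields and the form an administrator typed into the database. Returning a clone of the group array keeps the shared registry immutable from the caller's side.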