users@glassfish.java.net

[gf-users] Re: Custom realm using x509 certificates and DB realm in Glassfish 3.1.1

From: William <streetpoet_at_163.com>
Date: Sun, 4 Jan 2015 10:34:59 +0800

You can define one custom realm with multiple login modules.
The configuration looks like this:

In your <glassfish folder>/domains/domain1/config/login.conf file

mtRealm {
    // tried in this order; the first module that succeeds ends the chain
    com.spstudio.xxx.security.XxxCookieLoginModule sufficient;
    com.spstudio.xxx.security.XxxJdbcLoginModule sufficient;
};

You can use the 'sufficient' keyword to indicate that a user can log in successfully using any one of the login modules.


> On Dec 31, 2014, at 10:55 PM, Ali Gholami <gholami_at_kth.se> wrote:
>
> Thanks Martin for the reply.
>
> Right, the declarative security unfortunately allows only one auth method (similar to Tomcat) in web.xml. I want to use both "Basic and Certificate" at the same time. I was thinking that I could create a custom realm to embody both methods in one realm.
>
> The attached image shows my login page. First category login with the custom Basic realm (Yubikey user) and second one using certificate.
>
> I think Tomcat solves this issue by running two different domains at the same time, but I don't know how GlassFish supports such a use case.
>
> Best regards
> Ali
>
>
> On 2014-12-31 15:06, Martin Gainty wrote:
>> declarative security allows 1 Authentication type per app so you will need 2 web applications one with web.xml of:
>> <login-config>
>> <auth-method>BASIC</auth-method>
>> <realm-name>BASIC Realm</realm-name>
>> </login-config>
>>
>> the other webapp your web.xml will be CERTIFICATE
>> <login-config>
>> <auth-method>CERTIFICATE</auth-method>
>> <realm-name>CERTIFICATE Realm</realm-name>
>> </login-config>
>>
>> Programmatic EJBSecurity allows twiddling Principal/Role information but on a Basic USERNAME_PASSWORD auth method realm
>> read this:
>>
>> auth-method (http://docs.oracle.com/cd/E26576_01/doc.312/e24929/dd-elements.htm#beaqx)
>> only one
>> Specifies the authentication method. The only supported value is USERNAME_PASSWORD.
>> at least for context based you can only have one auth-method allowed
>>
>> http://docs.oracle.com/cd/E26576_01/doc.312/e24929/dd-elements.htm
>>
>> also read this:
>> Specifying an Authentication Mechanism and Secure Connection
>>
>> When method permissions are specified, basic user name/password authentication will be invoked by the GlassFish Server.
>> To use a different type of authentication or to require a secure connection using SSL, specify this information in an application deployment descriptor...web.xml
>>
>>
>>
>> http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html#bnbyu
>>
>>
>> If I recall correctly Tomcat has the same limitations on one auth-method per webapp
>> Martin Gainty
>> ______________________________________________
>>
>>
>>
>> > Date: Wed, 31 Dec 2014 12:13:29 +0100
>> > From: gholami_at_kth.se
>> > To: users_at_glassfish.java.net
>> > Subject: [gf-users] Custom realm using x509 certificates and DB realm in Glassfish 3.1.1
>> >
>> > Hi,
>> >
>> > I need a custom realm to authenticate two groups of users. One group is
>> > authenticated using x509 certificate and another group using a custom
>> > two-factor authentication DBRealm (username/one-time password). I wonder
>> > if someone knows how to implement such custom realm for these two groups
>> > in Glassfish 3.1.1.
>> >
>> > I was reading the custom realm documentation and it seems I should
>> > implement a custom LoginModule (MyCustomLoginModule) that extends
>> > AppservCertificateLoginModule and AppservPasswordLoginModule. But as you
>> > know multiple inheritance is not allowed in Java and also both these
>> > classes have authenticateUser() method in common:
>> >
>> > --------
>> > @Override
>> > protected void authenticateUser() throws LoginException {
>> > }
>> > --------
>> >
>> > My two-factor DB realm works fine for one group of users as I could
>> > extend AppservPasswordLoginModule without any problem:
>> >
>> > --------
>> > import javax.security.auth.login.LoginException;
>> > import com.sun.appserv.security.AppservPasswordLoginModule;
>> >
>> > public class MyCustomLoginModule extends AppservPasswordLoginModule {
>> >     @Override
>> >     protected void authenticateUser() throws LoginException {
>> >         // my code: look up _username in the DB, check the one-time
>> >         // password in _password, then commitUserAuthentication(groups)
>> >     }
>> > }
>> > --------
>> >
>> > Now the issue is adding certificate authentication to the
>> > MyCustomLoginModule to enable other group with certificates to be
>> > authenticated. I should clarify users with certificates do not use
>> > two-factor authentication. They will be only authenticated through their
>> > personal x509 certificates protected with a password embedded in their
>> > browsers.
>> >
>> > I would appreciate if someone could give me some hints to solve this
>> > problem.
>> >
>> > Best regards
>> > Ali
>> >
>> >
>
> 1 attachment: screeshot.png (8K)
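The 'sufficient' chain William describes, as an added stand-alone example (this is not code from the thread and not GlassFish's own classes): a plain-JDK LoginContext whose programmatic Configuration stands in for the mtRealm entry in login.conf, with a certificate module that maps an already-verified client-certificate DN to a principal and a username/one-time-code module behind it. The X500Callback, the DN allow-list, the pending-code table and the names alice, bob and mallory are all constructed for the example; in GlassFish the two modules would instead extend AppservCertificateLoginModule and AppservPasswordLoginModule and get their credentials from the container. What the run shows is the JAAS semantics that matter here: once the first sufficient module succeeds the second is never consulted, and when neither succeeds the login fails, so the certificate module has to fail closed (return false) when no certificate is presented rather than let a password-less request through.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;
import com.sun.security.auth.UserPrincipal;

/** Two JAAS login modules in one login context, both flagged "sufficient" (added example, not GlassFish code). */
public class MtRealmDemo {

    /** Hypothetical callback carrying the subject DN of a client certificate the TLS layer has already verified. */
    public static final class X500Callback implements Callback { public X500Principal principal; }

    /** Shared plumbing: a subclass sets {@code who} in login(); commit() then adds it to the Subject. */
    public abstract static class Base implements LoginModule {
        protected Subject subject; protected CallbackHandler handler; protected Principal who;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean commit() { if (who != null) subject.getPrincipals().add(who); return who != null; }
        public boolean abort()  { who = null; return true; }
        public boolean logout() { if (who != null) subject.getPrincipals().remove(who); who = null; return true; }
    }

    /** First module: accepts a certificate DN from a constructed allow-list and fails closed otherwise. */
    public static class CertificateLoginModule extends Base {
        static final Set<X500Principal> TRUSTED =
                Collections.singleton(new X500Principal("CN=alice,OU=Research,O=Example,C=SE"));
        public boolean login() throws LoginException {
            X500Callback cb = new X500Callback();
            try { handler.handle(new Callback[]{cb}); }
            catch (UnsupportedCallbackException e) { return false; }   // no certificate presented: let the next module try
            catch (IOException e) { throw new LoginException(e.getMessage()); }
            if (cb.principal == null || !TRUSTED.contains(cb.principal)) return false;
            who = cb.principal; return true;
        }
    }

    /** Second module: username plus one-time code; each code is accepted exactly once. */
    public static class OneTimePasswordLoginModule extends Base {
        // Constructed table of pending codes; a real realm would read and consume them from its database.
        static final Map<String, byte[]> PENDING = new HashMap<>();
        static { PENDING.put("bob", "493021".getBytes(StandardCharsets.UTF_8)); }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("one-time code: ", false);
            try { handler.handle(new Callback[]{nc, pc}); }
            catch (UnsupportedCallbackException e) { return false; }   // caller has no username/code to offer
            catch (IOException e) { throw new LoginException(e.getMessage()); }
            char[] code = pc.getPassword();
            pc.clearPassword();
            if (nc.getName() == null || code == null) return false;
            byte[] given = new String(code).getBytes(StandardCharsets.UTF_8);
            Arrays.fill(code, '\0');
            byte[] expected = PENDING.get(nc.getName());
            // Constant-time compare, then burn the code so the same value cannot be replayed.
            if (expected == null || !MessageDigest.isEqual(expected, given)) return false;
            PENDING.remove(nc.getName());
            who = new UserPrincipal(nc.getName()); return true;
        }
    }

    /** Programmatic equivalent of the login.conf entry: both modules "sufficient", tried in this order. */
    static final Configuration MT_REALM = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"mtRealm".equals(name)) return null;
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(CertificateLoginModule.class.getName(), LoginModuleControlFlag.SUFFICIENT, Collections.<String, Object>emptyMap()),
                new AppConfigurationEntry(OneTimePasswordLoginModule.class.getName(), LoginModuleControlFlag.SUFFICIENT, Collections.<String, Object>emptyMap()) };
        }
    };

    /** Handler offering only what the client actually presented: a certificate DN, or a username and code. */
    static CallbackHandler presented(X500Principal dn, String user, String code) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof X500Callback && dn != null) ((X500Callback) cb).principal = dn;
                else if (cb instanceof NameCallback && user != null) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback && code != null) ((PasswordCallback) cb).setPassword(code.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    static String attempt(String label, CallbackHandler h) {
        try {
            LoginContext lc = new LoginContext("mtRealm", new Subject(), h, MT_REALM);
            lc.login();
            return label + ": authenticated as " + lc.getSubject().getPrincipals();
        } catch (LoginException e) { return label + ": rejected (" + e.getMessage() + ")"; }
    }

    public static void main(String[] args) {
        X500Principal alice = new X500Principal("CN=alice,OU=Research,O=Example,C=SE");
        X500Principal mallory = new X500Principal("CN=mallory,O=Example,C=SE");
        System.out.println(attempt("trusted cert ", presented(alice, null, null)));      // module 1 succeeds; module 2 is never asked
        System.out.println(attempt("unknown cert ", presented(mallory, null, null)));    // both modules ignore the request
        System.out.println(attempt("user + code  ", presented(null, "bob", "493021")));  // module 1 ignores, module 2 succeeds
        System.out.println(attempt("replayed code", presented(null, "bob", "493021")));  // code already consumed
    }
}
```

Compile with `javac MtRealmDemo.java` and run with `java MtRealmDemo`; the first and third attempts authenticate, the second and fourth are rejected. Two points carry over to a real login.conf: the order of the entries decides which credential wins when a client could satisfy both, and a module that returns true from login() on weak evidence short-circuits every module below it, so each sufficient module must only succeed on evidence it has fully checked.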