users@glassfish.java.net

[gf-users] Re: Custom realm using x509 certificates and DB realm in Glassfish 3.1.1

From: Ali Gholami <gholami_at_kth.se>
Date: Sun, 04 Jan 2015 16:31:05 +0100

Thanks William for your answer. I still don't know how to compose the
web.xml file. Let's say I have a custom realm that has two auth methods:
-----
mtRealm {
com.spstudio.xxx.security.X509ClientCertificateLoginModule Sufficient;
com.spstudio.xxx.security.MyJdbcLoginModule Sufficient;
};
----
Here is my X509ClientCertificateLoginModule:
---
import java.util.StringTokenizer;

import javax.security.auth.login.LoginException;

import com.sun.appserv.security.AppservCertificateLoginModule;

public class X509ClientCertificateLoginModule
        extends AppservCertificateLoginModule {
    /* taken from
       https://blogs.oracle.com/nasradu8/entry/extend_certificaterealm_with_loginmodule_glassfish */
    @Override
    protected void authenticateUser() throws LoginException {
        // Subject DN of the client certificate, in RFC 2253 string form
        String dname = getX500Principal().getName();
        // Split the DN on commas and whitespace and take the first OU= component
        StringTokenizer st = new StringTokenizer(dname, " \t\n\r\f,");
        while (st.hasMoreTokens()) {
            String next = st.nextToken();
            if (next.startsWith("OU=")) {
                // Commit the user with a single group named "<appName>:<OU value>"
                commitUserAuthentication(new String[]{getAppName() + ":" + next.substring(3)});
                return;
            }
        }
        throw new LoginException("No OU found.");
    }
}
---
When I set the web.xml as follows, the certificate authentication
(X509ClientCertificateLoginModule) does not work, but the
MyJdbcLoginModule works fine:
----
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>mtRealm</realm-name>
    <form-login-config>
        <form-login-page>/index.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>
----
Do you know what the value of <login-config> should be?
Best regards
Ali
On 2015-01-04 03:34, William wrote:
> You can define one custom domain, with multiple login modules.
> Some configuration like this:
>
> In your <glassfish folder>/domains/domain1/config/login.conf file
>
> mtRealm {
> com.spstudio.xxx.security.XxxCookieLoginModule Sufficient;
> com.spstudio.xxx.security.XxxJdbcLoginModule Sufficient;
> };
>
> You can use the 'Sufficient' keyword to indicate that a user can log in
> successfully using any login module.
>
>
>> On Dec 31, 2014, at 10:55 PM, Ali Gholami <gholami_at_kth.se 
>> <mailto:gholami_at_kth.se>> wrote:
>>
>> Thanks Martin for the reply.
>>
>> Right, the declarative security unfortunately allows only one auth
>> method (similar to Tomcat) in web.xml. I want to use both "Basic and
>> Certificate" at the same time. I was thinking I could create a
>> custom realm to embody both methods in one realm.
>>
>> The attached image shows my login page. First category login with the 
>> custom Basic realm (Yubikey user) and second one using certificate.
>>
>> I think Tomcat solves this issue by running two different domains at
>> the same time, but I don't know how Glassfish supports such a use case.
>>
>> Best regards
>> Ali
>>
>>
>> On 2014-12-31 15:06, Martin Gainty wrote:
>>> declarative security allows 1 Authentication type per app so you 
>>> will need 2 web applications one with web.xml of:
>>> <login-config>
>>>  <auth-method>BASIC</auth-method>
>>>  <realm-name>BASIC Realm</realm-name>
>>> </login-config>
>>>
>>> the other webapp your web.xml will be CERTIFICATE
>>> <login-config>
>>>  <auth-method>CERTIFICATE</auth-method>
>>>  <realm-name>CERTIFICATE Realm</realm-name>
>>> </login-config>
>>>
>>> Programmatic EJB security allows twiddling Principal/Role information,
>>> but on a Basic USERNAME_PASSWORD auth-method realm.
>>> Read this:
>>>
>>> auth-method
>>> <http://docs.oracle.com/cd/E26576_01/doc.312/e24929/dd-elements.htm#beaqx>
>>>   only one
>>>   Specifies the authentication method. The only supported value
>>>   is USERNAME_PASSWORD.
>>>
>>> at least for context based you can only have one auth-method allowed
>>>
>>> http://docs.oracle.com/cd/E26576_01/doc.312/e24929/dd-elements.htm
>>>
>>> also read this:
>>>
>>>
>>> Specifying an Authentication Mechanism and Secure Connection
>>>
>>> When method permissions are specified, basic user name/password
>>> authentication will be invoked by the GlassFish Server.
>>> To use a different type of authentication or to require a secure
>>> connection using SSL, specify this information in an application
>>> deployment descriptor... web.xml
>>>
>>>
>>>
>>> http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html#bnbyu
>>>
>>>
>>> If I recall correctly Tomcat has the same limitations on one 
>>> auth-method per webapp
>>> Martin Gainty
>>> ______________________________________________
>>>
>>>
>>>
>>> > Date: Wed, 31 Dec 2014 12:13:29 +0100
>>> > From:gholami_at_kth.se
>>> > To:users_at_glassfish.java.net
>>> > Subject: [gf-users] Custom realm using x509 certificates and DB 
>>> realm in Glassfish 3.1.1
>>> >
>>> > Hi,
>>> >
>>> > I need a custom realm to authenticate two groups of users. One group is
>>> > authenticated using x509 certificate and another group using a custom
>>> > two-factor authentication DBRealm (username/one-time password). I wonder
>>> > if someone knows how to implement such custom realm for these two groups
>>> > in Glassfish 3.1.1.
>>> >
>>> > I was reading the custom realm documentation and it seems I should
>>> > implement a custom LoginModule (MyCustomLoginModule) that extends
>>> > AppservCertificateLoginModule and AppservPasswordLoginModule. But as you
>>> > know multiple inheritance is not allowed in Java and also both these
>>> > classes have authenticateUser() method in common:
>>> >
>>> > --------
>>> > @Override
>>> > protected void authenticateUser() throws LoginException {
>>> > }
>>> > --------
>>> >
>>> > My two-factor DB realm works fine for one group of users as I could
>>> > extend AppservPasswordLoginModule without any problem:
>>> >
>>> > --------
>>> > public class MyCustomLoginModule extends AppservPasswordLoginModule {
>>> > @Override
>>> > protected void authenticateUser() throws LoginException {
>>> > // my code
>>> > }
>>> > }
>>> > --------
>>> >
>>> > Now the issue is adding certificate authentication to the
>>> > MyCustomLoginModule to enable other group with certificates to be
>>> > authenticated. I should clarify users with certificates do not use
>>> > two-factor authentication. They will be only authenticated through their
>>> > personal x509 certificates protected with a password embedded in their
>>> > browsers.
>>> >
>>> > I would appreciate if someone could give me some hints to solve this
>>> > problem.
>>> >
>>> > Best regards
>>> > Ali
>>> >
>>> >
>>
>> Attachment: screeshot.png (8K)
>
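An added example, not code from anyone in this thread, that checks the OU-extraction approach used in the posted X509ClientCertificateLoginModule against a proper RFC 2253 parse with javax.naming.ldap.LdapName. The class name OuExtractionDemo and the sample subject DN are constructed for this demonstration, and it assumes the issuing CA lets a subject choose its own CN value. getX500Principal().getName() returns the subject in RFC 2253 form, where a comma inside an attribute value is escaped as `\,`; a StringTokenizer that splits on commas and whitespace does not honour that escaping, so an "OU=" substring placed inside the CN is taken as the group, while LdapName returns only the real OU attribute.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Hypothetical demo class, not part of the realm discussed in the thread.
public class OuExtractionDemo {

    /** Same logic as the posted login module: split the DN string on commas and whitespace. */
    static String naiveOu(String dn) {
        StringTokenizer st = new StringTokenizer(dn, " \t\n\r\f,");
        while (st.hasMoreTokens()) {
            String next = st.nextToken();
            if (next.startsWith("OU=")) {
                return next.substring(3);
            }
        }
        return null;
    }

    /** Parse the DN per RFC 2253 and return every OU attribute value, unescaped. */
    static List<String> parsedOus(String dn) throws InvalidNameException {
        List<String> ous = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("OU")) {
                ous.add(rdn.getValue().toString());
            }
        }
        return ous;
    }

    public static void main(String[] args) throws Exception {
        // Constructed subject: the CN value itself contains ", OU=admins" (comma escaped
        // with a backslash, as RFC 2253 requires); the only genuine OU is "students".
        X500Principal subject =
            new X500Principal("CN=Eve\\, OU=admins, OU=students, O=Example, C=SE");

        // Same string the login module sees from getX500Principal().getName()
        String dn = subject.getName();
        System.out.println("DN         : " + dn);
        System.out.println("naive OU   : " + naiveOu(dn));    // picks "admins" out of the CN
        System.out.println("parsed OUs : " + parsedOus(dn)); // only the real OU, "students"
    }
}
```

Compile and run with `javac OuExtractionDemo.java && java OuExtractionDemo`. Because the group name committed by the login module is later used for role mapping, the value should come from the parsed OU attribute rather than from a substring match over the whole DN string, and if several OU components are possible the module should decide explicitly which one it trusts.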