users@glassfish.java.net

[gf-users] Re: Custom realm using x509 certificates and DB realm in Glassfish 3.1.1

From: William <streetpoet_at_163.com>
Date: Tue, 6 Jan 2015 20:39:26 +0800

I’m afraid there is no way to do that, I’m sorry.
After I read the doc ‘application-development-guide.pdf’, I found it writes

it can properly fit my requirement, but not yours :(
Maybe GlassFish only supports limited extension of its security.

> On Jan 4, 2015, at 11:31 PM, Ali Gholami <gholami_at_kth.se> wrote:
>
> Thanks William for your answer. I still don't know how to compose the web.xml file. Let's say I have a custom realm that has two auth methods:
> -----
> mtRealm {
> com.spstudio.xxx.security.X509ClientCertificateLoginModule Sufficient;
> com.spstudio.xxx.security.MyJdbcLoginModule Sufficient;
> };
> ----
>
> Here is my X509ClientCertificateLoginModule:
>
> ---
> import java.util.StringTokenizer;
> import javax.security.auth.login.LoginException;
> import com.sun.appserv.security.AppservCertificateLoginModule;
>
> public class X509ClientCertificateLoginModule extends AppservCertificateLoginModule {
>
>     /* taken from https://blogs.oracle.com/nasradu8/entry/extend_certificaterealm_with_loginmodule_glassfish */
>     @Override
>     protected void authenticateUser() throws LoginException {
>         // Map the OU attribute of the client certificate's subject DN to a group named "<app>:<OU>"
>         String dname = getX500Principal().getName();
>         StringTokenizer st = new StringTokenizer(dname, " \t\n\r\f,");
>         while (st.hasMoreTokens()) {
>             String next = st.nextToken();
>             if (next.startsWith("OU=")) {
>                 commitUserAuthentication(new String[]{getAppName() + ":" + next.substring(3)});
>                 return;
>             }
>         }
>         throw new LoginException("No OU found.");
>     }
>
> }
> ---
>
>
> When I set the web.xml as follows, the certificate authentication (X509ClientCertificateLoginModule) does not work but the MyJdbcLoginModule works fine:
>
> ----
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>mtRealm</realm-name>
> <form-login-config>
> <form-login-page>/index.xhtml</form-login-page>
> <form-error-page>/error.xhtml</form-error-page>
> </form-login-config>
> </login-config>
> ----
>
> Do you know what should be the value of <login-config>?
>
> Best regards
> Ali
>
>
> On 2015-01-04 03:34, William wrote:
>> you can define one customer domain, with multiple login modules.
>> some configurations like this:
>>
>> In your <glassfish folder>/domains/domain1/config/login.conf file
>>
>> mtRealm {
>> com.spstudio.xxx.security.XxxCookieLoginModule Sufficient;
>> com.spstudio.xxx.security.XxxJdbcLoginModule Sufficient;
>> };
>>
>> You can use the ‘Sufficient’ keyword to indicate that a user can log in successfully using any login module.
>>
>>
>>> On Dec 31, 2014, at 10:55 PM, Ali Gholami <gholami_at_kth.se <mailto:gholami_at_kth.se>> wrote:
>>>
>>> Thanks Martin for the reply.
>>>
>>> Right, the declarative security unfortunately allows only one auth method (similar to Tomcat) in web.xml. I want to use both "Basic and Certificate" at the same time. I was thinking if I can create a custom realm to embody both methods in one realm.
>>>
>>> The attached image shows my login page. The first category logs in with the custom Basic realm (Yubikey user) and the second one using a certificate.
>>>
>>> I think Tomcat solves this issue by running two different domains at the same time but I don't know how GlassFish supports such a use case.
>>>
>>> Best regards
>>> Ali
>>>
>>>
>>> On 2014-12-31 15:06, Martin Gainty wrote:
>>>> declarative security allows 1 Authentication type per app so you will need 2 web applications one with web.xml of:
>>>> <login-config>
>>>> <auth-method>BASIC</auth-method>
>>>> <realm-name>BASIC Realm</realm-name>
>>>> </login-config>
>>>>
>>>> the other webapp your web.xml will be CERTIFICATE
>>>> <login-config>
>>>> <auth-method>CERTIFICATE</auth-method>
>>>> <realm-name>CERTIFICATE Realm</realm-name>
>>>> </login-config>
>>>>
>>>> Programmatic EJBSecurity allows twiddling Principal/Role information but on a Basic USERNAME_PASSWORD auth method realm
>>>> read this:
>>>>
>>>> auth-method <http://docs.oracle.com/cd/E26576_01/doc.312/e24929/dd-elements.htm#beaqx>
>>>> only one
>>>> Specifies the authentication method. The only supported value is USERNAME_PASSWORD.
>>>> at least for context based you can only have one auth-method allowed
>>>>
>>>> http://docs.oracle.com/cd/E26576_01/doc.312/e24929/dd-elements.htm
>>>>
>>>> also read this:
>>>> Specifying an Authentication Mechanism and Secure Connection
>>>>
>>>> When method permissions are specified, basic user name/password authentication will be invoked by the GlassFish Server.
>>>> To use a different type of authentication or to require a secure connection using SSL, specify this information in an application deployment descriptor...web.xml
>>>>
>>>>
>>>>
>>>> http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html#bnbyu
>>>>
>>>>
>>>> If I recall correctly Tomcat has the same limitations on one auth-method per webapp
>>>> Martin Gainty
>>>> ______________________________________________
>>>>
>>>>
>>>>
>>>> > Date: Wed, 31 Dec 2014 12:13:29 +0100
>>>> > From: gholami_at_kth.se <mailto:gholami_at_kth.se>
>>>> > To: users_at_glassfish.java.net <mailto:users_at_glassfish.java.net>
>>>> > Subject: [gf-users] Custom realm using x509 certificates and DB realm in Glassfish 3.1.1
>>>> >
>>>> > Hi,
>>>> >
>>>> > I need a custom realm to authenticate two groups of users. One group is
>>>> > authenticated using x509 certificate and another group using a custom
>>>> > two-factor authentication DBRealm (username/one-time password). I wonder
>>>> > if someone knows how to implement such a custom realm for these two groups
>>>> > in Glassfish 3.1.1.
>>>> >
>>>> > I was reading the custom realm documentation and it seems I should
>>>> > implement a custom LoginModule (MyCustomLoginModule) that extends
>>>> > AppservCertificateLoginModule and AppservPasswordLoginModule. But as you
>>>> > know multiple inheritance is not allowed in Java and also both these
>>>> > classes have authenticateUser() method in common:
>>>> >
>>>> > --------
>>>> > @Override
>>>> > protected void authenticateUser() throws LoginException {
>>>> > }
>>>> > --------
>>>> >
>>>> > My two-factor DB realm works fine for one group of users as I could
>>>> > extend AppservPasswordLoginModule without any problem:
>>>> >
>>>> > --------
>>>> > public class MyCustomLoginModule extends AppservPasswordLoginModule {
>>>> > @Override
>>>> > protected void authenticateUser() throws LoginException {
>>>> > // my code
>>>> > }
>>>> > }
>>>> > --------
>>>> >
>>>> > Now the issue is adding certificate authentication to the
>>>> > MyCustomLoginModule to enable the other group with certificates to be
>>>> > authenticated. I should clarify users with certificates do not use
>>>> > two-factor authentication. They will be only authenticated through their
>>>> > personal x509 certificates protected with a password embedded in their
>>>> > browsers.
>>>> >
>>>> > I would appreciate if someone could give me some hints to solve this
>>>> > problem.
>>>> >
>>>> > Best regards
>>>> > Ali
>>>> >
>>>> >
>>>
>>> 1 attachment: screeshot.png (8K)
>>
>
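To make concrete how the login.conf stack William describes (two modules flagged Sufficient) is evaluated, and how Ali's X509 module turns a certificate DN into a group, here is an added Python model of the JAAS control-flag rules with stand-ins for both modules. This is example code written for this page, not GlassFish's or anyone's code from the thread; the app name "myapp", the USERS table and the DNs are constructed.

```python
class LoginException(Exception): pass  # stand-in for javax.security.auth.login.LoginException

def ou_from_dn(dn):
    # Same tokenising as the thread's StringTokenizer(dname, " \t\n\r\f,"): commas AND
    # whitespace delimit, so an OU with a space ("OU=Web Team") is truncated to "Web".
    for tok in dn.replace(",", " ").split():
        if tok.startswith("OU="):
            return tok[3:]
    raise LoginException("No OU found.")

def cert_module(creds):
    # X509ClientCertificateLoginModule stand-in: needs a client-cert DN, maps OU to "<app>:<OU>".
    if "dn" not in creds:
        raise LoginException("no client certificate presented")
    return ["myapp:" + ou_from_dn(creds["dn"])]

USERS = {"alice": ("s3cret", ["myapp:db-users"])}  # constructed sample user table
def jdbc_module(creds):
    # MyJdbcLoginModule stand-in: username/password lookup against USERS.
    entry = USERS.get(creds.get("user", ""))
    if entry is None or entry[0] != creds.get("password"):
        raise LoginException("bad username/password")
    return entry[1]

def jaas_login(stack, creds):
    """Evaluate a JAAS stack [(module, flag), ...] with the standard control-flag rules."""
    groups, first_required_failure, some_non_required_ok = [], None, False
    for module, flag in stack:
        try:
            groups += module(creds)
        except LoginException as err:
            if flag in ("required", "requisite"):
                first_required_failure = first_required_failure or err
                if flag == "requisite":
                    break  # requisite failure stops the chain immediately
            continue
        if flag in ("sufficient", "optional"):
            some_non_required_ok = True
            if flag == "sufficient" and first_required_failure is None:
                return groups  # sufficient success short-circuits the rest
    if first_required_failure is not None:
        raise first_required_failure
    if not any(f in ("required", "requisite") for _, f in stack) and not some_non_required_ok:
        raise LoginException("no login module succeeded")
    return groups

# The thread's login.conf entry: mtRealm { cert Sufficient; jdbc Sufficient; }
MT_REALM = [(cert_module, "sufficient"), (jdbc_module, "sufficient")]
def try_login(stack, creds):  # granted groups, or None when the whole stack fails
    try:
        return jaas_login(stack, creds)
    except LoginException:
        return None
```

With both modules Sufficient, whichever module the presented credentials satisfy first authenticates the user; changing the first flag to Required makes a password-only login fail, which is the distinction to keep in mind when editing login.conf.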