users@jersey.java.net

Re: security and auditing based on client SSL certificates

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Mon, 31 Mar 2008 10:58:25 +0200

Hi Gabor,

Gabor Szokoli wrote:
> Hi,
>
> Might be more of an Application Server question than a Jersey
> question, but you guys can probably at least help me phrase that
> question properly :-)
>

I can help point you, but I don't have experience in this myself.


> I have implemented a simple web service with Jersey, deployed to
> GlassFish with the ServletContainer.
> I'd like to completely restrict access to the web service to clients
> with approved SSL certificates. (This is purely a Glassfish issue I
> assume)

I think so:

https://glassfish.dev.java.net/javaee5/security/faq.html#configssl
https://glassfish.dev.java.net/javaee5/security/faq.html#configcert


> Furthermore, my resource class should be aware of some identifier of
> the client. (audit logs must be produced about every resource access)
>

You mean in a sense "user principal"?

Jersey 0.6 has a SecurityContext [1] interface that may be injected to
get access to user info stuff. Note that this is only implemented for
Servlet (essentially defers to the methods on the HttpServletRequest).

   java.security.Principal SecurityContext.getUserPrincipal()


For more questions on the SSL configuration I recommend sending email to:

   users_at_glassfish.dev.java.net

Paul.

[1]
https://jsr311.dev.java.net/nonav/releases/0.6/javax/ws/rs/core/SecurityContext.html

> Where do I start looking?
>
>
> Gabor Szokoli
>

-- 
| ? + ? = To question
----------------\
    Paul Sandoz
         x38109
+33-4-76188109
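
The injection approach described in the reply above, as an added example that is not part of the original message or of Jersey's own code: a resource that writes an audit record from the injected SecurityContext and the client certificate. It assumes the javax.ws.rs and Servlet APIs on the classpath and that the container is configured for client-certificate authentication; the resource path, class name and logger name are hypothetical.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;

// Hypothetical resource: path, class name and logger name are illustrative.
@Path("/records")
public class AuditedResource {
    private static final Logger AUDIT = Logger.getLogger("audit");

    @Context private SecurityContext security;   // container-supplied identity
    @Context private HttpServletRequest request; // needed for the raw certificate

    @GET
    public String list() {
        Principal user = security.getUserPrincipal();
        // Fail closed: a null principal means the container did not authenticate the caller.
        if (user == null || !security.isSecure()) {
            AUDIT.warning("DENY GET /records from " + request.getRemoteAddr());
            throw new WebApplicationException(403);
        }
        AUDIT.info("ALLOW GET /records principal=" + clean(user.getName())
                + " scheme=" + security.getAuthenticationScheme()
                + " cert=" + clientCert());
        return "ok";
    }

    // The Servlet spec exposes the verified client chain under this attribute; leaf first.
    private String clientCert() {
        Object attr = request.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            return "none";
        }
        X509Certificate leaf = ((X509Certificate[]) attr)[0];
        return clean(leaf.getSubjectX500Principal().getName())
                + "/serial=" + leaf.getSerialNumber().toString(16);
    }

    // Strip control characters so a crafted subject DN cannot forge extra log lines.
    private static String clean(String s) {
        return s.replaceAll("\\p{Cntrl}", "?");
    }
}
```

Logging the certificate serial alongside the subject DN lets an audit trail distinguish a reissued certificate from the original one carrying the same name.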