users@jersey.java.net

Re: [Jersey] Full-fledged SSL under Jersey

From: Gili <cowwoc_at_bbs.darktech.org>
Date: Mon, 2 Mar 2009 17:37:49 -0800 (PST)

It's not clear how users, groups and roles are related in Glassfish.

Glassfish's sun-web.xml lets you associate multiple principals and groups
with each role, but it's not clear how to get at that information using
javax.ws.rs.core.SecurityContext. SecurityContext lets you get the user
principal, but how do I get the list of groups and roles associated with
this principal? I can't seem to find good documentation on this topic. Any
ideas?

Gili


Steve Sims wrote:
>
> Hi Gili,
>
> I've only written a test harness (using the pre-Jersey 1.0.2
> HttpURLConnection based client, not the new Apache based one) to
> communicate with my local machine using HTTPS, so I don't know too much
> about Java's security mechanisms. Basically, Java keeps its trusted
> certificates in keyfiles that are modified using the keytool application
> supplied with the Java distribution, and therefore if you have a trusted
> certificate for the server imported, or the certificate's been issued by
> a certificate authority whose certificate is in the trust store, then it
> should take care of everything for you when you open up a connection.
>
> If you don't have a trusted CA signed (i.e. commercial) certificate then
> you can create a keyfile containing your server's key and distribute
> that along with the client. I did the following within my test harness:
>
> 1) Point firefox towards https://localhost:8081/v1/core/
> 2) Click Tools->Page Info
> 3) Click the Security tab
> 4) Click the View Certificate button
> 5) Click the Details tab
> 6) Click the Export button and export the file as a PEM to somewhere
> 7) Bring up a shell to the place that the PEM file is stored
> 8) Create a new keyfile: keytool -importcert -alias "localhost" -file
> localhost.pem
> 9) Enter a password for the file such as "adminadmin"
>
> You then need to supply some system properties in order to get the JVM
> to load your keystores. Also, if you're testing on the local machine,
> because there's no DNS to resolve "localhost", I have to do the
> following test-only HostnameVerifier hack:
>
> HttpsURLConnection.setDefaultHostnameVerifier(
>     new javax.net.ssl.HostnameVerifier() {
>         public boolean verify(String hostname, SSLSession sslSession) {
>             // Test-only: accept the certificate regardless of its name
>             // when the connection is to "localhost".
>             if (hostname.equals("localhost")) {
>                 return true;
>             }
>             return false;
>         }
>     });
>
> System.setProperty("javax.net.ssl.keyStore", <generated keystore filename>);
> System.setProperty("javax.net.ssl.keyStorePassword", "adminadmin");
> System.setProperty("javax.net.ssl.trustStore", <generated keystore filename>);
> System.setProperty("javax.net.ssl.trustStorePassword", "adminadmin");
>
> There are ways to programmatically update the default keystore, however,
> using classes such as java.security.KeyStore etc.
>
> It helps, whilst trying to get it working, to turn on the debug as well:
>
> System.setProperty("javax.net.debug", "ssl,handshake,record");
>
> Anyway, there's lots of information here that will explain things better
> than I have - there's just a lot to it! :
>
> http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
>
> As far as the username and password issue goes, are you talking about
> HTTP BASIC authentication? If so, the new Apache based Jersey client is
> probably the way to go, see
> https://jersey.dev.java.net/servlets/ReadMsg?list=users&msgNo=4165
>
> Hope this helps a little, it's quite a big area and took me a while to
> just get something working - then as soon as I had it I moved on!
>
> Steve
>
> Gili wrote:
>> Hi,
>>
>> What is the best way to communicate over SSL using Jersey? I expect the
>> client to:
>>
>> 1) Request and verify the server certificate
>> 2) Encrypt and send the data to the server
>>
>> I have the following questions:
>>
>> - How do I request the server certificate (assuming it is found in a CA)?
>> - How do I verify it?
>> - How do I configure an event listener to prompt me for a user name and
>> password when it's needed?
>> - Do I need a commercial SSL certificate? Do I lose anything by
>> hard-coding my public key into the client? Granted I'll need to issue
>> new clients if the server key changes, but is there anything else?
>>
>> Thank you,
>> Gili
>

-- 
Sent from the Jersey mailing list archive at Nabble.com.
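The programmatic route Steve alludes to (java.security.KeyStore instead of the javax.net.ssl.* system properties), written as an added example that is not from the original thread: it trusts only the certificate exported in step 6 and leaves the default HostnameVerifier in place, so the certificate's name must match the host you connect to. The PEM path, alias and URL are assumptions taken from the steps above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that trusts exactly one server certificate, loaded
 * from the PEM exported in step 6, without modifying the JVM's default
 * trust store or overriding hostname verification.
 */
public final class PinnedTrust {

    /** pemPath is an assumed location for the exported localhost.pem. */
    static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            serverCert = cf.generateCertificate(in);
        }
        // Empty in-memory key store holding only the one trusted certificate.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("localhost", serverCert);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // No client key material (first argument) is needed for server-only TLS.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String pem = args.length > 0 ? args[0] : "localhost.pem";
        SSLContext ctx = contextTrustingOnly(pem);
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://localhost:8081/v1/core/").openConnection();
        // Scope the trust decision to this connection only; the default
        // HostnameVerifier still checks the certificate against "localhost".
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the store contains nothing but the exported certificate, a rotated server key fails the handshake until a client with the new PEM is shipped, which is the trade-off Gili asks about.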