users@jersey.java.net

Re: [Jersey] getting x.509 certificate principal

From: John Calcote <john.calcote_at_gmail.com>
Date: Thu, 09 Sep 2010 09:11:10 -0600

Hi Paul,

Thanks for the response. I'm using Jetty (6.1.22), but I've had some
experience using certs, so I'm familiar with what needs to be done in
the server-side trust and key stores. I've enabled SSL in Jetty and
configured server-side stores. I've also enabled want-client-cert in the
SSL connector so that the server requests the cert from the client (but
doesn't demand it).

In my earlier comments, I mentioned that I'd noticed an SSL exception
(in the log) on access before I added the client cert to the server's
truststore. Once I did that, the exception went away. Thus, I know that
the SSL layer is (probably) correctly processing the certificate exchange.

What I don't know how to do is get the cert from the SSL layer up to the
application layer in the form of an authenticated principal. I did a bit
more research and discovered the web.xml login-config element and its
child element, auth-method. Setting auth-method to CLIENT-CERT should
probably have done the trick, but it didn't seem to help - the result of
a call to getUserPrincipal on the request object still produces a null
reference. I'm thinking there must be a bit more to it than just using
the login-config element.

Thanks,
John

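The missing wiring John describes (the SSL layer has validated the client certificate, but the application never sees it as a Principal) can be bridged by reading the certificate chain that the Servlet container exposes on the request and wrapping its subject in a SecurityContext. This is an added example, not code from the thread or from the Jersey project; it assumes Jersey 1.x (the ContainerRequestFilter/ContainerRequest API named in the thread), a servlet deployment so that HttpServletRequest can be injected, and a hypothetical filter class name of ClientCertPrincipalFilter.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;

// Hypothetical filter (added example): turns the TLS client certificate that the
// container already verified against its truststore into request.getUserPrincipal().
public class ClientCertPrincipalFilter implements ContainerRequestFilter {

    // Standard Servlet-spec attribute; its value is X509Certificate[] with the
    // client's own (leaf) certificate at index 0.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Context
    private HttpServletRequest servletRequest;

    @Override
    public ContainerRequest filter(ContainerRequest request) {
        Object attr = servletRequest.getAttribute(CERT_ATTR);
        // With want-client-cert (not need-client-cert) the attribute is absent when the
        // browser sends no certificate, so the request stays anonymous; resources that
        // require a principal must still check for null.
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            return request;
        }
        final X509Certificate clientCert = ((X509Certificate[]) attr)[0];
        // The subject DN becomes the identity; the chain itself was validated by the SSL layer.
        final Principal subject = clientCert.getSubjectX500Principal();
        final boolean secure = request.isSecure();

        request.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return subject; }
            // No role source in this example; map DNs to roles here if the app needs isUserInRole.
            public boolean isUserInRole(String role) { return false; }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return SecurityContext.CLIENT_CERT_AUTH; }
        });
        return request;
    }
}
```

Registering the filter is assumed to go through Jersey's com.sun.jersey.spi.container.ContainerRequestFilters servlet init-param; after that, ContainerRequest.getUserPrincipal() and @Context SecurityContext in resources return the certificate subject instead of null.
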
On 9/9/2010 4:48 AM, Paul Sandoz wrote:
> Hi John,
>
> What Web container are you using? I think you may need to register the
> cert on the server side as well.
>
> Paul.
>
> On Sep 9, 2010, at 1:50 AM, John Calcote wrote:
>
>> I've managed to successfully install a ContainerRequestFilter that
>> currently just displays (logs) the principal via
>> ContainerRequest.getUserPrincipal(). When I tested, I found I was
>> getting an SSL exception - unknown cert (from my browser). I installed
>> my browser's cert into the truststore, and the SSL error went away, but
>> the Principal returned is still null.
>>
>> What do I have to do in Jersey/Spring to get the request's Principal
>> object to be populated with the X.509 certificate identity (subjectName,
>> or whatever)? Clearly, I'm missing some wiring here.
>>
>> Thanks,
>> John