users@jersey.java.net

[Jersey] Re: @Context SecurityContext not initialized with SSL client certs

From: Oleksiy Stashok <oleksiy.stashok_at_oracle.com>
Date: Tue, 15 May 2012 14:12:47 +0200

Hi Chris,

you can get the client SSL config from Grizzly Request via standard
Servlet attributes:
http://docs.oracle.com/cd/E17802_01/products/products/servlet/2.1/api/javax.servlet.ServletRequest.html#getAttribute%28javax.servlet.String%29

I'm not that familiar w/ Jersey, so not sure if it's possible to
map/retrieve those attributes' values using injections.

Thanks.

WBR,
Alexey.

On 05/14/2012 05:03 PM, Christopher Larrieu wrote:
> I'm authenticating the client via SSL. SecurityContext is not being set.
>
> I had to inject the Grizzly-specific Request to get the peer certs via
> the connection's SSLEngine.
>
> The following example illustrates the issue I am having. (I'm using
> jersey-grizzly2, version 1.12)
>
> Thanks for any assistance,
>
> Chris
>
>
> =====================================
> Resource:
> =====================================
> @Path("/hello")
> public class Hello {
>     @GET
>     @Produces("text/plain")
>     public String get(@Context SecurityContext sec,
>                       @Context ThreadLocal<Request> request) throws SSLPeerUnverifiedException {
>         System.out.println("Hello.get()");
>         try {
>             System.out.printf("sec.isSecure()=%s", sec.isSecure());
>             System.out.printf("sec.getUserPrincipal()=%s%n", sec.getUserPrincipal());
>         }
>         catch (Throwable t) {
>             System.out.println(t);
>             System.out.println("Oops. Looks like SecurityContext is not set. I wonder why?");
>         }
>         Request r = request.get();
>         X500Principal p = (X500Principal) SSLUtils.getSSLEngine(r.getContext().getConnection())
>                 .getSession().getPeerPrincipal();
>         String cn = p.getName("CANONICAL").split("cn=")[1].split(",")[0];
>         System.out.printf("cn=%s%n", cn);
>         System.out.println("Oh, that's nice. I can get the client certs via the Grizzly connection-specfic SSLEngine. But that's kind of a hack.");
>         return String.format("Hello, %s", cn);
>     }
> }
>
>
> =====================================
> Output:
> =====================================
> Hello.get()
> java.lang.UnsupportedOperationException
> Oops. Looks like SecurityContext is not set. I wonder why?
> cn=larrieu
> Oh, that's nice. I can get the client certs via the Grizzly connection-specfic SSLEngine. But that's kind of a hack.
>
>
> =====================================
> Server entry point:
> =====================================
> public static void main(String[] args) {
>     try {
>         URI uri = new URI(BASE_URI);
>         SSLContext ssc = ServerCertificateManager.getSSLContext();
>         SSLEngineConfigurator sec =
>             new SSLEngineConfigurator(ssc).setClientMode(false).setNeedClientAuth(true);
>         ResourceConfig rc = new PackagesResourceConfig("org.jlab.scicomp.server.resources");
>         HttpHandler handler = ContainerFactory.createContainer(HttpHandler.class, rc);
>         HttpServer https = GrizzlyServerFactory.createHttpServer(uri, handler, true, sec);
>         https.start();
>         System.in.read();
>     }
>     catch (Exception e) {
>         // TODO Auto-generated catch block
>         e.printStackTrace();
>     }
> }
>
>
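
Added example, not part of the original thread and not Jersey or Grizzly code: one way to turn the client certificate chain into a user name by parsing the subject DN into RDNs rather than splitting the string on "cn=". It assumes the chain is exposed under the standard Servlet attribute javax.servlet.request.X509Certificate, as the reply suggests; the class and method names are hypothetical and the sample subjects are constructed.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class ClientCertIdentity {  // hypothetical helper class, JDK only
    // Standard Servlet attribute holding the verified client certificate chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Pass request.getAttribute(CERT_ATTR); returns the leaf subject CN, or null if no chain. */
    static String fromRequestAttribute(Object attr) throws InvalidNameException {
        if (!(attr instanceof X509Certificate[])) return null;
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) return null;
        return commonName(chain[0].getSubjectX500Principal()); // chain[0] is the client's own cert
    }

    /** Walks the parsed RDNs, so "cn=" text inside another attribute's value is never matched.
     *  Multi-valued RDNs (a+b) are not handled: only the RDN's first type is inspected. */
    static String commonName(X500Principal subject) throws InvalidNameException {
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        String cn = null;
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                if (cn != null) throw new InvalidNameException("more than one CN in subject");
                cn = String.valueOf(rdn.getValue());
            }
        }
        return cn; // null when the subject carries no CN at all
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample subjects for illustration.
        String[] samples = {
            "CN=larrieu, OU=SciComp, O=Example",
            "CN=larrieu, OU=\"Ops, cn=admin\", O=Example",
            "OU=SciComp, O=Example"
        };
        for (String s : samples) {
            System.out.printf("%s -> %s%n", s, commonName(new X500Principal(s)));
        }
    }
}
```

A null result should be treated as an unauthenticated request rather than mapped to a default user.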