Question
I need help configuring GF 3.1.2. I have made the following changes; please let me know if I am missing anything important, as after the changes it is NOT working. My id is nilesh2811@gmail.com
I could not find any particular thread or answers in the forum; if there is a link, it will be helpful. If you have any document for this, please forward it.
Please do the needful.
web.xml
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/faces/*</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>authorized</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-role>
    <description/>
    <role-name>authorized</role-name>
</security-role>
sun-web.xml
<security-role-mapping>
    <role-name>authorized</role-name>
    <principal-name>admin</principal-name>
    <group-name>authorized</group-name>
</security-role-mapping>
domain.xml
<security-service>
    <auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="admin-realm">
        <property name="file" value="${com.sun.aas.instanceRoot}/config/admin-keyfile"></property>
        <property name="jaas-context" value="fileRealm"></property>
    </auth-realm>
    <auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="file">
        <property name="file" value="${com.sun.aas.instanceRoot}/config/keyfile"></property>
        <property name="jaas-context" value="fileRealm"></property>
    </auth-realm>
    <auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
        <property name="assign-groups" value="authorized"></property>
    </auth-realm>
Answer 1:
The login-config section is incomplete in your web.xml:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
</login-config>
The realm-name content must match the name attribute of the auth-realm element in domain.xml, which in your case is "certificate".
[updated]
In addition, the CA certificate must be imported into the server's truststore:
${com.sun.aas.instanceRoot}/config/cacerts.jks
Answer 2:
Actually I tried it on GlassFish 3.1.2 and it worked under the following conditions:
1. I had to use the same key (trust) store of JKS type and in the same location. In order to work with other certificate formats you have to convert them to a format JKS can handle.
2. In glassfish-web.xml you should have a mapping like this:
<security-role-mapping>
    <role-name>manager</role-name>
    <group-name>authorized</group-name>
</security-role-mapping>
3. In domain.xml you should have the following:
<auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
    <property name="assign-groups" value="authorized"></property>
</auth-realm>
Note: in web.xml you have to have the realm name matching the domain.xml file.
Answer 3:
When anyone tries this for the first time it will take time to understand. In simple words, both client and server trust-stores should trust each other's certificates. At first it is better to use self-signed certificates and exchange the certificates between server and client. One can use the following article for help, which has simplified steps. Follow the article, then you can use your own methods and whichever certificates you want.
http://www.slideshare.net/krizsan/scdjws-5-study-notes-3085287
SCDJWS 5, or nowadays known as Oracle Certified Professional, Java EE 5 Web Services Developer, Study Notes by Ivan A Krizsan, Version: February 23, 2012
Answer 4:
I have the same problem.
Set "Client Authentication: true" in "http-listener-2".
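As an added example (not code from the question or from any of the answers), a small Python check that applies the consistency rules the answers give to the three fragments: realm-name against auth-realm name (answer 1), role-to-group mapping against the realm's assign-groups (answer 2), and client authentication on http-listener-2 (answer 4, which in a GlassFish 3.x domain.xml is the client-auth-enabled attribute of the listener's ssl element). The XML fragments are constructed samples modelled on the page, and the check also flags the page's own web.xml pattern of constraining only POST, since an http-method list leaves the other methods unconstrained.

```python
import xml.etree.ElementTree as ET
# Constructed sample fragments (not the asker's files); element names follow the page.
WEB_XML = """<web-app><login-config><auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name></login-config><security-constraint>
<web-resource-collection><url-pattern>/faces/*</url-pattern><http-method>POST</http-method>
</web-resource-collection><auth-constraint><role-name>authorized</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""
GLASSFISH_WEB_XML = """<glassfish-web-app><security-role-mapping><role-name>authorized</role-name>
<group-name>authorized</group-name></security-role-mapping></glassfish-web-app>"""
DOMAIN_XML = """<domain><security-service>
<auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
<property name="assign-groups" value="authorized"/></auth-realm></security-service>
<network-config><protocols><protocol name="http-listener-2" security-enabled="true">
<ssl client-auth-enabled="true"/></protocol></protocols></network-config></domain>"""

def check_client_cert_config(web_xml, gf_web_xml, domain_xml, listener="http-listener-2"):
    """Return a list of findings; an empty list means the three fragments agree."""
    web, gfw, dom = (ET.fromstring(s) for s in (web_xml, gf_web_xml, domain_xml))
    findings = []
    if web.findtext("login-config/auth-method") != "CLIENT-CERT":
        findings.append("auth-method is not CLIENT-CERT")
    realm_name = web.findtext("login-config/realm-name")
    realm = next((r for r in dom.iter("auth-realm") if r.get("name") == realm_name), None)
    if realm is None:  # answer 1: realm-name must name an auth-realm in domain.xml
        findings.append(f"realm-name {realm_name!r} matches no auth-realm in domain.xml")
        groups = set()
    else:
        if not realm.get("classname", "").endswith("CertificateRealm"):
            findings.append(f"auth-realm {realm_name!r} is not a CertificateRealm")
        groups = {g.strip() for p in realm.iter("property") if p.get("name") == "assign-groups"
                  for g in p.get("value", "").split(",")}
    # answer 2: every role an auth-constraint requires must map to a group the realm assigns
    mapped = {m.findtext("role-name"): {g.text for g in m.iter("group-name")} for m in gfw.iter("security-role-mapping")}
    for sc in web.iter("security-constraint"):
        for role in sc.iter("role-name"):
            if not mapped.get(role.text, set()) & groups:
                findings.append(f"role {role.text!r} is not mapped to an assign-groups group {sorted(groups)}")
        if sc.findtext("user-data-constraint/transport-guarantee") != "CONFIDENTIAL":
            findings.append("transport-guarantee is not CONFIDENTIAL; client certificates need TLS")
        methods = [m.text for m in sc.iter("http-method")]
        if methods:  # listing methods constrains only those; the other verbs stay unprotected
            findings.append(f"only {methods} are constrained; other HTTP methods are unprotected")
    # answer 4: the SSL listener must actually request the client certificate
    ssl = dom.find(f".//protocol[@name='{listener}']/ssl")
    if ssl is None or ssl.get("client-auth-enabled") != "true":
        findings.append(f"{listener}: client-auth-enabled is not true")
    return findings
```

Running the check on the samples reports only the POST-only constraint; removing realm-name from web.xml reproduces the asker's situation and yields the unmatched-realm and unmapped-role findings.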
Source: https://stackoverflow.com/questions/10254610/glassfish-3-1-2-configuration-client-certificate-for-mutual-authentication