Hello everyone. I'm trying to use plain SSL between my web service and a client application. They are both running in GlassFish 2.1.1 and are each in separate domains. The client application is itself a web application and I have added the JVM option -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as in order to get it to send its certificate to the Web Service.

I've done the importing of the certificates into each other's trust stores and it all works. The problem is that I need to do some things with the client certificate in the Web Service, but calling the getUserPrincipal method of the WebServiceContext that I declared earlier always returns ANONYMOUS.

Why is it doing this, and how can I get back what's in the certificate?

edit: I guess I should mention that I created a CA and created new private keys and certificates, signed by the CA, for both the WS and the client. I added the private keys to their keystores using the same s1as default alias, and the new signed certificates plus the CA certificate to their trust stores.

I am protecting the WS with the following rule in web.xml:

<security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
        <web-resource-name>Customer</web-resource-name>
        <description/>
        <url-pattern>/basecustomer*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>WSClient</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>WSClient</role-name>
</security-role>

And the following in my sun-web.xml:

<security-role-mapping>
    <role-name>WSClient</role-name>
    <group-name>WSClient</group-name>
</security-role-mapping>

And finally, in GlassFish under Configuration -> Security -> Realms -> certificate, I set Assign Group: WSClient.

Hiro2k
  • Are you using the certificate realm? Are you following the advice of a particular site/document and not getting the expected response? A bit more info may help generate a useful response to this question. – vkraemer Jul 22 '10 at 20:58
  • Yes I am using the certificate realm. It is all working because without the -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as option the WS can't even send a request to the WS. The problem is that in the WS operation I create a new resource: @Resource WebServiceContext wsContext; and later call the wsContext.getUserPrincipal() method and it returns ANONYMOUS. – Hiro2k Jul 23 '10 at 23:04
  • Thanks for extending your question with relevant info. – vkraemer Jul 27 '10 at 15:10
  • This message is cross-posted to the GlassFish forum: http://forums.java.net/jive/thread.jspa?messageID=478662 – vkraemer Jul 27 '10 at 15:13

3 Answers

It looks like you have not declared a user-name for the authentication, so ANONYMOUS is the correct answer.

The getUserPrincipal() doesn't read the cert to determine the user-name.

If you need to get the cert to perform actions based on its content, you need to get it a different way.

You may want to read through this article about client-cert authentication for more info and tips. The article is fairly old, but the concepts and mechanisms have not changed a lot.

vkraemer
  • I know this was a while ago but I just wanted to mention that the documentation here: http://download.oracle.com/javaee/5/tutorial/doc/bnbxj.html states that "In the certificate realm, the server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate web clients. To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate. The common name field of the X.509 certificate is used as the principal name." – Hiro2k Dec 22 '10 at 23:32
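One concrete "different way" to reach the certificate, as an added example that is not vkraemer's code or GlassFish's: after a CLIENT-CERT handshake the servlet container stores the client's chain in the javax.servlet.request.X509Certificate request attribute, and a JAX-WS endpoint can reach that request through its injected WebServiceContext. The class and method names below are assumptions; the endpoint stands in for the one behind /basecustomer* in the question.

```java
import java.security.cert.X509Certificate;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

// Added example (not GlassFish or the answer's code): read the client
// certificate the servlet container attaches after a CLIENT-CERT handshake.
@WebService
public class BaseCustomerService {
    // Request attribute name defined by the Servlet specification.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Resource
    private WebServiceContext wsContext;
    public String whoAmI() {
        X509Certificate client = clientCertificate();
        if (client == null) {
            // Refuse rather than fall back to an anonymous identity.
            throw new SecurityException("no client certificate on this request");
        }
        return commonName(client);
    }
    // Leaf certificate of the client's chain, or null if none is available.
    private X509Certificate clientCertificate() {
        MessageContext mc = wsContext.getMessageContext();
        HttpServletRequest req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST);
        if (req == null || !req.isSecure()) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        return (chain == null || chain.length == 0) ? null : chain[0];
    }
    // CN of the subject DN, e.g. "CN=wsclient,O=Example" gives "wsclient".
    static String commonName(X509Certificate cert) {
        String subject = cert.getSubjectX500Principal().getName();
        try {
            for (Rdn rdn : new LdapName(subject).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) { /* unparsable DN: return raw subject */ }
        return subject;
    }
}
```

The chain is only present when the container actually completed client authentication, so a null here means the endpoint should not trust the caller, whatever getUserPrincipal() says.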
Wow, I had to double check I hadn't stumbled onto my own question by mistake.

Maybe I'm wrong, but I was under the impression that because your authentication is done at the web server level the web service level can't reach it? Anyway my method to solve my own problem is shown here. Maybe it will help.

Catchwa
  • Hi Catchwa, I saw your thread during my long search and it didn't help because the context.getUserPrincipal().toString() that you call always still returns Anonymous. I've tried so many different configurations and none of it works. I'm going to attempt to create my own Security REALM and JAAS handler and see how that works. – Hiro2k Aug 10 '10 at 16:40
After not being able to resolve this issue, I'm going to wait for GlassFish 3.1 which adds more authentication options to the certificate realm as described by Kumar Jayanti here: http://weblogs.java.net/blog/kumarjayanti/archive/2010/03/25/custom-authentication-client-certificate-mutual-ssl-scenarios-g

I hope that with this I can get around this issue. I'll post an update once I've tried it out on the final GlassFish 3.1 release.

Hiro2k