Home/ Questions/Q 3810120
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T15:24:39+00:00

Hello everyone I’m trying to use plain SSL between my web service and a

  • 0

Hello everyone I’m trying to use plain SSL between my web service and a client application. They are both running in GlassFish 2.1.1 and are each in seperate domains. The client application is itself web application and I have add the JVM option -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as in order to get it to send it’s certificate to the Web Services.

I’ve done the importing of the certificates into each others trust stores and it all works. The problem is that I need to do some things with the client certificate in the Web Service, but calling the getUserPrincipal method of the WebServiceContext that I declared earlier always returns ANONYMOUS.

Why is it doing this and how can I get back what’s in the certificate.

edit:
I guess I should mention that I created a CA and created new private keys and certificates which were signed by the CA for both the WS and the Client. I add the private keys to their keystores using the same S1AS default name and the new signed certificates plus the CA certificate to their trust stores.

I am protecting the WS with the following rule in web.xml:

<security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
        <web-resource-name>Customer</web-resource-name>
        <description/>
        <url-pattern>/basecustomer*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>WSClient</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>WSClient</role-name>
</security-role>

And the following in my sun-web.xml:

<security-role-mapping>
    <role-name>WSClient</role-name>
    <group-name>WSClient</group-name>
</security-role-mapping>

And finally in GlassFish under the Configuration -> Security -> Realms -> certificate I told it to Assign Group: WSClient

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    After not being able to resolve this issue, I’m going to wait for GlassFish 3.1 which adds more authentication options to the certificate realm as described by Kumar Jayanti here:
    http://weblogs.java.net/blog/kumarjayanti/archive/2010/03/25/custom-authentication-client-certificate-mutual-ssl-scenarios-g

    I hope that with this I can get around this issue. I’ll post an update once I’ve tried it out on the final GlassFish 3.1 release.

    • 0