I posted my blogs on GlassFish V3.1 Security at http://blogs.sun.com/gfsecurity/ due to the non-availability of java.net during the V3.1 release.
GlassFish users who make use of CLIENT-CERT authentication with SSL in their JavaEE applications should consider upgrading to JDK1.6.0_22.
The GlassFish Certificate Realm in V2.X and V3.0 releases is somewhat limiting. Many users expressed the need to be able to do some custom authentication based on the client certificate (or extensions within) in a Mutual-SSL scenario, and subsequently do custom group assignments, which ultimately affect the authorization results.
Embedded GlassFish v3 is a delivery vehicle of GFv3 so that applications and tools can use GFv3 just as a library, inside their JVM. More details on this can be found on the separate project page that has been created for Embedded GlassFish.
Many users often ask the question: Can I use a custom JAAS Login Module instead of the Proprietary GlassFish Custom Realms for user authentication?
The Servlet 3.0 specification, which is part of JavaEE 6, has many new features, and some of them are in the area of security.
Shing Wai's post explains the @ServletSecurity annotation that has been newly introduced in JavaEE 6 (Servlet 3.0 specification).
In this post I would like to provide a brief summary of some of the Proprietary Features and implementation details of SAAJ 1.3.4 that are not necessarily related to the SAAJ API specifications.
The Java KeyStore API supports multiple keystore formats, which include JKS (the default Java KeyStore), PKCS12, PKCS11, etc.
Metro Security has a pluggable architecture and it makes use of JSR 196 (SOAP Profile) to achieve this pluggability. The use of JSR 196 provides a standard way to integrate Metro with the Authentication and Authorization Infrastructure of the underlying container. Though not all containers on which Metro can run today support JSR 196, the idea is that as more and m