
GF4 Mutual authentication

No replies
aschnu
Joined: 2014-03-27

I use GlassFish 4 and Netbeans 7.4.

I imported an SSL certificate into the keystore file - it works. (from this tutorial: http://javadude.wordpress.com/2010/04/06/getting-started-with-glassfish-...)
Next, I tried to implement certificate authorization (certificate created by keytool) and it works too (from this: http://mohitag80.blogspot.com/2012/02/enabling-certificate-based.html), but "certificate realm" - no, because the user can go to places where he shouldn't have access, but for now that isn't the main problem.

When I was trying to do this (cert auth) with an original certificate (from a real CA) it didn't work: my browser couldn't open the site. I added the certificate (.cer) to the cacert.jks file and in the GlassFish admin panel I set "Client Authentication" to enabled, but the situation didn't change. I downloaded the CA certificate (rootca.crt) and when I imported it into cacert.jks, my certificate (.cer) passed authorization. Unfortunately, after this I discovered that everybody with a different certificate (.cer), but from (only) this CA, may have authorization to the protected resources even though their certificates (.cer) aren't in cacerts.jks. When I deleted my certificate (.cer) from the cacerts file I could still log in to the protected resources. When I deleted the root CA (.crt) from cacert I lost my access using this certificate.

I want to log in to resources using my certificate, but other certificates (e.g. ones which aren't in the cacerts file) have to be blocked. Is it possible? If yes, where am I making a mistake?

I have selected in the GF admin: SSL, TLS, Client Authentication.
I have defined the Certificate NickName (it works) and set Max Certificate Length to 5. Other options in configurations->server-config->HTTP-Services->HTTP-Listeners->http-listener-2 are at their defaults.
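As an added example (not part of the original post), the behaviour described above is the expected split between authentication and authorization: once the CA root is in cacerts.jks, GlassFish's TLS client authentication accepts any certificate that chains to that root, so limiting access to particular certificates has to be done as an authorization check after the handshake. The servlet filter below, assuming a Servlet 3.1 web application on GlassFish 4 and a hypothetical allowlist of certificate fingerprints, rejects CA-signed certificates that are not on that list.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/protected/*")
public class PinnedClientCertFilter implements Filter {
    // Hypothetical allowlist (placeholder value): SHA-256 fingerprint of each permitted
    // client certificate, as printed by "keytool -printcert -file user.cer", lower-cased
    // with the colons removed.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "<sha256-fingerprint-of-your-cer-file>"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Servlet-spec attribute filled in by the container after a client-auth
        // handshake; index 0 is the client's own (leaf) certificate.
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String fp;
        try {
            fp = hex(MessageDigest.getInstance("SHA-256").digest(certs[0].getEncoded()));
        } catch (Exception e) {
            throw new ServletException("cannot fingerprint client certificate", e);
        }
        if (!ALLOWED.contains(fp)) {
            // CA-signed, so it passed the TLS handshake, but not a certificate we authorized.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not authorized");
            return;
        }
        chain.doFilter(req, res);
    }

    static String hex(byte[] d) {
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    @Override public void init(FilterConfig cfg) {}   // no-ops required by Servlet 3.1
    @Override public void destroy() {}
}
```

Removing a client .cer from cacerts.jks has no effect on this check because the handshake never looked for the leaf certificate there; only the pinned fingerprint list decides who gets through.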