Optional client cert authentication / fallback to basic
Hello glassfish users,
I would like to use the same URL with two methods
of authentication : client certificate, and if none is supplied
then basic http.
However, this seems impossible to do since if the URL
is defined as CLIENT_CERT, then if client does not supply
its certificate, request process is aborted by glassfish
before it reaches application code (where a filter could
handle basic authentication).
I am aware of the following optional certificate feature
and thought it would solve my problem.
However the main drawback is that this is defined on the
connector itself, and is thus common to all URLs : on the
client side, it triggers a certificate choice popup (or password
credentials on java webstarts) even on unauthenticated
URLs. This is not an option.
Would it be possible to do a per-url optional certificate,
may be by defining several login methods in web.xml or so.
Any advice on this topic will be appreciated, even if this is
I have also considered JSR-196, but could not figure out
if this may solve my problem or not.
I use GF 18.104.22.168