
Optional client cert authentication / fallback to basic

4 replies
momaison
Offline
Joined: 2008-09-29

Hello glassfish users,

I would like to use the same URL with two methods
of authentication: client certificate, and if none is supplied
then basic HTTP.
However, this seems impossible to do, since if the URL
is defined as CLIENT_CERT and the client does not supply
its certificate, request processing is aborted by GlassFish
before it reaches application code (where a filter could
handle basic authentication).

I am aware of the following optional certificate feature
http://java.net/jira/browse/GLASSFISH-6935
and thought it would solve my problem.
However, the main drawback is that this is defined on the
connector itself, and is thus common to all URLs: on the
client side, it triggers a certificate choice popup (or a password
credentials prompt on Java Web Start) even on unauthenticated
URLs. This is not an option.

Would it be possible to do a per-URL optional certificate,
maybe by defining several login methods in web.xml or so?
Any advice on this topic will be appreciated, even if it is
GlassFish/Grizzly specific.

I have also considered JSR-196, but could not figure out
whether it would solve my problem or not.
I use GF 3.1.2.2

Regards,

M. Maison

Kumar Jayanti Guest
Offline
Joined: 2011-04-02

If you wish to do that then you will need to write a JSR 196 SAM and plug it in with your.

http://docs.oracle.com/cd/E18930_01/html/821-2435/gkkyv.html

https://blogs.oracle.com/monzillo/entry/pluggable_authentication_in_the_...

On Jan 28, 2013, at 12:18 AM, Mo Maison wrote:

>
> Hello glassfish users,
>
> I would like to use the same URL with two methods
> of authentication: client certificate, and if none is supplied
> then basic HTTP.
> However, this seems impossible to do, since if the URL
> is defined as CLIENT_CERT and the client does not supply
> its certificate, request processing is aborted by GlassFish
> before it reaches application code (where a filter could
> handle basic authentication).
>
> I am aware of the following optional certificate feature
> http://java.net/jira/browse/GLASSFISH-6935
> and thought it would solve my problem.
> However, the main drawback is that this is defined on the
> connector itself, and is thus common to all URLs: on the
> client side, it triggers a certificate choice popup (or a password
> credentials prompt on Java Web Start) even on unauthenticated
> URLs. This is not an option.
>
> Would it be possible to do a per-URL optional certificate,
> maybe by defining several login methods in web.xml or so?
> Any advice on this topic will be appreciated, even if it is
> GlassFish/Grizzly specific.
>
> I have also considered JSR-196, but could not figure out
> whether it would solve my problem or not.
> I use GF 3.1.2.2
>
> Regards,
>
> M. Maison

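The reply above recommends a JSR-196 SAM (ServerAuthModule) as the way to get certificate-or-basic behaviour on one URL. The following is an added example, not code from the thread, from GlassFish or from the linked Oracle pages, showing what such a module looks like: it accepts a TLS client certificate when the container exposes one under the standard `javax.servlet.request.X509Certificate` attribute, otherwise it looks for an `Authorization: Basic` header and validates the credentials against the configured realm through `PasswordValidationCallback`, and only challenges when the security constraint makes authentication mandatory. The class name `CertOrBasicSam` and the realm name `example` are assumptions. Binding the module to an application is done the way the linked documentation describes (GlassFish's `httpservlet-security-provider` mechanism); that configuration is not shown here. Note that the module only decides the fallback at the authentication layer: the TLS handshake that asks the browser for a certificate is still configured per connector, which is exactly the drawback the original post describes, so this does not by itself remove the certificate popup on unauthenticated URLs.

```java
// Added example (not from the thread): a JSR-196 ServerAuthModule that maps a
// verified TLS client certificate to the caller when one was presented and
// otherwise falls back to HTTP Basic against the container realm.
// Class name and REALM are assumptions; the string keys are the standard
// JASPIC / Servlet Container Profile keys.
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter; // Base64 on the JDK 6/7 that GF 3.1.2 runs on

public class CertOrBasicSam implements ServerAuthModule {

    // Standard servlet attribute holding the chain the TLS layer already verified.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private static final String AUTH_TYPE = "javax.servlet.http.authType";
    private static final String REALM = "example"; // assumption: realm shown in the Basic challenge

    private CallbackHandler handler;

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));
        try {
            // 1. Certificate path. Chain validation against the trust store happened in
            //    the TLS handshake; here we only map the verified subject to a caller.
            X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
            if (chain != null && chain.length > 0) {
                String dn = chain[0].getSubjectX500Principal().getName();
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, dn) });
                messageInfo.getMap().put(AUTH_TYPE, "CLIENT_CERT");
                return AuthStatus.SUCCESS;
            }
            // 2. Basic path, taken only when the client actually sent credentials.
            String auth = request.getHeader("Authorization");
            if (auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6)) {
                byte[] raw = DatatypeConverter.parseBase64Binary(auth.substring(6).trim());
                String decoded = new String(raw, "ISO-8859-1");
                int colon = decoded.indexOf(':');
                if (colon > 0) {
                    String user = decoded.substring(0, colon);
                    char[] password = decoded.substring(colon + 1).toCharArray();
                    // The container validates user/password against the realm
                    // configured for this application.
                    PasswordValidationCallback pvc =
                            new PasswordValidationCallback(clientSubject, user, password);
                    handler.handle(new Callback[] { pvc });
                    pvc.clearPassword();
                    if (pvc.getResult()) {
                        handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, user) });
                        messageInfo.getMap().put(AUTH_TYPE, "BASIC");
                        return AuthStatus.SUCCESS;
                    }
                }
                // Bad or malformed credentials: re-challenge and stop the request here.
                return challenge(response, AuthStatus.SEND_FAILURE);
            }
            // 3. Nothing presented. Challenge only where the constraint requires a caller;
            //    otherwise let the request through as an unauthenticated (null) caller.
            if (mandatory) {
                return challenge(response, AuthStatus.SEND_CONTINUE);
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw (AuthException) new AuthException("authentication failed").initCause(e);
        }
    }

    private AuthStatus challenge(HttpServletResponse response, AuthStatus status) throws java.io.IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return status;
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```

Two design points worth noting. First, the module never tries to "ask for" a certificate itself: whether the handshake requested one is decided by the connector, and the SAM only reads the result, so a client that has no certificate is not disconnected by this code. Second, wrong Basic credentials return `SEND_FAILURE` (the request is rejected) while a missing header on a protected resource returns `SEND_CONTINUE` with the 401 challenge, which is the normal JASPIC way to start the Basic dialog.
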
momaison
Offline
Joined: 2008-09-29

Hello,

I didn't manage to make it work. After some research, though,
I am not sure that this authentication method fallback is achievable
with GlassFish: I managed to request the client certificate by calling
request.getAttribute("org.apache.coyote.request.X509Certificate"),
however if the client does not have one, then the SSL connection is broken.
Thus there is no chance to negotiate HTTP basic authentication after that.

I managed anyway to find a kind of workaround thanks to the
links below.
Thank you for your advice!

Regards,

M. Maison

On 28/01/2013 07:04, KumarJayanti wrote:
> If you wish to do that then you will need to write a JSR 196 SAM and
> plug it in with your.
>
> http://docs.oracle.com/cd/E18930_01/html/821-2435/gkkyv.html
>
> https://blogs.oracle.com/monzillo/entry/pluggable_authentication_in_the_...

Kumar Jayanti Guest
Offline
Joined: 2011-04-02

On Feb 3, 2013, at 3:20 PM, Mo Maison wrote:

>
> Hello,
>
> I didn't manage to make it work. After some research, though,
> I am not sure that this authentication method fallback is achievable
> with GlassFish: I managed to request the client certificate by calling
> request.getAttribute("org.apache.coyote.request.X509Certificate"),
> however if the client does not have one, then the SSL connection is broken.
> Thus there is no chance to negotiate HTTP basic authentication after that.
>
> I managed anyway to find a kind of workaround thanks to the
> links below.
What is the workaround, I am curious.
> Thank you for your advice!
>
> Regards,
>
> M. Maison
>

momaison
Offline
Joined: 2008-09-29

On 03/02/2013 11:03, KumarJayanti wrote:
> On Feb 3, 2013, at 3:20 PM, Mo Maison wrote:
>
>> Hello,
>>
>> I didn't manage to make it work. After some research, though,
>> I am not sure that this authentication method fallback is achievable
>> with GlassFish: I managed to request the client certificate by calling
>> request.getAttribute("org.apache.coyote.request.X509Certificate"),
>> however if the client does not have one, then the SSL connection is broken.
>> Thus there is no chance to negotiate HTTP basic authentication after that.
>>
>> I managed anyway to find a kind of workaround thanks to the
>> links below.
> What is the workaround, I am curious.
>

It is a workaround for the initial problem of being able
to authenticate with a certificate OR a login/password.
I gave up on using the same URL, so I duplicated them.

Basically, I have set up a tiny WAR with the /x509 context, which
requests a client cert for any path and internally forwards the
request to the URL path following /x509 (this targets
the original application WAR).
Thus a client with login/password will use the usual URL /xxx/yyy,
whereas a client with a certificate will use the URL /x509/xxx/yyy.

The authentication type is not transparent (and I cannot imagine
a way to do automatic redirects; maybe by requiring preemptive
basic authentication for clients, and asking for a client cert
if no Authorization: header is found?); ideas are welcome.

Also, for a web site this may require some URL rewriting.

M. Maison
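The "/x509" front-end WAR described in the post above, written out as an added example (this is not the poster's code, and nothing in the thread shows how it was actually built). The servlet assumes it is mapped to `/*` inside a WAR deployed at context `/x509` whose web.xml declares `<auth-method>CLIENT-CERT</auth-method>` with a security constraint covering `/*`, and that cross-context dispatch between the two applications is enabled in the server (a per-application deployment setting in GlassFish; the exact property is not on this page and is assumed to be configured). The first path segment after `/x509` is taken as the target context and the remainder as the path inside it, so `/x509/xxx/yyy` forwards to `/yyy` in the `/xxx` application.

```java
// Added example (not the poster's code): front-end servlet in the /x509 WAR.
// Assumes web.xml enforces CLIENT-CERT on /* and cross-context dispatch is enabled.
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class X509ForwardServlet extends HttpServlet {

    // Standard servlet attribute holding the client chain verified by the TLS layer.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: the CLIENT-CERT constraint should already have run, but
        // never forward a request that has no verified chain and no authenticated caller.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0 || req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // With a "/*" mapping, getPathInfo() is everything after the /x509 context.
        String[] target = splitTarget(req.getPathInfo());
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // getContext() returns null when the context does not exist or cross-context
        // dispatch is not allowed, so an unknown first segment cannot reach anything.
        ServletContext other = getServletContext().getContext(target[0]);
        if (other == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String qs = req.getQueryString();
        RequestDispatcher rd = other.getRequestDispatcher(qs == null ? target[1] : target[1] + "?" + qs);
        rd.forward(req, resp);
    }

    /**
     * Splits "/xxx/yyy/zzz" into { "/xxx", "/yyy/zzz" }; "/xxx" alone maps to the
     * root of that context. Returns null for empty paths or anything containing "..".
     */
    static String[] splitTarget(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return null;
        }
        if (pathInfo.contains("..")) {
            return null; // no segment traversal into an unintended context
        }
        int second = pathInfo.indexOf('/', 1);
        if (second < 0) {
            return new String[] { pathInfo, "/" };
        }
        return new String[] { pathInfo.substring(0, second), pathInfo.substring(second) };
    }
}
```

One consequence to keep in mind when using this split: a forward does not re-run the target application's own security constraints, so the BASIC constraint in `/xxx` is not evaluated for forwarded requests, and the request the target sees carries the principal that the certificate realm established in `/x509`. That is what makes the two entry points behave like one application, but it also means the certificate realm alone decides who is allowed through `/x509`, so its trust store and any group mapping deserve the same review as the login/password realm.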