mercredi 24 juin 2015

Client-cert authorization on glassfish

I've implemented client-cert authentication in a web service on Glassfish, and it works fine. But I tried to make authorization by the principal name of client certificate and this doesn't work.

My application web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://ift.tt/ra1lAU"
    xmlns="http://ift.tt/nSRXKP"
    xsi:schemaLocation="http://ift.tt/nSRXKP http://ift.tt/LU8AHS"
    id="WebApp_ID" version="2.5">
    <display-name>WsServer</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>WebServiceSecurity</display-name>

        <web-resource-collection>
            <web-resource-name>Authorized users only</web-resource-name>
            <url-pattern>/services/WsServerImpl</url-pattern>
        </web-resource-collection>

        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>

        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>

    </security-constraint>
    <!-- CLIENT-CERT authorization -->
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <!-- Definition of role -->
    <security-role>
        <role-name>user</role-name>
    </security-role>

    <servlet>
        <display-name>Apache-Axis Servlet</display-name>
        <servlet-name>AxisServlet</servlet-name>
        <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/servlet/AxisServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>*.jws</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AxisServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>
    <servlet>
        <display-name>Axis Admin Servlet</display-name>
        <servlet-name>AdminServlet</servlet-name>
        <servlet-class>org.apache.axis.transport.http.AdminServlet</servlet-class>
        <load-on-startup>100</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>AdminServlet</servlet-name>
        <url-pattern>/servlet/AdminServlet</url-pattern>
    </servlet-mapping>
</web-app>

and my glassfish-web.xml:

<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD 
GlassFish Application Server 3.1 Servlet 3.0//EN" 
"http://ift.tt/1eIAoSp">
<glassfish-web-app>    
    <security-role-mapping>
        <role-name>user</role-name>         
        <principal-name>CN=Name, OU=Department,
     O=Organization, L=City, ST=State,
     C=nl</principal-name>      
    </security-role-mapping>
</glassfish-web-app>

The value of principal-name is the DN of certificate.

On glassfish, I have the option "Client Authentication" enable.
If I try to get the web service from a web service client with any certificate that is imported on trustore of glassfish, this work fine, but I need that a client get the web service only if this has the certificate specified in the glassfish-web.xml, because I want to have several web service with different clients certs.

Aucun commentaire:

Enregistrer un commentaire