Glassfish 2.1 CLIENT-CERT: how to get the principal

Published 2024-12-16 00:37:59, 1082 characters, 2 views, 0 comments


I have a Web application that I want to use with a Client Cert. I have set the following up in my web.xml and I can access my application over https.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

The handshake works fine. I'm only using the cert as a very coarse-grained security measure. I simply wish to know the principal of the supplied cert, no login as such is required. However, when I try to get the principal from the session it's null.

I have also tried

X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

but this is null as well. Does anyone know how I can get the principal from my cert?

Many Thanks
Noush


Comments (1)

网白 2024-12-23 00:38:00


Are you sure that Glassfish actually requests a client certificate?

I tried to do the same with Tomcat and I found out that Tomcat only requests a client certificate if you put an auth-constraint in your security-constraint like this:

<security-constraint>
    ...
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    ...
</security-constraint>

Without an auth-constraint Tomcat does not need to login the user and so no client certificate needs to be requested. The transport-guarantee only forces HTTPS.

But even with this, I had to add the user of the certificate to the container's role management and assign a role to the user, because otherwise the user will not be able to access the URL and gets an HTTP 401 response. So if you just want a client certificate without associating it with a user in the container, it won't work.

In Tomcat you can configure a realm to accept a user without roles when the role-name is *, but you still have to add the user to the authentication realm, which doesn't help if you want to accept all certificates that are trusted and check the certificate principal yourself. Maybe that is possible with Glassfish.
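Added example, not code from the question or the answer above: a Servlet 2.5 (Java EE 5, the level Glassfish 2.1 implements) servlet that reads the certificate chain the container validated during the TLS handshake and derives the principal from the leaf certificate's subject instead of from the container realm. It assumes the login-config is CLIENT-CERT and that the security-constraint carries the auth-constraint shown in the answer; without that constraint the container has no reason to send a CertificateRequest during the handshake, which is why both the javax.servlet.request.X509Certificate attribute and getUserPrincipal() come back null in the question. The class name ClientCertServlet and the helper subjectFromChain are hypothetical names chosen for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original post). Reads the client certificate
 * chain the container validated during the TLS handshake and takes the
 * principal from the leaf certificate's subject DN.
 *
 * Assumptions: Servlet 2.5 / Java EE 5 (Glassfish 2.1), <login-config> of
 * CLIENT-CERT, and a <security-constraint> that includes an <auth-constraint>.
 * Without the auth-constraint the container does not request a client
 * certificate, and both lookups below stay null.
 */
public class ClientCertServlet extends HttpServlet {

    // Attribute name defined by the Servlet spec for the negotiated client chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /**
     * Returns the subject DN of the end-entity certificate, or null when the
     * container did not negotiate a client certificate on this connection.
     */
    static String subjectFromChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return null;
        }
        // chain[0] is the end-entity certificate; any further entries are issuers.
        return chain[0].getSubjectX500Principal().getName();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        X509Certificate[] chain =
                (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String subject = subjectFromChain(chain);

        // Only populated when the container mapped the certificate to a realm user;
        // for the "just trust the cert, no login" setup in the question it is null.
        Principal containerPrincipal = request.getUserPrincipal();

        if (subject == null) {
            // No client certificate on this connection: either the client sent
            // none or the container never asked for one. Fail closed instead of
            // falling through to an unauthenticated code path.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "client certificate required");
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Certificate subject: " + subject);
        out.println("Container principal: "
                + (containerPrincipal == null ? "(none)" : containerPrincipal.getName()));
    }
}
```

The subject DN is only as trustworthy as the truststore the container checked the chain against: a client presenting a certificate that does not chain to a CA in that truststore fails the handshake before this servlet runs, so the code never has to verify the chain itself, but it also means the truststore contents are the real access-control list. To confirm the container is actually asking for a certificate, connect with openssl s_client -connect host:port and look for the "Acceptable client certificate CA names" lines in the handshake output; "No client certificate CA names sent" means no CertificateRequest was issued, which is the situation the answer describes.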
