Client-Auth REQUESTED in GlassFish
By Kalpana Karunamurthi on May 31, 2010
Client authentication is supported in GlassFish. It is one of the most common features available in any web container.
Client authentication can be enabled in GlassFish by enabling the "client-auth-enabled" attribute of the "ssl" element of the http-listener. Currently, client-auth can be either REQUIRED or NOT-REQUIRED.
But, as per javax.net.ssl.*, client-auth can take 3 values:
- need - REQUIRED. The client certificate is mandatory for authentication.
- want - REQUESTED. The client certificate is optional for authentication.
- blank - NOT REQUIRED. No client certificate is needed for authentication.
With 2.1.1 patch 6, we plan to support the "want" value. This is enabled in the patch by a system property.
In domain.xml, please add the following property to the http-listener element:
<property name="com.sun.grizzly.ssl.auth" value="want"/>
When the browser prompts for a certificate, it is optional for the user to accept or decline sending the certificate in order to access the resource. Also, applications written on top of GlassFish can decide how they want to authorize each case.
This feature is also available in GlassFish v3.
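
Because "want" lets the handshake complete without a certificate, the application has to enforce the requirement on the resources that need it. The servlet filter below is an added example, not code from the original post or from GlassFish; the class name and the `allowedSubjects` init-param are hypothetical, and it assumes the filter is mapped in web.xml only to the URLs that must present a certificate.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, mapped in web.xml only to the URLs that need a certificate.
// With client-auth "want" the TLS handshake succeeds with or without a client
// certificate, so the application has to enforce the requirement itself.
public class RequireClientCertFilter implements Filter {

    // Standard Servlet API attribute that carries the client certificate chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private final Set<String> allowedSubjects = new HashSet<String>();

    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-param: RFC 2253 subject DNs separated by ';'.
        String param = cfg.getInitParameter("allowedSubjects");
        if (param == null || param.trim().isEmpty()) {
            throw new ServletException("allowedSubjects init-param is required");
        }
        for (String dn : param.split(";")) {
            if (!dn.trim().isEmpty()) allowedSubjects.add(dn.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse out = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // The user declined the browser prompt or has no certificate.
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        // Element 0 is the client's own certificate; the rest are its issuers.
        String subject = certs[0].getSubjectX500Principal().getName();
        if (!allowedSubjects.contains(subject)) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate not authorized");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

URLs outside the filter mapping stay reachable without a certificate, which is the behavior "want" is meant to allow.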