Custom Authentication of Client Certificate in Mutual SSL Scenarios on GlassFish

Posted by kumarjayanti on March 25, 2010 at 5:06 AM PDT

The GlassFish Certificate Realm in the V2.X and V3.0 releases is somewhat limiting. Many users expressed the need to be able to do some custom authentication based on the client certificate (or extensions within it) in a Mutual-SSL scenario, and subsequently to do custom group assignments, which ultimately affect the authorization results. With V2.X/V3.0 the only two things that were possible are:

1. The developer can specify a single CertificateRealm with the fixed name "certificate" to be used with the CLIENT-CERT authentication mechanism. No LoginModule was allowed for this realm.

2. Developers can make use of the assign-groups functionality, whereby every client that had a valid certificate (that is also trusted by the server) could be assigned a list of group(s).

What is now possible with the latest V3.1 builds on the Trunk is the following:

a. The restriction (1) above of a single "certificate" realm remains. However, one can now configure a LoginModule for the realm. The LoginModule has access to the client certificate chain, so the developer can do application-specific custom authentication of the client certificate.

b. Do custom group assignment based on attributes and extensions present in the client certificate.

My team member Sudarsan has created a detailed post on this with a sample LoginModule.
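
The V3.1 capability described in (a) and (b), as an added example that is not from the original post or from the linked sample: a LoginModule for the "certificate" realm that requires the clientAuth extended key usage and maps allow-listed OU values from the subject to groups. It assumes GlassFish 3.1's `com.sun.appserv.security.AppservCertificateLoginModule` base class on the compile classpath; the class name, OU values and group names are hypothetical.

```java
import com.sun.appserv.security.AppservCertificateLoginModule;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.LoginException;

// Added example; the class name, OU values and group names are hypothetical.
public class OuGroupCertLoginModule extends AppservCertificateLoginModule {
    private static final String CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    // Allowlist: only these OU values map to a group; any other OU grants nothing.
    private static final Map<String, String> OU_TO_GROUP = new HashMap<String, String>();
    static {
        OU_TO_GROUP.put("Payments", "payments-users");
        OU_TO_GROUP.put("Operations", "ops-admins");
    }
    // LdapName parses the RFC 2253 subject, so an escaped comma inside a value is not a new "OU=".
    static List<String> groupsForSubject(String dn) throws InvalidNameException {
        List<String> groups = new ArrayList<String>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            String group = OU_TO_GROUP.get(String.valueOf(rdn.getValue()));
            if ("OU".equalsIgnoreCase(rdn.getType()) && group != null) groups.add(group);
        }
        return groups;
    }

    @Override
    protected void authenticateUser() throws LoginException {
        X509Certificate[] chain = getCerts();
        if (chain == null || chain.length == 0) throw new LoginException("no client certificate");
        try {
            // Assumption: chain[0] is the client's own certificate, issuers follow it.
            List<String> eku = chain[0].getExtendedKeyUsage();
            if (eku == null || !eku.contains(CLIENT_AUTH_EKU))
                throw new LoginException("certificate lacks clientAuth extended key usage");
            List<String> groups = groupsForSubject(getX500Principal().getName());
            if (groups.isEmpty()) throw new LoginException("no recognised OU in subject");
            commitUserAuthentication(groups.toArray(new String[0]));
        } catch (CertificateParsingException e) {
            throw new LoginException("unreadable extensions: " + e.getMessage());
        } catch (InvalidNameException e) {
            throw new LoginException("unparseable subject DN: " + e.getMessage());
        }
    }
}
```

The module fails closed: a certificate the server trusts but that carries no allow-listed OU is rejected rather than authenticated with an empty group list. The realm only invokes the module when its `jaas-context` property, spelled exactly so as a comment below points out, names the login configuration entry that lists this class.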


Kumar,

Could I get some help from you to get this working? I posted on the Glassfish forum, and you answered there, where I stated that I was using instructions from this page. Everything I see looks like it is some kind of certificate issue, and the instructions are not clear about setting up client certs in the server or the client cert certificate chain. I think that may be the issue, but I am still confused why I never see my LoginModule called, or even loaded.

Did you check the other comment from nithya where she mentioned the name of the property was misspelled as jass-context instead of jaas-context in the Realm Definition?

Problem with certificaterealm loginModule glassfish 3.1

I have problems with commitUserAuthentication. I get the following error: HTTP Status 403 - Access to the requested resource has been denied. I have my groups within a table in a database, and make a query with the identification of the certificate and get the group, but when I use commitUserAuthentication it does not work. Greetings Gary, thanks for your help and quick response.

Hi, sorry for the late reply. Please post your questions on users@glassfish and maybe I can help there, and there will be others who can also help.


Problem with certificaterealm loginModule glassfish 3.1

I don't to create the java-context like a property in glassfish 3.1. I can not call the class CertificateLM; would you help me? I need to solve this. I issued the following command and it gave me no results: # /bin/asadmin set

Already solved.

What about v2.1.1

Hello Kumar, thanks for your hard work in this area. I currently need something very similar. What I want to know is if you will be porting this functionality back to the 2.1 branch, and if not, is there any way that I can back-port it myself?

 If you are a GFV2 customer then you can demand that this feature be available as a patch. Otherwise as you know there are no more source code changes in V2, only customer patches.

Failed to validate certificate from WSIT Client for WCF Service

Hi Kumar, I have been reading several of your articles on WSIT and they gave me a good foundation on how to develop a WSIT client for a WCF Web service. I have been stuck with an issue for more than 4 days and could not find a solution. I am writing a WSIT client for a WCF web service which requires mutual certificate authentication. I received the .pfx file from the service provider, which I imported to the Java truststore. Because I was getting an exception for the serverfake certificate, I added that too to the truststore. NetBeans creates the following entry in the service.svc.xml: with this configuration in hand, when I invoke the web service method, I receive this exception: SEVERE: WSS1518: Failed to validate certificate the trustAnchors parameter must be non-empty. I would appreciate it if you can kindly help me in fixing this issue. Thank you very much in advance.

It means that you do not have the client-side truststore configured properly, or somehow the WSIT runtime is not able to locate the truststore. You may send email to since it is very cumbersome to converse through comments.


client howto

Hi man, maybe you can help me. I am programming a .jar that invokes a WS WSDL with Metro 2.0. The invocation must sign with an X.509; I have the files .cer, .key and .key. Do you know how I do that? Thanks! My email is