Custom Authentication of Client Certificate in Mutual SSL Scenarios on GlassFish
The GlassFish Certificate Realm in V2.X and V3.0 releases is somewhat limiting. Many users expressed the need to able to do some custom authentication based on the client-certificate (or extensions within) in a Mutual-SSL scenario. And subsequently do custom group assignment's which ultimately affect the authorization results. With V2.X/V3.0 the only two things that were possible are :
1. Developer can specify a Single CertificateRealm with fixed name "certificate" to be used with CLIENT-CERT authentication mechanism. No LoginModule was allowed for this realm.
2. Developer's can make use of the assign-groups functionality whereby every client that had a valid certificate (that is also trusted by the server) could be assigned a list of group(s).
What is now possible with the latest V3.1 builds on the Trunk is the following
a. The restriction (1) above of a single "certificate" realm remains. However one can now configure a LoginModule for the realm. The LoginModule would have access to the client certificate-chain and it is possible for the developer to do application specific custom authentication of the client certificate.
b. Do custom group assignment based on attributes and extensions present in the client certificate.
My team member sudarsan has created a detailed post on this with a sample loginmodule.