5

I'm currently building a Java-servlet applcation (using Jersey on GlassFish to be specific). In some parts of the application I need to authenticate the user using basic authentication and in some other parts I need to use client certificates. Which one is used will be based on the path of the request. E.g. /cert/secretMethod1 or /basic/secretMethod2 .

How do I do that? Below is my current web.xml which currently only does basic authentication. I guess I need to use two different but I'd prefer to use only one authentication realm. Are there tags/attributes for web.xml which enables me to specify different auth-methods for different paths of the app?

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>
    TestServer
</display-name>   
<servlet>
    <description>Jersey servlet</description>
    <display-name>Jersey servlet</display-name>
    <servlet-name>JerseyServlet</servlet-name>
    <servlet-class>
        com.sun.jersey.spi.container.servlet.ServletContainer
    </servlet-class>              
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>JerseyServlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
    <display-name>TestServer</display-name>
    <web-resource-collection>
        <web-resource-name>TestServer</web-resource-name>
        <description></description>
        <url-pattern>/</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Have to be a USER</description>
        <role-name>User</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>jpaCustomRealm</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>User</role-name>
</security-role>    
</web-app>

2 Answers2

3

Unfortunately, client certificate authentication works at a different layer than the application. So, your best bet would be to re-direct the client to a different SSL listening port that requires client certificate authentication to connect.

E.g.

  1. App connects to https://example.com/basic that uses a standard SSL connection without client certification verification. Works as normal.
  2. App connects to https://example.com/cert that uses a standard SSL connection without client certification verification. Is then redirected to https://example.com:8443/cert that is a SSL connection which requires client certificate verification. App proceeds as normal.
sybreon
  • 7,357
  • 1
  • 19
  • 19
  • Thanks, but unfortunately the clients I'm working with only work on port 443 and 80 so that doesn't work in my case. –  Sep 13 '09 at 16:12
  • Are they not web-browsers? Otherwise, you could try re-directing them to a different IP on port 443 instead. – sybreon Sep 13 '09 at 16:40
  • Nope, they are not web-browsers. Right now it looks like I will create two separate web-modules and configure them with different auth-mechanisms. –  Sep 13 '09 at 16:51
  • I wish I could vote your answer up but my rep. is too low (I need 15p first). –  Sep 16 '09 at 17:14
2

I solved it by creating two separate web-apps (i.e. two modules in IntelliJ or two projects in Eclipse). That way I could configure the authentication-mechanisms separately and have different mechanisms for different paths.