...
Create the properties file security realm with the steps described in **. The properties files should be based on the client certificate that will be used for client authentication: each user entry maps a user name to the exact subject DN of that user's certificate, and each group entry lists the users that belong to the group. For example, a security realm CertificatePropsRealm whose user and group properties files are based on the My_Private_key created above is as follows.

User properties file (cert-users.properties):

```properties
client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC
client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC
```

Group properties file (cert-groups.properties):

```properties
admin=client1,client2
```
Configure the deployment descriptor and deployment plan of your web application to use the properties file security realm created for client authentication. For example, applications that use the CertificatePropsRealm security realm must configure their deployment descriptor as follows:

```xml
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Not Required for CLIENT-CERT</realm-name>
</login-config>
```

where

- `<auth-method>CLIENT-CERT</auth-method>` sets the auth-method to CLIENT-CERT, so the certificate properties file realm is used for client authentication. The `<realm-name>` element is ignored for CLIENT-CERT and may hold any value.
The deployment plan is configured as follows:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.1">
    <context-root>/Sample_CertificatePropsRealm</context-root>
    ...
    <security-realm-name>CertificatePropsRealm</security-realm-name>
    <security>
        <default-principal>
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                       name="client1"/>
            <!-- name should match the entries from cert-users.properties of the realm -->
        </default-principal>
        <role-mappings>
            <role role-name="content-administrator">
                <realm realm-name="CertificatePropsRealm">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                               name="admin" designated-run-as="true"/>
                    <!-- name should match the entries from cert-groups.properties of the realm -->
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                               name="client1"/>
                    ...
                </realm>
            </role>
        </role-mappings>
    </security>
</web-app>
```
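The following is an added illustration, not Geronimo's own code, of how the pieces configured above fit together: the subject DN presented by a client certificate is looked up in the user properties file to obtain a user principal, the group properties file yields the group principals, and the role mapping from the deployment plan decides whether the caller holds a role. It assumes (as the page's files suggest) that the DN is compared as an exact string, so attribute order and spacing must match the configured entry; the sample properties content and the extra `viewer` role are constructed for the example.

```python
"""Added example (not Geronimo code): resolve a client certificate's subject DN
through cert-users.properties and cert-groups.properties, then apply the
role mapping from the deployment plan."""
from typing import Dict, Optional, Set, Tuple

# Constructed sample content mirroring the properties files on the page.
CERT_USERS_PROPERTIES = """\
# cert-users.properties: user principal name = certificate subject DN
client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC
client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC
"""

CERT_GROUPS_PROPERTIES = """\
# cert-groups.properties: group name = comma-separated user principal names
admin=client1,client2
"""

# Role -> principals allowed, taken from the deployment plan's <role-mappings>.
# ("group", "admin") is the GeronimoGroupPrincipal, ("user", "client1") the
# GeronimoUserPrincipal. The "viewer" role is a constructed addition.
ROLE_MAPPINGS: Dict[str, Set[Tuple[str, str]]] = {
    "content-administrator": {("group", "admin"), ("user", "client1")},
    "viewer": {("user", "client2")},
}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a Java-style properties file: key=value per line, '#' or '!'
    comments, and the value is everything after the FIRST '=' (the DN itself
    contains '=' characters, so splitting on the first one is essential)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line without a separator: ignore it
        props[key.strip()] = value.strip()
    return props


def dn_to_user(users: Dict[str, str], subject_dn: str) -> Optional[str]:
    """Reverse lookup: the user whose configured DN equals the certificate's
    subject DN. Assumption: exact string comparison, so a reordered or
    differently spaced DN does not match."""
    for user, dn in users.items():
        if dn == subject_dn:
            return user
    return None


def groups_of(groups: Dict[str, str], user: str) -> Set[str]:
    """All groups whose member list names this user."""
    return {
        group for group, members in groups.items()
        if user in {m.strip() for m in members.split(",")}
    }


def authorize(subject_dn: str, role: str) -> Optional[bool]:
    """None: certificate DN unknown to the realm (authentication fails).
    True/False: authenticated, and whether the caller holds `role`."""
    users = parse_properties(CERT_USERS_PROPERTIES)
    groups = parse_properties(CERT_GROUPS_PROPERTIES)
    user = dn_to_user(users, subject_dn)
    if user is None:
        return None
    principals = {("user", user)} | {("group", g) for g in groups_of(groups, user)}
    return bool(principals & ROLE_MAPPINGS.get(role, set()))


if __name__ == "__main__":
    dn = "CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC"
    print("client2 as content-administrator:", authorize(dn, "content-administrator"))
    print("unknown DN:", authorize("CN=intruder,O=Example,C=CC", "viewer"))
```

Running it shows that client2 reaches content-administrator only through the admin group, while a DN that is absent from cert-users.properties is rejected before any role check; the same exact-match behaviour is why the properties entry must reproduce the certificate's subject DN verbatim.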
You can install a client certificate into the web browser to authenticate against Web servers. The client certificate should be based on the information provided in the group and user properties files.
...