...

Create the properties file security realm following the steps described in **. Base the properties files on the client certificate that will be used for client authentication: each entry in the user properties file maps a username to the subject DN of one client certificate, and each entry in the group properties file lists the usernames that belong to that group. For example, a security realm CertificatePropsRealm whose user and group properties files are derived from My_Private_key created above looks like this:

Excerpt from user_sample.properties:

    client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC
    client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC

Excerpt from group_sample.properties:

    admin=client1,client2

Configure the deployment descriptor and deployment plan of your web application to use the properties file security realm created for client authentication. For example, an application that authenticates its clients through the certificate-based CertificatePropsRealm security realm must configure its deployment descriptor as follows:

Excerpt from web.xml:

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Not Required for CLIENT-CERT</realm-name>
    </login-config>

where

  • <auth-method>CLIENT-CERT</auth-method>: sets the authentication method to CLIENT-CERT, so the container authenticates the caller with the X.509 certificate presented during the TLS handshake instead of a username and password, and the certificate properties file realm maps that certificate to a user.
  • <realm-name>: only used by BASIC authentication to name the realm in the browser prompt; for CLIENT-CERT the value is ignored, which is why the excerpt holds a placeholder.

The deployment plan is configured as follows:

Excerpt from geronimo-web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.1">
        <context-root>/Sample_CertificatePropsRealm</context-root>
        ...
        <security-realm-name>CertificatePropsRealm</security-realm-name>
        <security>
            <default-principal>
                <!-- name must match a user entry in the realm's user properties file (user_sample.properties above) -->
                <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                           name="client1"/>
            </default-principal>
            <role-mappings>
                <role role-name="content-administrator">
                    <realm realm-name="CertificatePropsRealm">
                        <!-- name must match a group entry in the realm's group properties file (group_sample.properties above) -->
                        <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                                   name="admin" designated-run-as="true"/>
                        <!-- individual users from the user properties file can be mapped to the role as well -->
                        <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                                   name="client1"/>
                        ...
                    </realm>
                </role>
            </role-mappings>
        </security>
    </web-app>

You can install a client certificate into the web browser to authenticate against Web servers. The certificate's subject DN must match the DN value of a user entry in the user properties file exactly (for client1 above, CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC), and that user must be listed in a group that the deployment plan maps to a role; a certificate whose subject is not in the user properties file is accepted by the TLS handshake but the request is rejected as unauthenticated. The browser only sends the certificate at all if the HTTPS connector serving the application is configured to request client certificates and trusts the certificate's issuer.
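The following script is an added example, not part of the Geronimo documentation or the Geronimo code base. It checks a user/group properties pair offline before the realm is deployed: it parses both files the way java.util.Properties does (splitting on the first `=` only, so the `=` characters inside a DN survive), normalises DNs into compact RFC 2253 form, flags entries that a string comparison against a certificate subject would miss, flags DNs assigned to two users and group members that have no user entry, and then simulates the realm lookup plus the role mapping from geronimo-web.xml for a given certificate subject. It assumes the login module compares the certificate's subject DN with the properties value as a plain string in compact RFC 2253 form, which is what the excerpt's format suggests; confirm that against the login module shipped with your Geronimo version. The sample data mirrors the excerpts above, plus two constructed mistakes (a sloppy DN for client3 and an undefined user client9) so that the lint has something to report; `ROLE_TO_GROUPS` is a hypothetical dictionary standing in for the `<role-mappings>` element.

```python
"""Offline sanity check for a Geronimo certificate properties realm.

Added example; assumes the realm matches a client certificate by comparing
its subject DN (compact RFC 2253 form) with the user properties as a string.
"""
from __future__ import annotations

# Constructed sample input. client1/client2/admin mirror the page's excerpts;
# client3 (spaces, lower-case type) and client9 (no user entry) are deliberate
# mistakes added so the lint below has something to report.
USER_PROPERTIES = """\
# username=subject DN of the client certificate, compact RFC 2253 form
client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC
client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC
client3=cn=localhost3, OU=Geronimo,O=Apache,L=Other_City,ST=Other_State,C=CC
"""

GROUP_PROPERTIES = """\
# group=comma-separated usernames
admin=client1,client2
auditors=client3,client9
"""

# Hypothetical stand-in for <role-mappings>: role name -> group principals.
ROLE_TO_GROUPS = {"content-administrator": {"admin"}}


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader for key=value lines.

    Splits on the FIRST '=' only, so a DN value (which always contains '=')
    is kept whole. Comments (#, !) and blank lines are skipped; ':' separators
    and backslash line continuations are not handled.
    """
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 2253 DN into (TYPE, value) pairs, preserving RDN order.

    A backslash escapes the next character, so the comma in 'O=Apache\\, Inc'
    is part of the value, not an RDN separator.
    """
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def canonical_dn(dn: str) -> str:
    """Compact RFC 2253 form: upper-case types, no blanks around ',' or '=',
    RDN order unchanged (order is significant in a DN)."""
    return ",".join(f"{t}={v}" for t, v in split_dn(dn))


def load_realm(user_text: str, group_text: str) -> tuple[dict[str, str], dict[str, list[str]]]:
    """Return (username -> DN, group -> [usernames])."""
    users = parse_properties(user_text)
    groups = {group: [m.strip() for m in members.split(",") if m.strip()]
              for group, members in parse_properties(group_text).items()}
    return users, groups


def lint_realm(users: dict[str, str], groups: dict[str, list[str]]) -> list[str]:
    """Report mistakes that would silently break client certificate login."""
    findings: list[str] = []
    seen: dict[str, str] = {}
    for user, dn in users.items():
        canon = canonical_dn(dn)
        if canon != dn:
            findings.append(f"{user}: DN {dn!r} is not in compact RFC 2253 form; "
                            f"a string match against the certificate subject will fail")
        if canon in seen:
            findings.append(f"{user}: DN already assigned to {seen[canon]}; "
                            f"one certificate would map to two users")
        seen.setdefault(canon, user)
    for group, members in groups.items():
        for member in members:
            if member not in users:
                findings.append(f"group {group}: member {member!r} has no user entry")
    return findings


def resolve_principal(subject_dn: str, users: dict[str, str],
                      groups: dict[str, list[str]], role_to_groups: dict[str, set]) -> dict:
    """Simulate realm lookup (exact string match, per the assumption above)
    followed by the role mapping for one certificate subject."""
    user = next((u for u, dn in users.items() if dn == subject_dn), None)
    if user is None:
        return {"user": None, "groups": [], "roles": []}
    member_of = sorted(g for g, members in groups.items() if user in members)
    roles = sorted(r for r, gs in role_to_groups.items() if gs & set(member_of))
    return {"user": user, "groups": member_of, "roles": roles}


if __name__ == "__main__":
    users, groups = load_realm(USER_PROPERTIES, GROUP_PROPERTIES)
    for finding in lint_realm(users, groups):
        print("WARN", finding)
    for subject in ("CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC",
                    "CN=localhost3,OU=Geronimo,O=Apache,L=Other_City,ST=Other_State,C=CC"):
        print(subject, "->", resolve_principal(subject, users, groups, ROLE_TO_GROUPS))
```

To obtain a real certificate's subject in the same compact form, run `openssl x509 -in client.crt -noout -subject -nameopt RFC2253` and drop the leading `subject=` prefix before passing it to `resolve_principal`. The lint deliberately canonicalises only for detection and keeps the lookup itself as an exact comparison: the fix for a flagged entry is to rewrite the properties file, not to loosen the match, since a permissive comparison would make two distinct subjects indistinguishable to the realm.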

...