glassfish / GLASSFISH-14443

[BLOCKING] Grizzly does not use setNeedClientAuth on SSLSocket despite config setting

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.1
    • Fix Version/s: 3.1_b28
    • Component/s: grizzly-kernel
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: All

    • Issuezilla Id:
      14,443

      Description

      Grizzly does not honor a config setting of clientAuth="want"

      Secure admin requires the admin listener to want SSL client auth. Thanks to
      Justin's config script, enable-secure-admin sets that config option.

      The GrizzlyRequest.getUserPrincipal always returns null, though. After testing
      with javax.net.debug=ssl I found that the server never asks the client for a cert.

      As a further test, I configured the listener with clientAuth="need" and then the
      logging showed the client cert exchange and GrizzlyRequest.getUserPrincipal
      returned the correct Principal object.

      It looks as if, in the Grizzly utils module, JSSE14SocketFactory looks for an
      attribute named "clientauth" and, if found, uses its value to invoke
      sslSocket.setNeedClientAuth. There seems to be no way for a caller to specify
      that setWantClientAuth should be invoked instead.

      I am not sure if GlassFish or another part of Grizzly is already setting an
      attribute that these classes could inspect to distinguish between "need" and
      "want" or whether that code might need to change also so the config info in
      domain.xml is propagated into Grizzly and, eventually, the SSLSocket.
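
The need/want distinction described in the report, as an added example that is not part of the original issue or of Grizzly's code: it maps a clientAuth string to exactly one of the two JSSE setters and prints the resulting flags. The `ClientAuth` enum, `parse` and `apply` are hypothetical names, the config values are constructed, and an `SSLEngine` stands in for the `SSLSocket` so the example runs without a listener.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Locale;

public class ClientAuthMapping {

    // Hypothetical tri-state for the clientAuth values quoted in the report.
    enum ClientAuth { NONE, WANT, NEED }

    // Unknown values are rejected rather than silently treated as "no client auth".
    static ClientAuth parse(String value) {
        if (value == null || value.trim().isEmpty()) {
            return ClientAuth.NONE;
        }
        switch (value.trim().toLowerCase(Locale.ROOT)) {
            case "want": return ClientAuth.WANT;
            case "need": return ClientAuth.NEED;
            default: throw new IllegalArgumentException("unknown clientAuth: " + value);
        }
    }

    // JSSE stores one tri-state: each setter clears the other flag,
    // so exactly one setter is called per mode.
    static void apply(SSLEngine engine, ClientAuth mode) {
        SSLParameters params = engine.getSSLParameters();
        switch (mode) {
            case NEED: params.setNeedClientAuth(true); break;   // handshake fails without a cert
            case WANT: params.setWantClientAuth(true); break;   // cert requested, still optional
            default:   params.setWantClientAuth(false); break;  // no CertificateRequest is sent
        }
        engine.setSSLParameters(params);
    }

    public static void main(String[] args) throws Exception {
        for (String cfg : new String[] {"want", "need", ""}) {  // constructed sample values
            SSLEngine engine = SSLContext.getDefault().createSSLEngine();
            engine.setUseClientMode(false);  // client-auth flags only apply in server mode
            apply(engine, parse(cfg));
            System.out.printf("clientAuth=\"%s\" -> want=%b need=%b%n",
                    cfg, engine.getWantClientAuth(), engine.getNeedClientAuth());
        }
    }
}
```

With "want", a client that presents no certificate still completes the handshake, so server code must treat a missing peer principal as unauthenticated.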

        Activity

        Ryan Lubke added a comment -

        Issue resolved in the grizzly workspace (grizzly~svn:5359). Tim confirmed the fix.

        Grizzly 1.9.22 integrated into 3.1-b28 branch.


          People

          • Assignee:
            Justin Lee
            Reporter:
            Tim Quinn
          • Votes:
            0
            Watchers:
            0
