Grizzly does not honor a config setting of clientAuth="want"
Secure admin requires the admin listener to want SSL client auth. Thanks to
Justin's config script enable-secure-admin sets that config option.
The GrizzlyRequest.getUserPrincipal always returns null, though. After testing
with javax.net.debug=ssl I found that the server never asks the client for a cert.
As a further test, I configured the listener with clientAuth="need" and then the
logging showed the client cert exchange and GrizzlyRequest.getUserPrincipal
returned the correct Principal object.
It looks as if, in the Grizzly utils module, JSSE14SocketFactory looks for an
attribute named "clientauth" and, if found, uses its value to invoke
sslSocket.setNeedClientAuth. There seems to be no way for a caller to specify
that setWantClientAuth should be invoked instead.
I am not sure if GlassFish or another part of Grizzly is already setting an
attribute that these classes could inspect to distinguish between "need" and
"want" or whether that code might need to change also so the config info in
domain.xml is propagated into Grizzly and, eventually, the SSLSocket.
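
The "want" versus "need" distinction described in this report, as an added example against the plain JSSE API (not Grizzly or GlassFish code). The `ClientAuthMode` enum and `apply` helper are hypothetical names, and the accepted strings `none`/`want`/`need` are assumptions about the configured value.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class ClientAuthModeDemo {

    /** Hypothetical tri-state for a listener's clientAuth setting. */
    enum ClientAuthMode {
        NONE, WANT, NEED;

        static ClientAuthMode parse(String value) {
            if (value == null || value.isEmpty()) return NONE;
            switch (value.trim().toLowerCase()) {
                case "none": return NONE;
                case "want": return WANT;
                case "need": return NEED;
                // Reject typos instead of silently running without client auth.
                default: throw new IllegalArgumentException("bad clientAuth: " + value);
            }
        }
    }

    /** Call exactly one setter: in JSSE each of them overrides the other. */
    static void apply(SSLEngine engine, ClientAuthMode mode) {
        switch (mode) {
            case NEED: engine.setNeedClientAuth(true);  break; // handshake fails without a cert
            case WANT: engine.setWantClientAuth(true);  break; // cert requested, but optional
            default:   engine.setNeedClientAuth(false); break; // no CertificateRequest sent
        }
    }

    public static void main(String[] args) throws Exception {
        for (String configured : new String[] {"none", "want", "need"}) {
            SSLEngine engine = SSLContext.getDefault().createSSLEngine();
            engine.setUseClientMode(false); // server side of the handshake
            apply(engine, ClientAuthMode.parse(configured));
            System.out.printf("%-4s -> want=%b need=%b%n", configured,
                    engine.getWantClientAuth(), engine.getNeedClientAuth());
        }

        // Pitfall when a boolean-only code path is patched by adding a second call:
        // setNeedClientAuth(false) after setWantClientAuth(true) clears the "want" flag.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        engine.setWantClientAuth(true);
        engine.setNeedClientAuth(false);
        System.out.println("want after setNeedClientAuth(false): " + engine.getWantClientAuth());
    }
}
```

With `want`, the handshake still completes when the client presents no certificate, so code that reads the peer principal has to treat a missing principal as unauthenticated.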