WebServiceContext.getUserPrincipal returns "ANONYMOUS" when using mutual authentication

Question

I'm creating a web service (and test client) that uses mutual authentication. I've used this guide to create a CA and key/trust stores but instead of creating .p12 files for clients, I've used the "SETTING UP YOUR WEB SERVER" section to create a keystore for each client that I need to authenticate.

The server-side code is trivial and should return the name of the authenticated user:

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

@WebService()
public class ListProducts {

  @Resource WebServiceContext context;

  @WebMethod(operationName = "listProducts")
  public String listProducts() {
    return context.getUserPrincipal().toString();
  }
}

Whilst the client code looks like:

  System.getProperties().setProperty("javax.net.trustStore", "C:\\NetBeansProjects\\security-client\\client.jks");
  System.getProperties().setProperty("javax.net.trustStorePassword", "changeit");
  System.getProperties().setProperty("javax.net.keyStore", "C:\\NetBeansProjects\\security-client\\client.jks");
  System.getProperties().setProperty("javax.net.keyStorePassword", "changeit");

  ListProductsService lps = new ListProductsService();
  ListProducts lp = lps.getListProductsPort();

  System.out.println(lp.listProducts());

The security part of my web.xml file looks like this:

<security-constraint>
    <display-name>HTTPS</display-name>
    <web-resource-collection>
        <web-resource-name>All</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <description>Force HTTPS</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

Just in case it helps, I'm deploying to GlassFish and I've used the Admin Console to set the SSL Network Listener to use SSL3, TLS and Client Authentication and filled in the relevant key store and trust store and set PKIX as the trust algorithm.

The problem is that the output from the client is ANONYMOUS. What I really want is the user info that's printed in the certificate (e.g. CN=Joe Bloggs, OU=Some Org Unit, O=Some Org, L=AnyTown, ST=AnyState, C=US)

Looking through the MessageContext object that is also returned, the other fields seem to be populated correctly so I'm wondering why the security information isn't being captured. I'm confident that there is SSL handshaking going on because when I use the -Djavax.net.debug=ssl,handshake the messages logged seem fine (plus, if I point the client to another keystore it falls over). Any ideas?

Answer 1

I took a different approach and got everything to work (finally). You can see the detail in this answer. The short story is that the authentication I've used in the question is too high level for Java to be able to access it at the Web Service level.