I'm trying to set up Hudson in an environment where all the users use certificates. I looked around the archives here, on Nabble, and on Google, but if this is documented somewhere, I think I'm missing it. I'm sure part of the answer to this will be related to Hudson, and some will be specific to my servlet container.

Under Security, I set the Security Realm to "Delegate to servlet container", and I've set the Authorization to "Matrix-based security". I have Hudson deployed in Glassfish. I believe that Hudson has the Anonymous group and the Authorized group (though I don't see much documentation about the latter).

My end goal is to have a user come in with a certificate signed by our CA. The user goes to any Hudson page and is automatically logged in. Their login name is their email as specified in the alt-names section of the cert, not the DN (but getting DN to work would be a good start). The user would have any privileges specified for the Authorized group, but no privileges on specific projects. For each project, individuals could be added and given more permissions using their email address, since that's their login name.

I don't care if people who come in without a certificate end up in the Anonymous group or are completely rejected.

What part of this is Hudson and what part is Glassfish? I assume I'll have to set up some kind of ServletFilter in Glassfish that extracts the email address and does something with it... but what is Hudson expecting to be in the request in order for it to be a valid login? Do I need to add some kind of security constraint to Hudson's web.xml?

Finally, would this be the same in Tomcat? I want to use Glassfish, but Nexus seems to have problems with it.

Edit:

This is being worked on in the Hudson Nabble forum: http://www.nabble.com/How-to-login-to-Hudson-with-a-certificate-td22826800.html

And in the Glassfish forum: http://forums.java.net/jive/thread.jspa?threadID=59925&tstart=0

I'll post again here when we solve it.

+1  A: 

This discussion was taken to http://www.nabble.com/How-to-login-to-Hudson-with-a-certificate-td22826800.html

Kohsuke Kawaguchi
So what's the answer?
erickson