Advanced Groups Configuration
Payara Server allows the advanced configuration mapping of a client certificate’s distinguished name (DN) to specific realm groups, which allows the realm to automatically assign groups based on the values of each DN part to all principals registered in the realm.
This feature can be configured by using the dn-parts-used-for-groups
property of any security realm of type com.sun.enterprise.security.auth.realm.certificate.CertificateRealm
. It must define a comma separated list of identifiers of DN parts, i.e. EMAILADDRESS,DC,OU
,
and it is empty by default.
The default empty value means that only content of the assign-groups property value will be used as the list of assigned groups.
|
If both properties are set, a principal who completed the certificate validation will have all groups from both assign-groups
settings.
Not all DN parts are supported. The following is the list of all parts that are supported, categorized by their OIDs:
DN Part | Description | Object ID |
---|---|---|
CN |
Common Name |
2.5.4.3 |
SURNAME |
Surname |
2.5.4.4 |
SERIALNUMBER |
Serial Number of the certificate |
2.5.4.5 |
C |
Country |
2.5.4.6 |
L |
Locality |
2.5.4.7 |
ST |
State |
2.5.4.8 |
STREET |
Street |
2.5.4.9 |
O |
Organisation |
2.5.4.10 |
OU |
Organisation Unit |
2.5.4.11 |
T |
Title |
2.5.4.12 |
GIVENNAME |
Given Name |
2.5.4.42 |
INITIALS |
Initials |
2.5.4.43 |
GENERATION |
Generation |
2.5.4.44 |
DNQUALIFIER |
DN Qualifier |
2.5.4.46 |
UID |
User ID |
0.9.2342.19200300.100.1.1 |
DC |
Domain Component |
0.9.2342.19200300.100.1.25 |
EMAILADDRESS |
E-Mail address |
1.2.840.113549.1.9.1 |
IP |
IP Address |
1.3.6.1.4.1.42.2.11.2.1 |
Payara Server Configuration
Using the Admin Console
This feature can be configured on the default certificate realm with the following steps:
-
Navigate to the applicable configuration page for your use (e.g.
server-config
) under theConfigurations
option in the side menu -
Head to
Security
→Realms
and select thecertificate
realm -
Click the
Add Property
button -
Set the property Name to be
dn-parts-used-for-groups
and set the Value to a comma separated list of OID names.
Using the Asadmin CLI
You can also use the following asadmin command to set the value of the property in the security realm:
asadmin> set configs.config.${YOUR_INSTANCE_CONFIG}.security-service.auth-realm.certificate.property.dn-parts-used-for-groups=EMAILADDRESS,DC,OU
After setting the value of the property, make sure that you restart the server instance for the changes to take effect. |
Keep in mind that the set of DN parts used to configure the realm groups must be predictable to be useful, so be careful to use DN parts that do not create group name collisions. |
Mapping Groups to Security Roles in Applications
After configuring the realm groups, you can map these groups to application roles as you’d do by using the Payara Server specific deployment descriptors. You can even map these roles to principals that are configured as documented in the advanced Principal Name configuration section.
Here’s a quick summary of the authentication and authorization process would work in this scenario:
-
The principal receives principal name as configured (whole DN or only CN part)
-
The principal receives all groups from realm’s
assign-groups
list -
The principal receives all groups from certificate’s DN parts listed in
dn-parts-used-for-groups
realm property (limited to those listed in table) -
The server allows the principal to access the application
-
The client receives all roles from application’s security role mapping, where at least one of his principal names or groups matches their respective element.
-
The security roles are then used for authorization to access application resources
For example, if user roles were mapped like this in the payara-web.xml
deployment descriptor of an application and we
enabled using CN
as a principal name and set the dn-parts-used-for-groups
to OU
:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE payara-web-app PUBLIC "-//Payara.fish//DTD Payara Server 4 Servlet 3.0//EN" "{payaraWebDtd}">
<payara-web-app error-url="">
<context-root>/health-services</context-root>
<security-role-mapping>
<role-name>role1</role-name>
<principal-name>C=UK, S=lak, L=zak, OU=unitA, CN=foo1</principal-name>
<principal-name>C=UK, S=lak, L=zak, OU=unitA, CN=foo2</principal-name>
<principal-name>C=UK, S=lak, L=zak, OU=unitC, CN=foo4</principal-name>
<principal-name>C=UK, S=lak, L=zak, OU=unitD, CN=foo-director</principal-name>
</security-role-mapping>
<security-role-mapping>
<role-name>role2</role-name>
<principal-name>C=UK, S=lak, L=zak, OU=unitB, CN=foo3</principal-name>
<principal-name>C=UK, S=lak, L=zak, OU=unitD, CN=foo-director</principal-name>
</security-role-mapping>
</payara-web-app>
Then the role mapping can be based on organizational unit in this case. But you can still use the principal name as in any normal case:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE payara-web-app PUBLIC "-//Payara.fish//DTD Payara Server 4 Servlet 3.0//EN" "{payaraWebDtd}">
<payara-web-app error-url="">
<context-root>/health-services</context-root>
<security-role-mapping>
<role-name>role1</role-name>
<group-name>unitA</group-name>
<group-name>unitC</group-name>
<group-name>unitD</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>role2</role-name>
<group-name>unitB</group-name>
<principal-name>foo-director</principal-name>
</security-role-mapping>
</payara-web-app>