1. Re: CLIENT-CERT and authorization rules
tim.penhey Oct 17, 2002 6:16 PM (in response to shorero)
If you are writing a custom login module, and you want to get access to the principal and credentials, then you want to create a SecurityAssociationCallback. I think it is in the package org.jboss.security.auth.callback. You can call it by doing the following in the initialize method:
SecurityAssociationCallback sac = new SecurityAssociationCallback();
Callback[] callbacks = {sac};
try {
    callbackHandler.handle(callbacks);
    principal = sac.getPrincipal();
    // the credential comes back as an Object; for CLIENT-CERT it is the
    // certificate chain, so fetch it and cast it to the certificate class:
    // X509Certificate[] chain = (X509Certificate[]) sac.getCredential();
    log.trace("principal: " + principal);
}
catch (Exception e) {
    log.error("callback failed: ", e);
}
where principal is a private Principal object.
Tim
2. Re: CLIENT-CERT and authorization rules
shorero Oct 18, 2002 9:27 AM (in response to shorero)
Thank you very much for the help.
3. Re: CLIENT-CERT and authorization rules
shorero Oct 19, 2002 12:33 PM (in response to shorero)
OK, I've done some poking around in the code. If I'm following things correctly, turning on CLIENT-CERT causes an instance of class ClientCertAuthenticator to get control at some point -- haven't figured out exactly how this happens, and not sure I care. Class ClientCertAuthenticator calls an instance of interface UserRealm, passing the distinguished name from the cert as the principal and the cert chain as the credential. It appears that class JbossUserRealm is the implementation of UserRealm used to interface Jboss with Jetty. However, the copy of JbossUserRealm that I'm looking at handles only a String credential -- it won't work if the credential object is anything else.
Am I incorrect about the processing flow, or am I going to have to generalize JbossUserRealm to get CLIENT-CERT processing to work correctly?
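As an added example (not code from either poster, nor from JBoss or Jetty themselves), here is a complete custom LoginModule that follows Tim's SecurityAssociationCallback approach from post 1 and, for the credential-type problem shorero raises in post 3, accepts the credential only when it arrives as an X509Certificate[] chain rather than a String password. It assumes org.jboss.security.auth.callback.SecurityAssociationCallback exposes getPrincipal() and getCredential(); the package name example.auth and the class name ClientCertLoginModule are placeholders.

```java
package example.auth; // hypothetical package

import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;
import org.jboss.security.auth.callback.SecurityAssociationCallback;

/**
 * Hypothetical login module for CLIENT-CERT: pulls the principal and the
 * certificate chain out of the SecurityAssociationCallback and only
 * succeeds when the credential really is a certificate chain.
 */
public class ClientCertLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private X500Principal identity;   // subject DN taken from the leaf cert
    private boolean loginOk;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }

    public boolean login() throws LoginException {
        if (callbackHandler == null) {
            throw new LoginException("no CallbackHandler available");
        }
        SecurityAssociationCallback sac = new SecurityAssociationCallback();
        try {
            callbackHandler.handle(new Callback[] { sac });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        Principal principal = sac.getPrincipal();   // DN the authenticator passed
        Object credential = sac.getCredential();    // Object, type depends on authenticator

        // A String credential means a password-style login reached this module;
        // a CLIENT-CERT module should refuse it instead of treating it as a cert.
        if (credential instanceof String) {
            throw new FailedLoginException("password credential not accepted here");
        }
        if (!(credential instanceof X509Certificate[])) {
            throw new FailedLoginException("unsupported credential type: "
                + (credential == null ? "null" : credential.getClass().getName()));
        }
        X509Certificate[] chain = (X509Certificate[]) credential;
        if (chain.length == 0) {
            throw new FailedLoginException("empty certificate chain");
        }
        X509Certificate leaf = chain[0];
        // The TLS layer has already checked the chain against its trust store;
        // re-checking the validity window here guards against a stale session.
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            throw new FailedLoginException("client certificate not valid: " + e.getMessage());
        }
        identity = leaf.getSubjectX500Principal();

        // Cross-check: the DN handed over as the principal must be the cert's subject.
        if (principal != null) {
            try {
                if (!new X500Principal(principal.getName()).equals(identity)) {
                    throw new FailedLoginException("principal does not match certificate subject");
                }
            } catch (IllegalArgumentException e) {
                throw new FailedLoginException("principal is not a parsable DN");
            }
        }
        loginOk = true;
        return true;
    }

    public boolean commit() {
        if (loginOk) {
            subject.getPrincipals().add(identity);
        }
        return loginOk;
    }

    public boolean abort() {
        identity = null;
        loginOk = false;
        return true;
    }

    public boolean logout() {
        if (identity != null) {
            subject.getPrincipals().remove(identity);
        }
        return true;
    }
}
```

The point of the instanceof checks is exactly the gap shorero describes: a realm or module that blindly casts the credential to String fails for CLIENT-CERT, and one that blindly casts to a certificate array fails for password logins, so the module inspects the runtime type and rejects anything it was not written to handle.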