5 Replies Latest reply on Dec 2, 2003 12:36 PM by jarno

    user always successfully authenticated with CLIENT-CERT

    sbrunot

      Hi,

      I'm using Apache 2.0.48 with mod_ssl and mod_jk2 in front of JBoss 3.2.2 (I'm using the embedded Tomcat servlet container with the Coyote JK connector).

      Apache is handling the SSL communication with the client, which provides an X509 certificate. I can see in my web app that the certificate is correctly transmitted to JBoss, as I can access it in the request.

      When I set my web app client authentication mode to CLIENT-CERT, my client is automatically authenticated (whatever the LoginModule is), and isUserInRole() on any role (even a role that is not declared in web.xml) always returns true (!).

      Anyone got the same problem? Is this a bug?

        • 1. Re: user always successfully authenticated with CLIENT-CERT
          jarno

          I've seen the same problem although in another authentication mode. The reason was that the security-domain wasn't specified in the jboss-web.xml.

          It seemed quite a weird behaviour as it should default to the "other" login-context, shouldn't it?

          • 2. Re: user always successfully authenticated with CLIENT-CERT
            jarno

            I checked it from the sources to give a more precise explanation. The web application will be linked to NullSecurityManager in org.jboss.web.AbstractWebContainer#linkSecurityDomain(String, Context) if the security-domain is not specified. NullSecurityManager allows login with any credentials and always returns true from doesUserHaveRole().

            I'd rather see AbstractWebContainer define the default security-domain as java:/jaas/[realm], where [realm] would be the realm specified in web.xml. Additionally, I'd like to see the JBoss default configuration associate the login-context "other" with NoneShallPassLoginModule. This would reduce the risk of a misconfiguration that would allow anyone access to confidential data.

            • 3. Re: user always successfully authenticated with CLIENT-CERT
              sbrunot

              Hi, and thanks for your help...

              Here is an extract from my login-config.xml (entire file attached with this post):

              <!-- Configuration for ApacheClientCert web app -->
              <application-policy name = "clientCert">
                  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                                flag = "required" />
              </application-policy>

              And here is the content of my jboss-web.xml:

              <?xml version="1.0" encoding="UTF-8"?>
              <jboss-web>
                  <!-- use of the "testCert" security domain -->
                  <security-domain>java:/jaas/clientCert</security-domain>
              </jboss-web>

              Do you see any problem?

              • 4. Re: user always successfully authenticated with CLIENT-CERT
                didi1976

                Hi,

                I have written my own LoginModule which checks the Certificate. I am not using an Apache in front of my JBoss.

                The CN of the certificate is used to generate a SimplePrincipal.

                I have only tested it with JBoss 3.2.1 and there it does the job for me.

                Hope that helps,
                Didi

                • 5. Re: user always successfully authenticated with CLIENT-CERT
                  jarno

                  The problem has already been solved. The jboss-web.xml was in the wrong directory and therefore the NullSecurityManager was used.
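The two failure modes described in this thread (no security-domain in jboss-web.xml, and a jboss-web.xml that sits outside WEB-INF so the container never reads it) both silently bind the web app to NullSecurityManager. The following is an added deployment check, not code from JBoss or from anyone in this thread: it opens a WAR, verifies that WEB-INF/jboss-web.xml exists and names a java:/jaas/ domain, and confirms that domain is defined as an application-policy in login-config.xml. The sample WAR contents and the login-config.xml fragment are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

JBOSS_WEB_PATH = "WEB-INF/jboss-web.xml"   # the only path the container reads
JAAS_PREFIX = "java:/jaas/"

# Constructed sample login-config.xml, modelled on the policy quoted in the thread.
LOGIN_CONFIG = b"""<policy>
  <application-policy name="clientCert">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required"/>
    </authentication>
  </application-policy>
</policy>"""

def policies_in_login_config(login_config_xml):
    """Names of every <application-policy> declared in a login-config.xml."""
    return {p.get("name") for p in ET.fromstring(login_config_xml).iter("application-policy")}

def audit_war(war_bytes, login_config_xml):
    """Return a list of findings; an empty list means the WAR is bound to a real domain."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = set(war.namelist())
        if JBOSS_WEB_PATH not in names:
            misplaced = [n for n in names if n.endswith("jboss-web.xml")]
            msg = f"no {JBOSS_WEB_PATH}; container falls back to NullSecurityManager"
            findings.append(msg + (f" (found at {misplaced})" if misplaced else ""))
            return findings
        root = ET.fromstring(war.read(JBOSS_WEB_PATH))
    node = root.find("security-domain")
    domain = (node.text or "").strip() if node is not None else ""
    if not domain:
        findings.append("jboss-web.xml has no <security-domain>; NullSecurityManager will be used")
    elif not domain.startswith(JAAS_PREFIX):
        findings.append(f"security-domain {domain!r} is not a {JAAS_PREFIX} JNDI name")
    elif domain[len(JAAS_PREFIX):] not in policies_in_login_config(login_config_xml):
        findings.append(f"policy {domain[len(JAAS_PREFIX):]!r} not defined in login-config.xml")
    return findings

def build_war(files):
    """Build a constructed in-memory WAR from a {path: bytes} dict (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in files.items():
            z.writestr(path, content)
    return buf.getvalue()
```

Run it against every WAR in the deploy directory before enabling CLIENT-CERT constraints; any non-empty result means the app's roles are not being checked at all.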