1. Re: user always successfully authenticated with CLIENT-CERT
jarno Nov 27, 2003 3:14 PM (in response to sbrunot)
I've seen the same problem although in another authentication mode. The reason was that the security-domain wasn't specified in the jboss-web.xml.
It seemed quite a weird behaviour as it should default to the "other" login-context, shouldn't it?
2. Re: user always successfully authenticated with CLIENT-CERT
jarno Nov 28, 2003 1:58 AM (in response to sbrunot)
I checked it from the sources to give a more precise explanation. The web application will be linked to NullSecurityManager in org.jboss.web.AbstractWebContainer#linkSecurityDomain(String, Context) if the security-domain is not specified. NullSecurityManager allows login with any credentials and always returns true from doesUserHaveRole().
I'd rather see AbstractWebContainer define the default security-domain as java:/jaas/[realm] where [realm] would be the realm specified in web.xml. Additionally, I'd like to see the JBoss default configuration associate the login-context "other" to NoneShallPassLoginModule. This would reduce the risk of having a misconfiguration that would allow anyone access to confidential data.
3. Re: user always successfully authenticated with CLIENT-CERT
sbrunot Nov 28, 2003 3:03 AM (in response to sbrunot)
Hi, and thanks for your help...
Here is an extract from my login-config.xml (entire file attached with this post):
<!-- Configuration for ApacheClientCert web app -->
<application-policy name = "clientCert">
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag = "required" />
</application-policy>
And here is the content of my jboss-web.xml :
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <!-- use of the "testCert" security domain -->
    <security-domain>java:/jaas/clientCert</security-domain>
</jboss-web>
Do you see any problem?
4. Re: user always successfully authenticated with CLIENT-CERT
didi1976 Dec 2, 2003 10:14 AM (in response to sbrunot)
Hi,
I have written my own LoginModule which checks the Certificate. I am not using an Apache in front of my JBoss.
The CN of the certificate is used to generate a SimplePrincipal.
I have only tested it with JBoss 3.2.1 and there it does the job for me.
Hope that helps,
Didi
5. Re: user always successfully authenticated with CLIENT-CERT
jarno Dec 2, 2003 12:36 PM (in response to sbrunot)
The problem has already been solved. The jboss-web.xml was in the wrong directory and therefore the NullSecurityManager was used.
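The three failure modes raised in this thread (reply 2: no security-domain element; reply 3: the domain name must match an application-policy in login-config.xml; reply 5: jboss-web.xml sitting outside WEB-INF/ so the container never reads it) can all be caught before deployment with a static check. The script below is an added example, not code from the thread or from JBoss; it models a WAR as a dict of entry path to file text, and the descriptors in it are constructed for the demo. The rule that only WEB-INF/jboss-web.xml is consulted, and the NullSecurityManager fallback, are taken from the replies above.

```python
# Added example (not from the thread): static audit of a JBoss 3.2-style WAR
# for the security-domain misconfigurations discussed in this thread.
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"
DESCRIPTOR_PATH = "WEB-INF/jboss-web.xml"  # the only location the container reads

# Constructed sample login-config.xml: one explicit policy, plus the "other"
# catch-all that JBoss ships with.
LOGIN_CONFIG = """<?xml version="1.0"?>
<policy>
  <application-policy name = "clientCert">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required" />
    </authentication>
  </application-policy>
  <application-policy name = "other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag = "required" />
    </authentication>
  </application-policy>
</policy>"""

GOOD_DESCRIPTOR = ("<jboss-web><security-domain>java:/jaas/clientCert"
                   "</security-domain></jboss-web>")

# Constructed WAR layouts (path -> file text); only the security-relevant
# entries are modelled.
GOOD_WAR = {"WEB-INF/web.xml": "<web-app/>", DESCRIPTOR_PATH: GOOD_DESCRIPTOR}
MISPLACED_WAR = {"WEB-INF/web.xml": "<web-app/>", "jboss-web.xml": GOOD_DESCRIPTOR}
NO_DOMAIN_WAR = {"WEB-INF/web.xml": "<web-app/>", DESCRIPTOR_PATH: "<jboss-web/>"}
UNKNOWN_DOMAIN_WAR = {
    "WEB-INF/web.xml": "<web-app/>",
    DESCRIPTOR_PATH: ("<jboss-web><security-domain>java:/jaas/testCert"
                      "</security-domain></jboss-web>"),
}


def audit_war(war_entries, login_config_xml):
    """Return a list of findings; an empty list means the domain binding checks out."""
    findings = []

    # Reply 5: a jboss-web.xml anywhere other than WEB-INF/ is not read by the
    # container, which then behaves exactly as if the file were absent.
    descriptor = war_entries.get(DESCRIPTOR_PATH)
    if descriptor is None:
        misplaced = [p for p in war_entries if p.endswith("jboss-web.xml")]
        where = f" (misplaced copy found at {misplaced[0]!r})" if misplaced else ""
        findings.append(
            f"{DESCRIPTOR_PATH} missing{where}: web app is linked to "
            "NullSecurityManager, so any credentials log in and every "
            "doesUserHaveRole() check returns true"
        )
        return findings

    # Reply 2: no <security-domain> element means the same NullSecurityManager
    # fallback in AbstractWebContainer#linkSecurityDomain.
    domain = (ET.fromstring(descriptor).findtext("security-domain") or "").strip()
    if not domain:
        findings.append("<security-domain> absent or empty: NullSecurityManager fallback")
        return findings
    if not domain.startswith(JAAS_PREFIX):
        findings.append(f"security-domain {domain!r} is not under {JAAS_PREFIX}")
        return findings

    # Reply 3: the JNDI name after java:/jaas/ must name an application-policy
    # in login-config.xml; otherwise the intended login module is never used.
    policy = domain[len(JAAS_PREFIX):]
    defined = {p.get("name")
               for p in ET.fromstring(login_config_xml).iter("application-policy")}
    if policy not in defined:
        findings.append(
            f"no application-policy named {policy!r} in login-config.xml "
            f"(defined: {sorted(defined)})"
        )
    return findings


if __name__ == "__main__":
    for label, war in [("good", GOOD_WAR), ("misplaced", MISPLACED_WAR),
                       ("no-domain", NO_DOMAIN_WAR), ("unknown-domain", UNKNOWN_DOMAIN_WAR)]:
        print(label, audit_war(war, LOGIN_CONFIG) or ["ok"])
```

Run it as-is to see one "ok" and three findings. Against a real deployment, replace the constructed dicts with the entries of the actual WAR (for example via zipfile) and the real login-config.xml, and treat any finding as a hard deployment failure, since each of them means the CLIENT-CERT check silently passes everyone.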