UsersRolesLoginModule AND CLIENT-CERT (desperately)
skyfalke May 26, 2004 2:10 AM
Hello there.
I wonder what happened to my topic that I posted yesterday (25.)!?!
But that is not the major problem I am struggling with. The past days I made several desperate efforts to use mutual authentication via certificates.
The SSL handshake works so far - no problem here. But I need to use the content of the client-certificate which is sent to the server for more specific authorization with role-based information from property files (UsersRolesLoginModule).
Here are some snippets of the current project:
- the connector in the jboss-service.xml of the built-in Tomcat:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    address="${jboss.bind.address}" port="8443" scheme="https" secure="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
        keystoreFile=".../server.ks" keystorePass="keystorepass"
        clientAuth="true" protocol="TLS"/>
</Connector>
As you see the attribute "clientAuth" is set to "true".
- the application's deployment descriptor (web.xml):
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Default</realm-name>
</login-config>
The web module itself should use client-certificate-based authentication for the resources specified in the security-constraint element.
I use the UsersRolesLoginModule which is declared in conf/login-config.xml. And I suppose that the problem starts right there.
What I try to do is use client certificates combined with security roles. Therefore I specify usernames and the associated roles within users.properties and roles.properties, respectively. But I am not sure how to name the users.
-> My first try was to use the "common name" of the certificate (e.g. "client1").
-> Secondly I tried the complete "distinguished name" (e.g. "cn\=client1,ou\=org_unit,o\=org,l\=city,st\=state,c\=de")
As you can easily guess neither the first nor the second attempt was successful.
Maybe the UsersRolesLoginModule is not capable of extracting data from the certificate. What about the database login module if property files cannot be used?
The internet does not seem to have an answer for this problem. ;o( So please help...
A huge THX in advance
Matthias Falkenberg aka skyfalke.
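The naming question in the post comes down to one thing: the key in users.properties must be byte-for-byte the string the realm uses as the principal name, and a subject DN can be rendered in several formats. The following is an added example (not code from the post or from JBoss) that builds the same X500Principal a container would get from the certificate subject, prints the candidate formats, and lets java.util.Properties do the escaping instead of typing "cn\=client1,..." by hand. The DN values and role names are constructed samples; which format JBoss actually passes as the principal name is not stated in the post and is treated here as an assumption to verify by printing the principal on the server side.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Properties;
import javax.security.auth.x500.X500Principal;

public class CertPrincipalNames {

    // Constructed sample subject, modelled on the DN in the post.
    static final String SUBJECT_DN =
        "CN=client1, OU=org_unit, O=org, L=city, ST=state, C=de";

    public static void main(String[] args) throws Exception {
        X500Principal subject = new X500Principal(SUBJECT_DN);

        // One subject, three legal string forms. Only one of them will equal
        // the principal name the realm hands to the login module.
        System.out.println("RFC2253:   " + subject.getName(X500Principal.RFC2253));
        System.out.println("RFC1779:   " + subject.getName(X500Principal.RFC1779));
        System.out.println("CANONICAL: " + subject.getName(X500Principal.CANONICAL));

        // Assumption for this example: the realm uses the RFC 2253 form.
        String principalName = subject.getName(X500Principal.RFC2253);

        // Let Properties.store() escape '=', ':' and spaces in the key;
        // letter case is preserved exactly as in principalName.
        Properties users = new Properties();
        users.setProperty(principalName, "");   // value column: placeholder, see note below
        Properties roles = new Properties();
        roles.setProperty(principalName, "Manager,Auditor");   // constructed sample roles

        StringWriter usersOut = new StringWriter();
        users.store(usersOut, "users.properties as written by Properties.store()");
        StringWriter rolesOut = new StringWriter();
        roles.store(rolesOut, "roles.properties as written by Properties.store()");
        System.out.print(usersOut);
        System.out.print(rolesOut);

        // Reload the file text and look the principal up the way a
        // properties-backed module would.
        Properties reloaded = new Properties();
        reloaded.load(new StringReader(rolesOut.toString()));
        System.out.println("RFC2253 key found:   " + reloaded.containsKey(principalName));
        // The hand-typed lower-case key from the post loads as the CANONICAL
        // string, so it only matches if the realm used that form.
        String handTyped = "cn=client1,ou=org_unit,o=org,l=city,st=state,c=de";
        System.out.println("hand-typed key found: " + reloaded.containsKey(handTyped));
    }
}
```

The value column of users.properties is what UsersRolesLoginModule compares against the credential it receives; with CLIENT-CERT that credential is the certificate chain rather than a typed password, so a string lookup alone does not establish trust in the certificate, and the chain must still be checked against the connector's truststore.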