-
1. Re: Extract username from client certificate without import
rpa_rio Jun 18, 2005 11:33 AM (in response to rpa_rio)
I followed all steps in http://www.jboss.org/wiki/Wiki.jsp?page=SSLSetup.
Here are the JBoss messages:
2005-06-18 11:08:36,572 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] securityDomain=java:/jaas/NexusAcesso
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] found domain: org.jboss.security.plugins.JaasSecurityDomain
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: initialize(Subject, CallbackHandler, Map, Map)
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] enter: login()
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] enter: getAliasAndCert()
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: getAliasAndCert()
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] enter: validateCredentail(String, X509Certificate)
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule]
Supplied Credential: 42b42915
CN=ClientCert, O=nexus, OU=nexus
Existing Credential: No match for alias: CN=ClientCert, O=nexus, OU=nexus, we have aliases [servercert]
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] The supplied certificate DID NOT match the certificate in the keystore.
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: validateCredentail(String, X509Certificate)
2005-06-18 11:08:36,573 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] Bad credential for alias=CN=ClientCert, O=nexus, OU=nexus
2005-06-18 11:08:36,581 INFO [STDOUT] Padded plaintext before ENCRYPTION: len = 1408
I'm using BaseCertLoginModule and AnyVerifier with DataBaseLoginModule.
-
2. Re: Extract username from client certificate without import
rpa_rio Jun 18, 2005 1:32 PM (in response to rpa_rio)
Maybe I need to write my own LoginModule, or am I wrong? I only need to verify and extract the username to authenticate in JBoss...
-
3. Re: Extract username from client certificate without import
rpa_rio Jun 18, 2005 1:42 PM (in response to rpa_rio)
I checked this too: http://www.jboss.org/wiki/Wiki.jsp?page=UsingCustomPrincpalsWith,
but I have a lot of users with different passwords, and in the client certificate I'll only have the username (or can I have the password too?). How can I set the password to log in successfully?
Please excuse me, I'm a newbie in JAAS with SSL client certificates.
-
4. Re: Extract username from client certificate without import
rpa_rio Jun 18, 2005 9:09 PM (in response to rpa_rio)
Actually Tomcat shows this error in the browser: 'Cannot authenticate with the provided credentials'.
-
5. Re: Extract username from client certificate without import
rpa_rio Jun 18, 2005 10:42 PM (in response to rpa_rio)
I'm using JBoss 4.0.1sp1
-
6. Re: Extract username from client certificate without import
rpa_rio Jun 20, 2005 10:15 AM (in response to rpa_rio)
This is my login-config.xml
<policy>
  <application-policy name="NexusAcesso">
    <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="securityDomain">java:/jaas/NexusAcesso</module-option>
      <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/NexusDS</module-option>
      <module-option name="principalsQuery">SELECT senha FROM usuario WHERE usuario = ?</module-option>
      <module-option name="rolesQuery">SELECT papel, 'Roles' FROM papelusuario WHERE usuario = ?</module-option>
      <module-option name="unauthenticatedIdentity">convidado</module-option>
    </login-module>
  </application-policy>
</policy>
I tried with and without AnyCertVerifier but no success.
-
7. Re: Extract username from client certificate without import
rpa_rio Jun 20, 2005 11:06 AM (in response to rpa_rio)
I updated to JBoss 4.0.2 and the message in the second post disappeared, but the message in the fifth post still appears. I'm using the AnyCertVerifier but I still need to import the client certificate in the truststore.
-
8. Re: Extract username from client certificate without import
rpa_rio Jun 21, 2005 9:50 AM (in response to rpa_rio)
Fixed, the correct one is DatabaseCertLoginModule instead of BaseCertLoginModule + DatabaseServerLoginModule...