3 Replies Latest reply on Jul 2, 2012 5:43 AM by pratik.pai

    BaseCertLoginModule and UsersRolesLoginModule

    maheshkudva

      Hi

      I am running JBoss 4.0.3 and trying to set up client certificate authentication. Here are the configs and steps that I followed:

      jboss-service.xml
      ---------------------

      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=SecurityDomain">
       <constructor>
       <arg type="java.lang.String" value="webapp"/>
       </constructor>
       <attribute name="KeyStoreURL">${jboss.server.home.dir}/.keystore</attribute>
       <attribute name="KeyStorePass">changeit</attribute>
       <depends>jboss.security:service=JaasSecurityManager</depends>
       </mbean>
      


      webapp.war/WEB-INF/web.xml:
      ----------------------------------------
       <web-app>
        <security-constraint>
         <web-resource-collection>
          <web-resource-name>webapp</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
          <role-name>user</role-name>
         </auth-constraint>
        </security-constraint>

        <login-config>
         <auth-method>CLIENT-CERT</auth-method>
         <realm-name>Web Application</realm-name>
        </login-config>

        <security-role>
         <role-name>user</role-name>
        </security-role>
       </web-app>
      


      webapp.war/WEB-INF/jboss-web.xml:
      -------------------------------------------
      <jboss-web>
       <security-domain>java:/jaas/webapp</security-domain>
      </jboss-web>
      


      conf/login-config.xml
      ------------------------
       <application-policy name = "webapp">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
       flag = "required">
       <module-option name="password-stacking">useFirstPass</module-option>
       <module-option name="securityDomain">java:/jaas/webapp</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="password-stacking">useFirstPass</module-option>
       <module-option name="rolesProperties">webapp-roles.properties</module-option>
       </login-module>
       </authentication>
       </application-policy>
      


      conf/webapp-roles.properties
      ---------------------------------
      CN\=measclient,\ OU\=client,\ O\=client,\ ST\=Washington,\ C\=US=user
      admin=user
      


      Import the client certificate as alias
      -----------------------------------------
      keytool -import -alias "CN=measclient, OU=client, O=client, ST=Washington, C=US" -file measclient.x509 -trustcacerts
      


      I have also imported the signer of the certificate, i.e. the CA generated using the CA.pl utility.

      The log file:
      -------------
      2005-12-13 20:14:04,743 WARN [org.apache.coyote.http11.Http11Processor] Exception getting SSL Cert
      java.net.SocketException: Socket Closed
       at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)
       at java.net.Socket.setSoTimeout(Socket.java:924)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA6275)
       at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:98)
       at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:66)
       at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
       at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1106)
       at org.apache.coyote.Request.action(Request.java:363)
       at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
       at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
       at java.lang.Thread.run(Thread.java:552)
      2005-12-13 20:14:06,052 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] Bad credential for alias=CN=admin, OU=SAD, O=Robosoft, L=Udp, ST=Kar, C=IN
      2005-12-13 20:14:06,083 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, CN=admin, OU=SAD, O=Robosoft, L=Udp, ST=Kar, C=IN]
      2005-12-13 20:14:06,097 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin]
      2005-12-13 20:14:06,101 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=CN=admin, OU=SAD, O=Robosoft, L=Udp, ST=Kar, C=IN
      



      Any inputs? How do I get this working?

        • 1. Re: BaseCertLoginModule and UsersRolesLoginModule
          maheshkudva

          Sorry there is some correction in the log file
          ----------

          2005-12-13 20:14:04,743 WARN [org.apache.coyote.http11.Http11Processor] Exception getting SSL Cert
          java.net.SocketException: Socket Closed
           at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)
           at java.net.Socket.setSoTimeout(Socket.java:924)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA6275)
           at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:98)
           at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:66)
           at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
           at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1106)
           at org.apache.coyote.Request.action(Request.java:363)
           at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134)
           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
           at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
           at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
           at java.lang.Thread.run(Thread.java:552)
          2005-12-13 20:14:06,052 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] Bad credential for alias=CN=measclient, OU=client, O=client, ST=Washington, C=US
          2005-12-13 20:14:06,083 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[user, CN=measclient, OU=client, O=client, ST=Washington, C=US]
          2005-12-13 20:14:06,097 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[user]
          2005-12-13 20:14:06,101 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=CN=measclient, OU=client, O=client, ST=Washington, C=US
          


          • 2. Re: BaseCertLoginModule and UsersRolesLoginModule
            maheshkudva

            Hi

            I got it working.

            There had been some problem with the certificates.

            Regards
            Mahesh

            • 3. Re: BaseCertLoginModule and UsersRolesLoginModule
              pratik.pai

              Hi Mahesh,

              Even I am facing the same problem while using BaseCertLoginModule... The error is somewhat similar to yours...

              2012-07-02 14:53:09,943 INFO  [STDOUT] (http-192.168.3.94-8080-1) %% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
              2012-07-02 14:53:09,944 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, WRITE: TLSv1 Application Data, length = 323
              2012-07-02 14:53:09,944 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, READ: TLSv1 Application Data, length = 323
              2012-07-02 14:53:09,945 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-192.168.3.94-8443-1) Security checking request POST /authquery/status
              2012-07-02 14:53:09,945 DEBUG [org.apache.catalina.realm.RealmBase] (http-192.168.3.94-8443-1)   Checking constraint 'SecurityConstraint[TransactionStatus]' against POST /status --> true
              2012-07-02 14:53:09,945 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-192.168.3.94-8443-1)  Calling hasUserDataPermission()
              2012-07-02 14:53:09,945 DEBUG [org.apache.catalina.realm.RealmBase] (http-192.168.3.94-8443-1)   User data constraint already satisfied
              2012-07-02 14:53:09,950 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, WRITE: TLSv1 Application Data, length = 270
              2012-07-02 14:53:09,950 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, WRITE: TLSv1 Application Data, length = 19
              2012-07-02 14:53:09,951 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, WRITE: TLSv1 Application Data, length = 18
              2012-07-02 14:53:09,984 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-192.168.3.94-8443-1)  Calling authenticate()
              2012-07-02 14:53:09,984 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/authquery]] (http-192.168.3.94-8443-1)  Looking up certificates
              2012-07-02 14:53:09,994 DEBUG [org.jboss.security.auth.spi.DatabaseCertLoginModule] (http-192.168.3.94-8443-1) Bad credential for alias=CN=Maurizio Nagni, OU=BADC, O=STFC, L=Harwell, ST=Oxfordshire, C=UK
              2012-07-02 14:53:09,994 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/authquery]] (http-192.168.3.94-8443-1)   Realm.authenticate() returned false
              2012-07-02 14:53:09,994 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-192.168.3.94-8443-1)  Failed authenticate() test
              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, WRITE: TLSv1 Application Data, length = 1267
              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, READ: TLSv1 Application Data, length = 270
              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, READ: TLSv1 Application Data, length = 1267
              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, READ: TLSv1 Application Data, length = 19
              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, READ: TLSv1 Application Data, length = 18
              2012-07-02 14:53:09,998 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, called close()
              2012-07-02 14:53:09,998 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, called closeInternal(true)
              2012-07-02 14:53:09,998 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1

              It would be great if you could help me with this... Thanks in advance.

              Regards,

              Pratik Pai.
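The DEBUG line both posters hit, "Bad credential for alias=<subject DN>", comes from the certificate login module's credential check: the client certificate's subject DN (rendered by the JVM with ", " separators, exactly as it appears in the log) is used as an alias into the security domain's keystore, and the certificate stored under that alias has to be the same certificate the client presented. Only after that check passes does UsersRolesLoginModule, with password-stacking=useFirstPass, look the same DN up in webapp-roles.properties, where a .properties key must escape the '=' and ' ' characters inside the DN. The stand-alone Python below is an added example, not code from the thread or from JBoss: it models those two steps over the configuration from the original post so the failure mode can be reproduced offline. The keystore is a plain dict, the "certificates" are constructed byte strings standing in for DER, and the properties reader is a deliberately minimal one (no line continuations or \uXXXX escapes).

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Subject DN exactly as the JVM rendered it in the thread's DEBUG lines.
CLIENT_DN = "CN=measclient, OU=client, O=client, ST=Washington, C=US"

# Roles file from the original post; '=' and ' ' inside the DN key are escaped.
ROLES_PROPERTIES = r"""
# conf/webapp-roles.properties
CN\=measclient,\ OU\=client,\ O\=client,\ ST\=Washington,\ C\=US=user
admin=user
"""

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
ENROLLED_CERT_DER = b"constructed-der:measclient:serial-01"
REISSUED_CERT_DER = b"constructed-der:measclient:serial-02"  # same DN, new key


def fingerprint(der: bytes) -> str:
    """Short SHA-256 fingerprint for comparing stored vs presented certs."""
    return hashlib.sha256(der).hexdigest()[:16]


def validate_cert_alias(keystore: Dict[str, bytes], alias: str,
                        presented: bytes) -> Tuple[bool, str]:
    """Model of BaseCertLoginModule's credential check: the subject DN is the
    keystore alias, and the stored cert must equal the presented one."""
    stored = keystore.get(alias)
    if stored is None:
        return False, f"Bad credential for alias={alias} (no keystore entry under that alias)"
    if stored != presented:
        return False, (f"Bad credential for alias={alias} (stored "
                       f"{fingerprint(stored)} != presented {fingerprint(presented)})")
    return True, f"alias={alias} matched {fingerprint(stored)}"


def _unescape(s: str) -> str:
    """Drop backslashes, keeping the character each one protects."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_java_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, backslash escapes,
    and the first unescaped '=', ':' or whitespace ends the key."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i = [], 0
        while i < len(line) and line[i] not in "=: \t":
            if line[i] == "\\" and i + 1 < len(line):
                key.append(line[i + 1])  # escaped char is part of the key
                i += 2
            else:
                key.append(line[i])
                i += 1
        while i < len(line) and line[i] in " \t":
            i += 1
        if i < len(line) and line[i] in "=:":
            i += 1
        props["".join(key)] = _unescape(line[i:].lstrip())
    return props


def escape_properties_key(dn: str) -> str:
    """Escape a subject DN so it survives as a .properties key."""
    return "".join(("\\" + c) if c in "\\=: #!" else c for c in dn)


def roles_for(dn: str, props: Dict[str, str]) -> List[str]:
    """UsersRolesLoginModule-style lookup: comma-separated roles per principal."""
    value = props.get(dn)
    return [r.strip() for r in value.split(",")] if value else []


def authenticate(keystore: Dict[str, bytes], roles_text: str, dn: str,
                 presented: bytes) -> Tuple[Optional[List[str]], str]:
    """Both modules are flagged 'required': a failed cert check ends the login."""
    ok, msg = validate_cert_alias(keystore, dn, presented)
    if not ok:
        return None, msg
    return roles_for(dn, parse_java_properties(roles_text)), msg


if __name__ == "__main__":
    keystore = {CLIENT_DN: ENROLLED_CERT_DER}
    print(authenticate(keystore, ROLES_PROPERTIES, CLIENT_DN, ENROLLED_CERT_DER))
    print(authenticate(keystore, ROLES_PROPERTIES, CLIENT_DN, REISSUED_CERT_DER))
    print(authenticate({}, ROLES_PROPERTIES, CLIENT_DN, ENROLLED_CERT_DER))
```

The second and third calls show the two ways to earn "Bad credential for alias=": the alias exists but holds a different certificate (for example one reissued under the same DN, which is consistent with the original poster's "problem with the certificates"), or no entry exists under the exact DN string the JVM printed. When debugging the real thing, compare the alias in the DEBUG line character for character with `keytool -list -v -keystore <the file named in KeyStoreURL>`; note that the keytool command in the original post has no `-keystore` argument, so it writes to keytool's default `~/.keystore` in the invoking user's home, which is only the same file as `${jboss.server.home.dir}/.keystore` if those directories coincide. `escape_properties_key` produces exactly the key form used on the roles line above, which is the safer way to write such keys than escaping by hand.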