3 Replies Latest reply on Jul 2, 2012 5:43 AM by pratik.pai

    BaseCertLoginModule and UsersRolesLoginModule

    maheshkudva
    maheshkudva Dec 13, 2005 10:10 AM

      Hi

      I am running JBoss 4.0.3. Trying to have Client Certificate authentication, here are the configs and steps that I followed

      jboss-service.xml
      ---------------------

      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
 name="jboss.security:service=SecurityDomain">
 <constructor>
 <arg type="java.lang.String" value="webapp"/>
 </constructor>
 <attribute name="KeyStoreURL">${jboss.server.home.dir}/.keystore</attribute>
 <attribute name="KeyStorePass">changeit</attribute>
 <depends>jboss.security:service=JaasSecurityManager</depends>
 </mbean>


      webapp.war/WEB-INF/web.xml:
      ---------------------------------------- 
       <security-constraint>
 <web-resource-collection>
 <web-resource-name>webapp</web-resource-name>
 <url-pattern>/*</url-pattern>
 <http-method>GET</http-method>
 <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
 <role-name>user</role-name>
 </auth-constraint>
 </security-constraint>

 <login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>Web Application</realm-name>
 </login-config>

 <security-role>
 <role-name>user</role-name>
 </security-role>
</web-app>


      webapp.war/WEB-INF/jboss-web.xml:
      ------------------------------------------- 
      <jboss-web>
 <security-domain>java:/jaas/webapp</security-domain>
</jboss-web>


      conf/login-config.xml
      ------------------------ 
       <application-policy name = "webapp">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
 flag = "required">
 <module-option name="password-stacking">useFirstPass</module-option>
 <module-option name="securityDomain">java:/jaas/webapp</module-option>
 </login-module>
 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
 flag = "required">
 <module-option name="password-stacking">useFirstPass</module-option>
 <module-option name="rolesProperties">webapp-roles.properties</module-option>
 </login-module>
 </authentication>
 </application-policy>


      conf/webapp-roles.properties
      --------------------------------- 
      CN\=measclient,\ OU\=client,\ O\=client,\ ST\=Washington,\ C\=US=user
admin=user


      Import the client certificate as alias
      ----------------------------------------- 
      keytool -import -alias "CN=measclient, OU=client, O=client, ST=Washington, C=US" -file measclient.x509 -truastcacerts


      Also I have imported the signer of the certificate--> CA generated usign the CA.pl utility

      The log file:
      ------------- 
      2005-12-13 20:14:04,743 WARN [org.apache.coyote.http11.Http11Processor] Exception getting SSL Cert
java.net.SocketException: Socket Closed
 at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)
 at java.net.Socket.setSoTimeout(Socket.java:924)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA6275)
 at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:98)
 at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:66)
 at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
 at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1106)
 at org.apache.coyote.Request.action(Request.java:363)
 at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
 at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
 at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
 at java.lang.Thread.run(Thread.java:552)
2005-12-13 20:14:06,052 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] Bad credential for alias=CN=admin, OU=SAD, O=Robosoft, L=Udp, ST=Kar, C=IN
2005-12-13 20:14:06,083 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, CN=admin, OU=SAD, O=Robosoft, L=Udp, ST=Kar, C=IN]
2005-12-13 20:14:06,097 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin]
2005-12-13 20:14:06,101 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=CN=admin, OU=SAD, O=Robosoft, L=Udp, ST=Kar, C=IN



      Any inputs ?? How do I get this working..

      • 2895 Views
      • Tags:
        • 1. Re: BaseCertLoginModule and UsersRolesLoginModule
          maheshkudva
          maheshkudva Dec 13, 2005 10:16 AM (in response to maheshkudva)

          Sorry there is some correction in the log file
          ----------

          2005-12-13 20:14:04,743 WARN [org.apache.coyote.http11.Http11Processor] Exception getting SSL Cert
java.net.SocketException: Socket Closed
 at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)
 at java.net.Socket.setSoTimeout(Socket.java:924)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA6275)
 at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:98)

 at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:66)
 at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)

 at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1106)
 at org.apache.coyote.Request.action(Request.java:363)
 at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134
)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11P
rotocol.java:744)
 at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
 at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
 at java.lang.Thread.run(Thread.java:552)
2005-12-13 20:14:06,052 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] Bad credential for alias=CN=measclient, OU=client, O=client, ST=Washington, C=US
2005-12-13 20:14:06,083 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[user, CN=measclient, OU=client, O=client, ST=Washington, C=US]
2005-12-13 20:14:06,097 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[user]
2005-12-13 20:14:06,101 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=CN=measclient, OU=client, O=client, ST=Washington, C=US


            • Actions
          • 2. Re: BaseCertLoginModule and UsersRolesLoginModule
            maheshkudva
            maheshkudva Dec 31, 2005 9:16 AM (in response to maheshkudva)

            Hi

            I got it working.

            There had been some problem with the certificates

            Reagrds
            Mahesh

              • Actions
            • 3. Re: BaseCertLoginModule and UsersRolesLoginModule
              pratik.pai
              pratik.pai Jul 2, 2012 5:43 AM (in response to maheshkudva)

              Hi Mahesh,

               

              Even i am facing the same problem while using BaseCertLoginModule.... The error is somewhat similar to you....

               

              2012-07-02 14:53:09,943 INFO  [STDOUT] (http-192.168.3.94-8080-1) %% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]

              2012-07-02 14:53:09,944 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, WRITE: TLSv1 Application Data, length = 323

              2012-07-02 14:53:09,944 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, READ: TLSv1 Application Data, length = 323

              2012-07-02 14:53:09,945 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-192.168.3.94-8443-1) Security checking request POST /authquery/status

              2012-07-02 14:53:09,945 DEBUG [org.apache.catalina.realm.RealmBase] (http-192.168.3.94-8443-1)   Checking constraint 'SecurityConstraint[TransactionStatus]' against POST /status --> true

              2012-07-02 14:53:09,945 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-192.168.3.94-8443-1)  Calling hasUserDataPermission()

              2012-07-02 14:53:09,945 DEBUG [org.apache.catalina.realm.RealmBase] (http-192.168.3.94-8443-1)   User data constraint already satisfied

              2012-07-02 14:53:09,950 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, WRITE: TLSv1 Application Data, length = 270

              2012-07-02 14:53:09,950 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, WRITE: TLSv1 Application Data, length = 19

              2012-07-02 14:53:09,951 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, WRITE: TLSv1 Application Data, length = 18

              2012-07-02 14:53:09,984 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-192.168.3.94-8443-1)  Calling authenticate()

              2012-07-02 14:53:09,984 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/authquery]] (http-192.168.3.94-8443-1)  Looking up certificates

              2012-07-02 14:53:09,994 DEBUG [org.jboss.security.auth.spi.DatabaseCertLoginModule] (http-192.168.3.94-8443-1) Bad credential for alias=CN=Maurizio Nagni, OU=BADC, O=STFC, L=Harwell, ST=Oxfordshire, C=UK

              2012-07-02 14:53:09,994 DEBUG [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/authquery]] (http-192.168.3.94-8443-1)   Realm.authenticate() returned false

              2012-07-02 14:53:09,994 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-192.168.3.94-8443-1)  Failed authenticate() test

              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, WRITE: TLSv1 Application Data, length = 1267

              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, READ: TLSv1 Application Data, length = 270

              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, READ: TLSv1 Application Data, length = 1267

              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, READ: TLSv1 Application Data, length = 19

              2012-07-02 14:53:09,996 INFO  [STDOUT] (http-192.168.3.94-8443-1) http-192.168.3.94-8443-1, READ: TLSv1 Application Data, length = 18

              2012-07-02 14:53:09,998 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, called close()

              2012-07-02 14:53:09,998 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1, called closeInternal(true)

              2012-07-02 14:53:09,998 INFO  [STDOUT] (http-192.168.3.94-8080-1) http-192.168.3.94-8080-1

               

              Would be great if you help me with this...Thanks in advance..

               

              Regards,

              Pratik Pai.

                • Actions