CertRolesLoginModule cannot find the good SecurityDomain
Within a "client" session bean which should access a "server" secured session bean by certificate, while creating the LoginContext, CertRolesLoginModule.initialize cannot get the good JNDI securityDomain path (which works using a fat client and a var -Djava.security.auth.login.config=C:\jboss\server\default\conf\jaas.config)
default java:/jass/other is taken instead of java/jaas/secureDomain (defined in login-config.xml) and bind to the securityDomain defined in jboss-services.xml
LoginContext lc = null;
UsernamePasswordHandler handler = new UsernamePasswordHandler("test", "test".toCharArray());
//not better with a file path
System.setProperty("java.security.auth.login.config", "http://localhost:8080/jaas.config");
try{
lc = new LoginContext(CONTEXT, handler);
lc.login();
}
catch(javax.security.auth.login.LoginException ex)
{
ex.printStackTrace();
}
<application-policy name= "secureDomain"> <authentication> <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required"> <module-option name="password-stacking">useFirstPass</module-option> <module-option name="securityDomain">java:/jaas/secureDomain</module-option> <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option> </login-module> <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag = "required"> <module-option name="rolesProperties">secureDomain-roles.properties</module-option> <module-option name="roleGroupSeperator">.</module-option> <module-option name="defaultRolesProperties">secureDomain-defaultRoles.properties</module-option> </login-module> </authentication> </application-policy>
jaas.config
secureDomain {
org.jboss.security.auth.spi.CertRolesLoginModule required
debug=true
securityDomain="java:/jaas/secureDomain"
java.naming.factory.initial="org.jnp.interfaces.NamingContextFactory"
java.naming.provider.url="localhost:1099";
};
Stacktrace
15:44:28,105 WARN [BaseCertLoginModule] Don't know how to obtain X509Certificate from: class [C 15:44:28,105 ERROR [CertRolesLoginModule] The domain java:/jaas/other is not a SecurityDomain. All authentication using this module will fail! 15:44:28,125 WARN [CertRolesLoginModule] Don't know how to obtain X509Certificate from: class [C 15:44:28,125 INFO [STDOUT] javax.security.auth.login.LoginException: Don't know how to obtain X509Certificate from: class [C 15:44:28,125 INFO [STDOUT] at org.jboss.security.auth.spi.BaseCertLoginModule.getAliasAndCert(BaseCertLoginModule.java:302) 15:44:28,125 INFO [STDOUT] at org.jboss.security.auth.spi.BaseCertLoginModule.login(BaseCertLoginModule.java:179) 15:44:28,125 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 15:44:28,125 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 15:44:28,125 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 15:44:28,125 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:585) 15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) 15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) 15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) 15:44:28,125 INFO [STDOUT] at java.security.AccessController.doPrivileged(Native Method) 15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) 15:44:28,125 INFO [STDOUT] at javax.security.auth.login.LoginContext.login(LoginContext.java:579) 15:44:28,125 INFO [STDOUT] at com.slb.secure.client.SecureClientSessionBean.callSecureClient(SecureClientSessionBean.java:57) 15:44:28,125 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 15:44:28,125 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 15:44:28,125 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 15:44:28,125 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:585) 15:44:28,125 INFO [STDOUT] at org.jboss.invocation.Invocation.performCall(Invocation.java:345) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:214) 15:44:28,135 INFO [STDOUT] at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:149) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:154) 15:44:28,135 INFO [STDOUT] at org.jboss.webservice.server.ServiceEndpointInterceptor.invoke(ServiceEndpointInterceptor.java:54) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:48) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:106) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:335) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:166) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:153) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:192) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:624) 15:44:28,135 INFO [STDOUT] at org.jboss.ejb.Container.invoke(Container.java:873) 15:44:28,135 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 15:44:28,135 INFO [STDOUT] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 15:44:28,135 INFO [STDOUT] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 15:44:28,135 INFO [STDOUT] at java.lang.reflect.Method.invoke(Method.java:585) 15:44:28,135 INFO [STDOUT] at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141) 15:44:28,135 INFO [STDOUT] at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80) 15:44:28,135 INFO [STDOUT] at org.jboss.mx.server.Invocation.invoke(Invocation.java:72) 15:44:28,135 INFO [STDOUT] at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245) 15:44:28,135 INFO [STDOUT] at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644) 15:44:28,135 INFO [STDOUT] at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:155) 15:44:28,135 INFO [STDOUT] at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:104) 15:44:28,135 INFO [STDOUT] at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:179) 15:44:28,135 INFO [STDOUT] at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:165) 15:44:28,135 INFO [STDOUT] at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46) 15:44:28,135 INFO [STDOUT] at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:55) 15:44:28,135 INFO [STDOUT] at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:97) 15:44:28,135 INFO [STDOUT] at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:86) 15:44:28,135 INFO [STDOUT] at $Proxy55.callSecureClient(Unknown Source) 15:44:28,135 INFO [STDOUT] at org.apache.jsp.gateway_jsp._jspService(org.apache.jsp.gateway_jsp:95) 15:44:28,135 INFO [STDOUT] at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97) 15:44:28,135 INFO [STDOUT] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810) 15:44:28,135 INFO [STDOUT] at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:322) 15:44:28,135 INFO [STDOUT] at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314) 15:44:28,135 INFO [STDOUT] at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264) 15:44:28,135 INFO [STDOUT] at javax.servlet.http.HttpServlet.service(HttpServlet.java:810) 15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252) 15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) 15:44:28,135 INFO [STDOUT] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81) 15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202) 15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) 15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) 15:44:28,135 INFO [STDOUT] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178) 15:44:28,135 INFO [STDOUT] at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39) 15:44:28,135 INFO [STDOUT] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:159) 15:44:28,135 INFO [STDOUT] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59) 15:44:28,145 INFO [STDOUT] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126) 15:44:28,145 INFO [STDOUT] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) 15:44:28,145 INFO [STDOUT] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107) 15:44:28,145 INFO [STDOUT] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) 15:44:28,145 INFO [STDOUT] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) 15:44:28,145 INFO [STDOUT] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744) 15:44:28,145 INFO [STDOUT] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527) 15:44:28,145 INFO [STDOUT] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112) 15:44:28,145 INFO [STDOUT] at java.lang.Thread.run(Thread.java:595)
<application-policy name= "secureDomain"> <authentication> <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required"> <module-option name="password-stacking">useFirstPass</module-option> <module-option name="securityDomain">java:/jaas/secureDomain</module-option> <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option> <!-- <module-option name="verifier">com.slb.secure.CustomCertVerifier</module-option> --> </login-module> <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag = "required"> <module-option name="rolesProperties">secureDomain-roles.properties</module-option> <module-option name="roleGroupSeperator">.</module-option> <module-option name="defaultRolesProperties">secureDomain-defaultRoles.properties</module-option> </login-module> </authentication> </application-policy>
If anybody has an idea of how to get the good domain...
thx
