First off, see my comments at http://www.jboss.com/index.html?module=bb&op=viewtopic&t=86289.
SSL vs. CLIENT-CERT authentication are two separate issues.
That said, we would need to see some trace logging of JBoss security at the point when a user attempts to access a secured resource to see what is going on.
Thanks for the link, that clarified a little.
Now I'm wondering - where do I put the certificates (server ones - server.keystore file)? Do I bundle them with the web application or put it in the conf directory (I tried both, with the same effect).
I'm also not sure what "The localhost.keystore would need this cert stored with an alias of CN=unit-tests-client, OU=JBoss Inc., O=JBoss Inc., ST=Washington, C=US and the jmx-console-roles.properties would also need an entry for the same entry." means - from the manual - should I import the client certificate to server.keystore?
Finally, how do you enable trace logging of JBoss Security? I tried adding to log4j.xml:
<category name="org.jboss.security.auth.spi"> <priority value="TRACE"/> </category>
but that didn't help :)
I have read the three pages (the first two I have already read before), but they didn't bring any help. I added
<category name="org.jboss.security"> <priority value="TRACE" class="org.jboss.logging.XLevel"/> </category>
to log4j.xml but still I don't see any logging. Also, I noticed that when I invoke my servlet through https I get "HTTP Status 401 - Cannot authenticate with the provided credentials", and when I invoke it through http I get "HTTP Status 400 - No client certificate chain in this request". I'm still not sure what certificates should be where - files, that is. I assume that server.keystore should contain both server and authorized clients' certificates? And that file should be in /server/all/conf?