3 Replies Latest reply on Oct 19, 2007 3:48 PM by anil.saldhana

    mapping principals with digital certificates

    oconesa

      We have configured JAAS to authenticate users using digital certificates and roles stored in a database. It works fine, but we have a problem with the "Principal".

      By default, when you use a digital certificate in JAAS, the Principal is the "DN:Distinguished Name" of the user certificate. But we want to map this Principal to another, simpler one like "user1", because the DN is a long text.

      In the login-config.xml we use:

      <application-policy name = "app1">

      <login-module code = "org.jboss.security.auth.spi.DatabaseCertLoginModule"
      flag = "required">
      <module-option name = "password-stacking">useFirstPass</module-option>
      <module-option name = "securityDomain">java:/jaas/jmx-console</module-option>
      <module-option name = "verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
      <module-option name = "dsJndiName">java:/MySqlDS</module-option>
      <module-option name = "rolesQuery">SELECT Role, 'Roles' FROM Roles WHERE ID=?</module-option>
      </login-module>

      </application-policy>

        • 1. Re: mapping principals with digital certificates
          anil.saldhana

           <!-- The JAAS based authentication and authorization realm implementation
           that is compatible with the jboss 3.2.x realm implementation.
           - certificatePrincipal : the class name of the
           org.jboss.security.auth.certs.CertificatePrincipal impl
           used for mapping X509[] cert chains to a Principal.
           - allRolesMode : how to handle an auth-constraint with a role-name=*,
           one of strict, authOnly, strictAuthOnly
           + strict = Use the strict servlet spec interpretation which requires
           that the user have one of the web-app/security-role/role-name
           + authOnly = Allow any authenticated user
           + strictAuthOnly = Allow any authenticated user only if there are no
           web-app/security-roles
           -->
           <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
           certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
           allRolesMode="authOnly"
           />

          server.xml - Realm

          I think you need an implementation of CertificatePrincipal

          • 2. Re: mapping principals with digital certificates
            oconesa

            thanks, I supposed that the solution is related to "CertificatePrincipal" and RealMap. But I am looking for an example of how to map a CN or a DN with a login name.

            For example:
            DN="CN=John Smith, O=IBM, C=US", and I need that "Principal = jsmith".

            My real problem is that the DNs of my users are really complex.

            • 3. Re: mapping principals with digital certificates
              anil.saldhana

              You will need to provide an implementation of the CertificatePrincipal interface.
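              An added example (not code from this thread or from JBoss) of what such an implementation could look like for the "CN=John Smith, O=IBM, C=US" to "jsmith" mapping asked about in reply 2. It assumes the JBoss 4.x org.jboss.security.auth.certs.CertificatePrincipal interface with its single mapping method (the method name is assumed as written in the comment), and the class name ShortNameCertificatePrincipal is made up; the class would be named in the Realm's certificatePrincipal attribute shown in reply 1 instead of SubjectDNMapping.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.certs.CertificatePrincipal;

/**
 * Maps the client certificate's subject DN to a short login name, e.g.
 * "CN=John Smith, O=IBM, C=US" becomes the principal "jsmith". Whether the
 * certificate is trusted is not decided here; that is the job of the SSL
 * truststore and the login module's verifier.
 */
public class ShortNameCertificatePrincipal implements CertificatePrincipal {
    // Method name as declared in the JBoss 4.x interface (assumed; check it
    // against the CertificatePrincipal class in your jbosssx jar).
    public Principal toPrinicipal(X509Certificate[] certs) {
        if (certs == null || certs.length == 0)
            throw new IllegalArgumentException("no client certificate presented");
        // certs[0] is the end-entity certificate; the rest is the issuer chain.
        String dn = certs[0].getSubjectX500Principal().getName();
        String cn = commonName(dn);
        if (cn == null)
            throw new IllegalArgumentException("subject DN has no CN: " + dn);
        return new SimplePrincipal(shortName(cn));
    }

    /** Returns the CN attribute of an RFC 2253 DN, or null if there is none. */
    static String commonName(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType()))
                    return rdn.getValue().toString();
            return null;
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("unparsable subject DN: " + dn, e);
        }
    }

    /** "John Smith" -> "jsmith"; a one-word CN is used as-is in lower case. */
    static String shortName(String cn) {
        String[] words = cn.trim().split("\\s+");
        if (words.length < 2)
            return words[0].toLowerCase();
        return (words[0].charAt(0) + words[words.length - 1]).toLowerCase();
    }
}
```

              The principal name produced here is what the login module's rolesQuery receives as the ID parameter, so the Roles table must be keyed by the short names, and the derivation must be unique across all issued certificates: two CNs that shorten to the same name would share one set of roles.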