2 Replies Latest reply on Jun 1, 2008 5:56 AM by borgman.martin

    Combining BaseCertLoginModule with LdapExtLoginModule doesn'

    borgman.martin

      On the following wiki page http://wiki.jboss.org/wiki/BaseCertLoginModule you'll find the following example:

      <application-policy name="jmx-console">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="securityDomain">java:/jaas/jmx-console</module-option>
          </login-module>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">jmx-console-users.properties</module-option>
            <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>
      

      As the text states, the user is authenticated using his certificate, and the rest of his principal object is populated by the UsersRolesLoginModule (the UsersRolesLoginModule adds the authenticated user's roles).

      This trick unfortunately doesn't work with the LdapExtLoginModule. The user is properly authenticated by the BaseCertLoginModule, and because of that the LdapExtLoginModule returns successfully without adding the user's roles.

      This is inconsistent.
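
The behaviour described in the post above, as a simplified model added here (not JBoss code and not part of the original post). It assumes, which the post does not state, that the properties-backed module looks roles up by username at commit time while the directory-backed module gathers roles only during its own credential check; all class names and data are hypothetical and constructed.

```python
# Simplified model of password-stacking=useFirstPass. Class names are hypothetical
# and all data is constructed; this is not JBoss code.
ROLE_TABLE = {"admin": ["JBossAdmin"]}
DIRECTORY = {"admin": {"password": "ldap-secret", "roles": ["JBossAdmin"]}}

class StackedModule:
    def __init__(self, shared):
        self.shared, self.user = shared, None

    def login(self, username, credential):
        if "username" in self.shared:       # useFirstPass: identity already set
            self.user = self.shared["username"]
            return True                     # this module's own check is skipped
        if not self.validate(username, credential):
            return False
        self.user = self.shared["username"] = username
        return True

    def roles(self):                        # collected at commit time
        return set()

class CertModule(StackedModule):
    def validate(self, username, credential):
        return credential == "trusted-cert"  # stand-in for certificate validation

class PropertiesRolesModule(StackedModule):
    # Assumption: roles are looked up by username at commit time.
    def validate(self, username, credential):
        return False                        # no password file in this model
    def roles(self):
        return set(ROLE_TABLE.get(self.user, ()))

class DirectoryRolesModule(StackedModule):
    # Assumption: roles are gathered only while validating the credential.
    found = frozenset()
    def validate(self, username, credential):
        entry = DIRECTORY.get(username)
        if entry is None or entry["password"] != credential:
            return False
        self.found = frozenset(entry["roles"])  # role search happens here
        return True
    def roles(self):
        return set(self.found)

def authenticate(second_module, username="admin", credential="trusted-cert"):
    shared = {}
    stack = [CertModule(shared), second_module(shared)]
    if not all(m.login(username, credential) for m in stack):
        return None                         # a required module failed
    return set().union(*(m.roles() for m in stack))
```

In this model `authenticate(PropertiesRolesModule)` yields the `JBossAdmin` role, while `authenticate(DirectoryRolesModule)` succeeds with an empty role set: an authenticated principal with no authorizations, which is the mismatch the post reports.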