I'm upgrading from version 4.2.3 to 5.1.0 and I'm having trouble getting SSL client authentication and JAAS to work correctly.
My session beans are annotated as:
{code:java}
@Stateless
@SecurityDomain("ClientCertDomain")
@WebContext(
    transportGuarantee = "CONFIDENTIAL",
    authMethod = "CLIENT-CERT"
)
{code}
My login-config.xml contains the following entry:
{code:xml}
<application-policy name="ClientCertDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseCertLoginModule"
                  flag="sufficient">
      <module-option name="securityDomain">ClientCertDomain</module-option>
      .....
    </login-module>
  </authentication>
</application-policy>
{code}
Invocations of the web service fail with:
{noformat}faultString: (401)Unauthorized{noformat}
The logs indicate that the security domain specified in the stateless session bean is "".
{noformat}Application Policy not obtained for domain=. Trying to obtain the App policy for the default domain of the layer:WEB{noformat}
This is apparently related to this bug: https://jira.jboss.org/jira/browse/JBAS-7037
However, I cannot get the workaround to work.
Is the best course of action to attempt to update the jars in the JBoss 5.1.0 distribution?
Or is there another/better way to configure client cert based authorization?
(We can't use WS-Security yet, our clients don't support it.)