2 Replies Latest reply on Jan 30, 2012 11:20 AM by rodfb

    Client Certificate Authentication Error

    rodfb

      Hi!

      I am using JBoss 6.1.0.

      I have set up JBoss to perform SSL client authentication. Up to a point it works fine: the user tries to log in to the application, the server requests a certificate, the user selects it and sends it to the server. The server gets the cert, calls BaseCertLoginModule and after that my class, which means he/she is logged in and can perform anything in the application. The user can log in and out several times and the browser may or may not present the certificates for selection (that's ok). The logout process performs a "session.invalidate()".

      But if I stop using the application for some minutes, like 10 min., and then try to log in again, the BaseCertLoginModule is not even called and the browser shows a "HTTP Status 401 - Cannot authenticate with the provided credentials" message. If that happens, I can log in again only after rebooting the server. At that moment, no log is generated and even if the browser asks the user to choose a certificate, it doesn't reach the server, apparently.

      Could anyone please help me find out why, after some time, the server doesn't authenticate users anymore?

      I have configured server.xml:

      <Connector port="8443" address="${jboss.bind.address}"
                 protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="1000" strategy="ms" maxHttpHeaderSize="8192"
                 emptySessionPath="true"
                 scheme="https" secure="true" clientAuth="false"
                 keystoreFile="${jboss.server.home.dir}/conf/jboss.keystore" keystorePass="123456"
                 truststoreFile="${jboss.server.home.dir}/conf/jboss.truststore" truststorePass="123456"
                 sslProtocol="TLS"
                 allowUnsafeLegacyRenegotiation="true"
                 allowTrace="true"/>

      jboss-service.xml:

      <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=SecurityDomain">
           <constructor>
                <arg type="java.lang.String" value="sorocaba"/>
           </constructor>
           <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/jboss.keystore</attribute>
           <attribute name="KeyStorePass">123456</attribute>

           <depends>jboss.security:service=JaasSecurityManager</depends>
      </mbean>

      and login-config.xml:

      <application-policy name="sorocaba">
           <authentication>
                <login-module code="br.com.prefeituras.prp.componenteSeguranca.web.frontController.operacao.BaseCertLoginModule" flag="required">
                     <module-option name="securityDomain">java:/jaas/sorocaba</module-option>
                     <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
                </login-module>
           </authentication>
      </application-policy>

      I have also set up web.xml with a <security-constraint> and

      <login-config>
           <auth-method>CLIENT-CERT</auth-method>
      </login-config>

      Thank you.

        • 1. Re: Client Certificate Authentication Error
          jfclere

          Did you try to restart the browser?

          • 2. Re: Client Certificate Authentication Error
            rodfb

            Yes, I tried restarting the browser, using another one, clearing all the cache, everything I could imagine regarding the browser. The only thing that really works is restarting the server. After restarting the browser, it asks the user to select a certificate again.

            I am using org.jboss.security.auth.certs.AnyCertVerifier because I want my class to verify if the user is in my database. So I also tried using my version of the BaseCertLoginModule: I created a MyBaseCertLoginModule (MyBaseCertLoginModule extends AbstractServerLoginModule) which only returns true and does nothing else; all the methods have only one line returning true. I believe that way there wouldn't be any reason for the server not to recognize my user. That's because I can't understand why it behaves that way.

            []s
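The following is an added example (not rodfb's code, nor code from the JBoss project) of the kind of module the last post describes. Rather than an AbstractServerLoginModule whose methods all return true, it extends org.jboss.security.auth.spi.BaseCertLoginModule and overrides validateCredential, the hook that BaseCertLoginModule.login() calls with the alias and the X509Certificate the connector received, so the "is this user in my database" decision lives in one place. The class name, the package, the hard-coded subject list standing in for the database lookup and the role name "usuario" are assumptions. Overriding validateCredential replaces the default check, which is where the configured verifier (here AnyCertVerifier) would be consulted; trust in the certificate chain itself is established earlier, during the TLS handshake against the connector's truststoreFile.

```java
package example.security; // hypothetical package, not the poster's

import java.security.acl.Group;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.BaseCertLoginModule;

/**
 * Hypothetical login module for CLIENT-CERT authentication.
 *
 * The TLS layer has already matched the presented certificate against the
 * connector's truststore; this module only decides whether the certificate's
 * subject is a known application user and which roles that user receives.
 */
public class KnownUserCertLoginModule extends BaseCertLoginModule {

    // Constructed stand-in for the database the poster wants to consult.
    private static final Set<String> KNOWN_SUBJECTS = new HashSet<String>(Arrays.asList(
            "CN=alice,OU=Example,O=Example Org,C=BR"));

    /**
     * Called by BaseCertLoginModule.login() once a certificate has been obtained.
     * Returning false makes login() throw a LoginException, so every branch
     * that cannot positively identify a user fails closed.
     */
    @Override
    protected boolean validateCredential(String alias, X509Certificate cert) {
        if (cert == null) {
            return false; // no certificate presented: never treat as authenticated
        }
        try {
            cert.checkValidity(); // reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            return false;
        }
        String subjectDn = cert.getSubjectX500Principal().getName();
        return isKnownUser(subjectDn);
    }

    /**
     * Replace with the real lookup (e.g. a query keyed on the subject DN or the
     * issuer + serial number). Any failure of the lookup should also return false.
     */
    protected boolean isKnownUser(String subjectDn) {
        return KNOWN_SUBJECTS.contains(subjectDn);
    }

    /** Every accepted certificate holder gets the application role "usuario" (assumed name). */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("usuario"));
        return new Group[] { roles };
    }
}
```

To use it, the login-module code in login-config.xml would point at example.security.KnownUserCertLoginModule instead of the poster's class; the securityDomain module option stays as it is, and the verifier option becomes irrelevant because validateCredential no longer consults it. The deliberate choice here is that the module never answers "yes" by default: a missing, expired or unknown certificate all produce a LoginException, which is the behaviour a security reviewer would expect from the gatekeeper between the TLS handshake and the application.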