1 Reply Latest reply on May 6, 2010 9:09 PM by kevintsmith

    Using container's JAAS configuration: SSL with client-cert, LDAP, etc.

    aleksandarradulovic
      Dear all,

      I am trying without success to configure my seam application to use JAAS configuration defined within login-config.xml.

      The idea is to use SSL (with client certificate authentication) to authenticate users and LdapLoginModule to authorize them, i.e. to fetch their roles. Just to mention that all this works fine with Web Services.

      I have configured my server - jboss 4.2.3 to support SSL and I have configured default http and https ports of my seam app to 8080 and 8443, respectively.

      When I try to access my web app using browser, I am automatically redirected to protected URL and it all works fine.

      Still I am not able to reference the identity, roles, etc. from within my seam components and pages - and I doubt that seam uses the mentioned JAAS configuration at all...


      Here follow details of the configuration I have made so far:



      _components.xml_

      <security:identity jaas-config-name="SslWebSecurity"></security:identity>


      _login-config.xml_


      <application-policy name="SslWebSecurity">
          <authentication>
              <!-- first module: authenticate with the client certificate presented during the SSL handshake -->
              <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
                  <module-option name="password-stacking">useFirstPass</module-option>
                  <module-option name="securityDomain">java:/jaas/SslWebSecurity</module-option>
                  <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
              </login-module>
              <!-- second module: look up the user's roles in LDAP -->
              <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                  <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                  <module-option name="java.naming.provider.url">ldap://testsrv.company.com:389</module-option>
                  <module-option name="java.naming.security.authentication">none</module-option>
                  <module-option name="java.naming.security.principal">cn=Manager,DC=COMPANY,DC=COM</module-option>
                  <module-option name="java.naming.security.credentials">secret</module-option>
                  <module-option name="allowEmptyPasswords">true</module-option>
                  <module-option name="principalDNSuffix">,DC=COMPANY,DC=COM</module-option>
                  <module-option name="rolesCtxDN">ou=Roles,DC=COMPANY,DC=COM</module-option>
                  <module-option name="uidAttributeID">member</module-option>
                  <module-option name="matchOnUserDN">true</module-option>
                  <module-option name="roleAttributeID">cn</module-option>
                  <module-option name="roleAttributeIsDN">false</module-option>
              </login-module>
          </authentication>
      </application-policy>


      _pages.xml_

      <pages http-port="8080"
             https-port="8443">

          <!-- every view is served over https, so the client certificate is always requested -->
          <page view-id="*" scheme="https"/>

      </pages>


      I expect to have the user automatically authenticated (and authorized) by JBOSS, then used by the seam application without any programming effort done by me. Am I wrong?

      I have been trying to find a solution without any success.

      Seam community, thank you in advance :-)

      Aleksandar
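The application-policy in the post combines a certificate module with an LDAP module, and a few of its options deserve a look before the setup goes beyond a test server. The following is an added example, not code from the post or from JBoss: a small Python review script that parses a login-config.xml policy and reports the settings that weaken it (the `AnyCertVerifier`, which accepts any certificate inside the login module so that trust rests entirely on the connector's truststore; bind credentials sent over plain `ldap://`; and `allowEmptyPasswords=true`). The embedded XML is the post's own policy trimmed to the options the checks inspect.

```python
import xml.etree.ElementTree as ET

# Sample input: the SslWebSecurity policy from the post, trimmed to the
# options the review looks at (constructed for this example).
LOGIN_CONFIG = """<policy>
<application-policy name="SslWebSecurity">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="securityDomain">java:/jaas/SslWebSecurity</module-option>
      <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://testsrv.company.com:389</module-option>
      <module-option name="java.naming.security.principal">cn=Manager,DC=COMPANY,DC=COM</module-option>
      <module-option name="java.naming.security.credentials">secret</module-option>
      <module-option name="allowEmptyPasswords">true</module-option>
    </login-module>
  </authentication>
</application-policy>
</policy>"""


def parse_policies(xml_text):
    """Map each application-policy name to its list of (module code, {option: value})."""
    root = ET.fromstring(xml_text)
    policies = {}
    for pol in root.iter("application-policy"):
        modules = []
        for lm in pol.iter("login-module"):
            opts = {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
            modules.append((lm.get("code", ""), opts))
        policies[pol.get("name")] = modules
    return policies


def review_policy(modules):
    """Return the weak settings found in one policy's login-module chain."""
    findings = []
    for code, opts in modules:
        if code.endswith("BaseCertLoginModule") and opts.get("verifier", "").endswith("AnyCertVerifier"):
            findings.append("AnyCertVerifier: login module accepts any certificate; trust rests on the connector truststore")
        if code.endswith("LdapLoginModule"):
            if opts.get("java.naming.provider.url", "").startswith("ldap://") and opts.get("java.naming.security.credentials"):
                findings.append("LDAP bind credentials sent over plaintext ldap://")
            if opts.get("allowEmptyPasswords", "false").lower() == "true":
                findings.append("allowEmptyPasswords=true: LDAP bind with an empty password is permitted")
    return findings


if __name__ == "__main__":
    for name, modules in parse_policies(LOGIN_CONFIG).items():
        print(name, review_policy(modules))
```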