4 Replies Latest reply on May 3, 2016 1:49 AM by nickarls

    Mapping client certificate to role

    nickarls

      Combatting my SmartCard here again (WF10). I've cranked up logging when accessing a protected domain and I see

      10:40:03,534 TRACE [org.jboss.security] (default task-7) PBOX00288: Properties file file:C:\Java\AS\wildfly-10.0.0.Final\standalone\configuration/app-roles.properties loaded, users: [admin, CN=Firstname]
      10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00239: End initialize method
      10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00240: Begin login method
      10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00240: Begin login method
      10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00240: Begin login method
      10:40:03,536 TRACE [org.jboss.security] (default task-7) PBOX00252: Begin getAliasAndCert method
      10:40:03,537 TRACE [org.jboss.security] (default task-7) PBOX00253: Found certificate, serial number: cafebabe, subject DN: CN=Firstname Lastname, SURNAME=LastName, GIVENNAME=FirstName, SERIALNUMBER=666, C=FI
      10:40:03,537 TRACE [org.jboss.security] (default task-7) PBOX00255: End getAliasAndCert method
      10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00256: Begin validateCredential method
      10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00257: Validating certificate using verifier class org.jboss.security.auth.certs.AnyCertVerifier
      10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00260: End validateCredential method, result: true
      10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00241: End login method, isValid: true
      10:40:03,539 TRACE [org.jboss.security] (default task-7) PBOX00241: End login method, isValid: true
      10:40:03,539 TRACE [org.jboss.security] (default task-7) PBOX00242: Begin commit method, overall result: true
      10:40:03,543 TRACE [org.jboss.security] (default task-7) PBOX00210: defaultLogin, login context: <snip>
      10:40:03,544 TRACE [org.jboss.security] (default task-7) PBOX00207: updateCache, input subject: <snip>
      10:40:03,546 TRACE [org.jboss.security] (default task-7) PBOX00208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@731fb1c3
      10:40:03,547 TRACE [org.jboss.security] (default task-7) PBOX00201: End isValid, result = true
      10:40:03,561 TRACE [org.jboss.security] (default task-7) PBOX00354: Setting security roles ThreadLocal: null

      So as I'm interpreting it, the login was successful but no roles were mapped. In my app-roles.properties I have

      CN\=Firstname Lastname, SURNAME\=Lastname, GIVENNAME\=Firstname, SERIALNUMBER\=666, C\=FI=JBossAdmin

      and in web.xml I have

      <security-constraint>
        <display-name>Secure</display-name>
        <web-resource-collection>
          <web-resource-name>admin</web-resource-name>
          <description />
          <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <description />
          <role-name>JBossAdmin</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>client_cert_domain</realm-name>
      </login-config>
      <security-role>
        <description />
        <role-name>JBossAdmin</role-name>
      </security-role>

      How come the subject doesn't get the role? Is there some subtle formatting error in my properties file?

      Thanks in advance,

      Nik
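An added example, not part of the thread and not WildFly code, showing how java.util.Properties tokenizes the app-roles.properties line quoted in the post: a key ends at the first unescaped '=', ':' or whitespace character, so the line as written registers only the user CN=Firstname, which is what the users list in the trace shows. It assumes the roles file is read with standard Properties semantics, and lets Properties.store() produce the escaping for the full subject DN rather than guessing it by hand.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Properties;

public class RolesPropertiesCheck {
    // Lookup key the role mapping would be searched with: the subject DN from the trace.
    static final String SUBJECT_DN =
        "CN=Firstname Lastname, SURNAME=Lastname, GIVENNAME=Firstname, SERIALNUMBER=666, C=FI";

    // Constructed input: the app-roles.properties line exactly as shown in the post.
    static final String AS_POSTED =
        "CN\\=Firstname Lastname, SURNAME\\=Lastname, GIVENNAME\\=Firstname, SERIALNUMBER\\=666, C\\=FI=JBossAdmin";

    // Parse one properties line with the java.util.Properties rules:
    // the key stops at the first unescaped '=', ':' or whitespace character.
    static Properties load(String line) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(line));
        return p;
    }

    // Have Properties.store() escape a DN key itself (it backslash-escapes spaces, '=', ':' ,'#' and '!'
    // in keys), so the line round-trips through load() with the whole DN as the key.
    static String canonicalLine(String key, String value) throws IOException {
        Properties p = new Properties();
        p.setProperty(key, value);
        StringWriter out = new StringWriter();
        p.store(out, null);
        for (String l : out.toString().split("\\R")) {
            if (!l.startsWith("#")) {
                return l;            // skip the timestamp comment store() writes first
            }
        }
        throw new IllegalStateException("store() produced no entry");
    }

    public static void main(String[] args) throws IOException {
        Properties posted = load(AS_POSTED);
        System.out.println("keys as posted : " + posted.stringPropertyNames());
        System.out.println("role for DN    : " + posted.getProperty(SUBJECT_DN));

        String fixed = canonicalLine(SUBJECT_DN, "JBossAdmin");
        System.out.println("escaped line   : " + fixed);
        Properties reloaded = load(fixed);
        System.out.println("role for DN    : " + reloaded.getProperty(SUBJECT_DN));
    }
}
```

Comparing the two printed key sets against the users list in the PBOX00288 trace line is a quick way to confirm whether a DN-keyed roles entry has been parsed whole.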