Mapping client certificate to role
nickarls May 2, 2016 3:52 AM
Combating my SmartCard here again (WF10). I've cranked up logging when accessing a protected domain and I see
10:40:03,534 TRACE [org.jboss.security] (default task-7) PBOX00288: Properties file file:C:\Java\AS\wildfly-10.0.0.Final\standalone\configuration/app-roles.properties loaded, users: [admin, CN=Firstname]
10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00239: End initialize method
10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00240: Begin login method
10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00240: Begin login method
10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00240: Begin login method
10:40:03,536 TRACE [org.jboss.security] (default task-7) PBOX00252: Begin getAliasAndCert method
10:40:03,537 TRACE [org.jboss.security] (default task-7) PBOX00253: Found certificate, serial number: cafebabe, subject DN: CN=Firstname Lastname, SURNAME=LastName, GIVENNAME=FirstName, SERIALNUMBER=666, C=FI
10:40:03,537 TRACE [org.jboss.security] (default task-7) PBOX00255: End getAliasAndCert method
10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00256: Begin validateCredential method
10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00257: Validating certificate using verifier class org.jboss.security.auth.certs.AnyCertVerifier
10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00260: End validateCredential method, result: true
10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00241: End login method, isValid: true
10:40:03,539 TRACE [org.jboss.security] (default task-7) PBOX00241: End login method, isValid: true
10:40:03,539 TRACE [org.jboss.security] (default task-7) PBOX00242: Begin commit method, overall result: true
10:40:03,543 TRACE [org.jboss.security] (default task-7) PBOX00210: defaultLogin, login context: <snip>
10:40:03,544 TRACE [org.jboss.security] (default task-7) PBOX00207: updateCache, input subject: <snip>
10:40:03,546 TRACE [org.jboss.security] (default task-7) PBOX00208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@731fb1c3
10:40:03,547 TRACE [org.jboss.security] (default task-7) PBOX00201: End isValid, result = true
10:40:03,561 TRACE [org.jboss.security] (default task-7) PBOX00354: Setting security roles ThreadLocal: null
So as I'm interpreting it, the login was successful but no roles were mapped. In my app-roles.properties I have
CN\=Firstname Lastname, SURNAME\=Lastname, GIVENNAME\=Firstname, SERIALNUMBER\=666, C\=FI=JBossAdmin
and in web.xml I have
<security-constraint>
    <display-name>Secure</display-name>
    <web-resource-collection>
        <web-resource-name>admin</web-resource-name>
        <description />
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description />
        <role-name>JBossAdmin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>client_cert_domain</realm-name>
</login-config>
<security-role>
    <description />
    <role-name>JBossAdmin</role-name>
</security-role>
How come the subject doesn't get the role? Is there some subtle formatting error in my properties file?
Thanks in advance,
Nik
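The PBOX00288 line in the log above reports the loaded user list as [admin, CN=Firstname], which is the first clue worth checking: java.util.Properties, the parser behind properties-backed login modules, ends a key at the first unescaped space, '=' or ':', so only escaped '=' signs are not enough to keep a DN with spaces together as one key. The program below is an added example (not from the original post or from WildFly) that feeds two versions of the app-roles.properties line through Properties.load and prints the key and value each one yields; the DN and role strings are copied from the post as constructed sample input, and the class and method names are the example's own.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

/*
 * Added example: shows how java.util.Properties splits a role-mapping line
 * whose key is a certificate DN. Class and method names are hypothetical;
 * the DN and role strings are constructed from the values in the post.
 */
public class RoleKeyCheck {

    // Line as written in the post: '=' is escaped, the spaces are not.
    static final String UNESCAPED_SPACES =
        "CN\\=Firstname Lastname, SURNAME\\=Lastname, GIVENNAME\\=Firstname, SERIALNUMBER\\=666, C\\=FI=JBossAdmin";

    // Same mapping with every space escaped as "\ ", so the whole DN stays one key.
    static final String ESCAPED_SPACES =
        "CN\\=Firstname\\ Lastname,\\ SURNAME\\=Lastname,\\ GIVENNAME\\=Firstname,\\ SERIALNUMBER\\=666,\\ C\\=FI=JBossAdmin";

    /** Loads a single properties line exactly as Properties.load would read it from a file. */
    static Properties load(String line) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(line));
        return p;
    }

    /** Prints every key/value pair the parser produced for the given line. */
    static void show(String label, String line) throws IOException {
        Properties p = load(line);
        System.out.println(label);
        for (String key : p.stringPropertyNames()) {
            System.out.println("  key   = [" + key + "]");
            System.out.println("  value = [" + p.getProperty(key) + "]");
        }
    }

    public static void main(String[] args) throws IOException {
        // First line: key stops at the space after "Firstname", matching the
        // "users: [admin, CN=Firstname]" entry in the TRACE log.
        show("spaces unescaped:", UNESCAPED_SPACES);
        // Second line: key is the complete DN and the value is the role name.
        show("spaces escaped:", ESCAPED_SPACES);

        // Look up the principal name string the role lookup would use.
        String dn = "CN=Firstname Lastname, SURNAME=Lastname, GIVENNAME=Firstname, SERIALNUMBER=666, C=FI";
        System.out.println("role with unescaped line: " + load(UNESCAPED_SPACES).getProperty(dn)); // null
        System.out.println("role with escaped line:   " + load(ESCAPED_SPACES).getProperty(dn));   // JBossAdmin
    }
}
```

Run it with `javac RoleKeyCheck.java && java RoleKeyCheck`. The lookup in the last two lines is a plain string comparison, so the escaped key only helps if it matches, character for character and case-sensitively, the principal name the login module derives from the certificate; comparing the loaded key against the subject DN printed in the PBOX00253 log line is the quickest way to confirm that.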