4 Replies Latest reply on Oct 19, 2009 7:31 AM by Hans Wolffenbuttel

    BaseCertLoginModule Does Not Work?

    Hans Wolffenbuttel Expert

      I changed the org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule to org.jboss.security.auth.spi.BaseCertLoginModule just to see if i can get the authentication working.

      I have placed the following application-policy in login-config.xml:

       <application-policy name = "CertLogin">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
       flag = "required">
       <module-option name="password-stacking">false</module-option>
       <module-option name="securityDomain">java:/jaas/CertLogin</module-option>
       <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="password-stacking">false</module-option>
       <module-option name="usersProperties">props/certlogin-users.properties</module-option>
       <module-option name="rolesProperties">props/certlogin-roles.properties</module-option>
       </login-module>
       </authentication>
       </application-policy>
      


      When authentication takes place a few things go wrong:

      - The name of the Certificate Should be the value of CN but it's the complete dname value => "CN=test, OU=test, O=test, L=test, ST=test, C=NL".
      - If do not declare a org.jboss.security.auth.certs.AnyCertVerifier (always true) for my Certificate validation, the validation uses the dname as an alias to get a Certificate from my Truststore. Because an alias is not the same as a dname this never returns a Certificate from my Truststore. So my Certificate is never valid this way.

      Am I using the classes the wrong way? Or is this the same issue as the problem with the org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule?

      Regards,

      Hans

        • 1. Re: BaseCertLoginModule Does Not Work?
          Daniel Bevenius Master

          Hi,

          org.jboss.security.auth.spi.BaseCertLoginModule is not provided by JBossESB and this I'm not familiar with how it is expected to work.

          Or is this the same issue as the problem with the org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule?

          This is not the same issue as before. In this case you are configuring a login module just like you would for a web application, the difference being that the web application is generated upon deployment.
          Could you try this login module separate from JBossESB and get it working like you expect and after that try it out in conjunction with the ESB?

          If you can provide an example that I can deploy I'd be happy to take a closer look at this. Just easier and avoids any misunderstandings on what is going on.

          Thanks,

          /Daniel


          • 2. Re: BaseCertLoginModule Does Not Work?
            Hans Wolffenbuttel Expert

            Hi,

            How do I get a deployable version to you?

            Regards,

            Hans

            • 3. Re: BaseCertLoginModule Does Not Work?
              Daniel Bevenius Master

               

              How do I get a deployable version to you?

              Sorry, you can email me using : dbevenius@jboss.com
              It's listed on my user profile but you have to click my user name to see it.

              Thanks,

              /Daniel

              • 4. Re: BaseCertLoginModule Does Not Work?
                Hans Wolffenbuttel Expert

                Hi Daniel,

                Thanx for the assistance!

                The problem was located in the certlogin-users.properties and certlogin-roles.properties. The username should be:
                "CN\=test,\ OU\=test,\ O=\test,\ L=\test,\ ST\=test,\ C\=NL". This means escaping all "," and "=" characters, otherwise the user is not found.

                Also the final configuration looks like this:

                 <application-policy name = "CertLogin">
                 <authentication>
                 <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
                 flag = "required">
                 <module-option name="password-stacking">useFirstPass</module-option>
                 <module-option name="securityDomain">java:/jaas/CertLogin</module-option>
                 <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
                 </login-module>
                 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required">
                 <module-option name="password-stacking">useFirstPass</module-option>
                 <module-option name="defaultUsersProperties">props/certlogin-users.properties</module-option>
                 <module-option name="defaultRolesProperties">props/certlogin-roles.properties</module-option>
                 <module-option name="usersProperties">props/certlogin-users.properties</module-option>
                 <module-option name="rolesProperties">props/certlogin-roles.properties</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>
                


                Regards,

                Hans