0 Replies Latest reply on Mar 9, 2010 12:41 PM by dfisher

    Client Cert Authentication in 5.1.0

    dfisher Newbie

      I'm upgrading from version 4.2.3 to 5.1.0 and I'm having trouble getting SSL client authentication and JAAS to work correctly.

      My session beans are annotated as:

       

      {code:java}

      @Stateless
      @SecurityDomain("ClientCertDomain")
      @WebContext(
        transportGuarantee = "CONFIDENTIAL",
        authMethod = "CLIENT-CERT"
      )

      {code}

       

      My login-config.xml contains the following entry:

      {code:xml}

        <application-policy name="ClientCertDomain">
          <authentication>

            <login-module code="org.jboss.security.auth.spi.DatabaseCertLoginModule"
                          flag="sufficient">
              <module-option name="securityDomain">ClientCertDomain</module-option>

              .....
            </login-module>

          </authentication>
        </application-policy>

      {code}

       

      Invocations of the web service fail with: faultString: (401)Unauthorized

      The logs indicate that the security domain specified in the stateless session bean is "".

       

      {noformat}Application Policy not obtained for domain=. Trying to obtain the App policy for the default domain of the layer:WEB{noformat}

       

      This is apparently related to this bug: https://jira.jboss.org/jira/browse/JBAS-7037

      However, I cannot get the workaround to work.

       

      Is the best course of action to attempt to update the jars in the JBoss 5.1.0 distribution?

      Or is there another/better way to configure client cert based authorization?

       

      (We can't use WS-Security yet, our clients don't support it.)