0 Replies Latest reply on Dec 30, 2010 2:55 AM by richardvanduijn

    Certificate authentication with username password login module question

    richardvanduijn

      Hi all,


      I'm currently working on a security configuration of JBoss 5 whose goal is to:


      1. Authenticate and determine roles based on the provided client certificate
      2. Further authenticate the user by asking for a username and password.


      Basically the certificate is to determine the group which the remote user belongs to. To enable this we issued one certificate for each group. But our application requires (due to licensing etc.) to restrict certain groups from having more than 'X' simultaneous active (logged in) users.

      To achieve this we first used an extended DataBaseCertLoginModule which keeps track of the currently active certificates. But soon we noticed that a certificate does not discriminate between different users (if they use the same certificate). Please correct me if I'm wrong here! The loginModule does not get called if another user logs in with the same certificate, and thus does not allow me to check if the maximum number of users is reached.


      Well to avoid this problem we thought of adding a UserNamePassword LoginModule. But somehow this module uses the principalId from the certificate as principal (:userName) in this module. And this is something we do not want, as we want the user to provide a username+password combination.


      So after a long introduction, my question(s) are:

      1. Is there a way to ensure that the certificate login discriminates between different remote users, when using the same certificate?
      2. Or, when that is not possible, can we configure the usernamePassWord Loginmodule to NOT use the principalId from the certificate?


      Many thanks for your answers and help!


      Richard