I'm currently working on a security configuration of JBoss 5 whose goal is to:
Basically, the certificate is used to determine the group the remote user belongs to. To enable this, we issued one certificate for each group. But our application requires (due to licensing etc.) that certain groups be restricted from having more than 'X' simultaneous active (logged-in) users.
To achieve this we first used an extended DataBaseCertLoginModule which keeps track of the currently active certificates. But soon we noticed that a certificate does not discriminate between different users (if they use the same certificate). Please correct me if I'm wrong here! The login module does not get called if another user logs in with the same certificate, and thus does not allow me to check whether the maximum number of users has been reached.
Well, to avoid this problem we thought of adding a UsernamePassword LoginModule. But somehow this module uses the principalId from the certificate as the principal (:userName) in this module. And this is something we do not want, as we want the user to provide a username+password combination.
So after a long introduction, my question(s) are:
Many thanks for your answers and help!
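The following is an added example (not code from the poster or from JBoss itself) of the per-group concurrency cap the post describes, written as a subclass of JBoss's `org.jboss.security.auth.spi.DatabaseCertLoginModule`. It assumes a module option named `maxActive` (a name chosen here, not a JBoss option), a single JVM so that a static in-memory counter suffices, and that the security domain's authentication cache is disabled or very short: the JaasSecurityManager serves a repeat login for an already-cached principal from its cache, so the login module is never entered for it, which matches the symptom described above. The `initialize` signature follows JBoss 5's `AbstractServerLoginModule` (JBoss 4 used raw `Map`).

```java
package example.security; // hypothetical package, not part of JBoss

import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.spi.DatabaseCertLoginModule;

/**
 * Added example: caps the number of concurrently logged-in users per
 * certificate (i.e. per group, since one certificate is issued per group).
 * Assumes the "maxActive" module option (chosen here), one JVM (a cluster
 * would need the counter in the database), and a disabled/short
 * authentication cache so that login() actually runs for every login.
 */
public class ConcurrencyLimitedCertLoginModule extends DatabaseCertLoginModule {

    /** Active login count per principal name (the certificate subject). */
    private static final ConcurrentHashMap<String, AtomicInteger> ACTIVE =
            new ConcurrentHashMap<String, AtomicInteger>();

    private int maxActive = Integer.MAX_VALUE;
    private String acquiredFor; // principal whose slot this instance holds, if any

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        Object opt = options.get("maxActive"); // hypothetical option name
        if (opt != null) {
            maxActive = Integer.parseInt(opt.toString().trim());
        }
    }

    @Override
    public boolean login() throws LoginException {
        // Let DatabaseCertLoginModule validate the certificate and resolve the
        // principal first; only a certificate that passes consumes a slot.
        if (!super.login()) {
            return false;
        }
        Principal identity = getIdentity();
        String key = identity.getName();
        if (!tryAcquire(key, maxActive)) {
            throw new LoginException("Maximum of " + maxActive
                    + " simultaneous users reached for " + key);
        }
        acquiredFor = key;
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        releaseHeldSlot(); // this module succeeded but the overall login failed
        return super.abort();
    }

    @Override
    public boolean logout() throws LoginException {
        releaseHeldSlot();
        return super.logout();
    }

    private void releaseHeldSlot() {
        if (acquiredFor != null) {
            release(acquiredFor);
            acquiredFor = null;
        }
    }

    /** Atomically take a slot for the group unless the cap is already reached. */
    public static boolean tryAcquire(String key, int max) {
        AtomicInteger counter = ACTIVE.get(key);
        if (counter == null) {
            counter = new AtomicInteger(0);
            AtomicInteger prev = ACTIVE.putIfAbsent(key, counter);
            if (prev != null) {
                counter = prev;
            }
        }
        while (true) {
            int current = counter.get();
            if (current >= max) {
                return false; // cap reached: reject this login
            }
            if (counter.compareAndSet(current, current + 1)) {
                return true;
            }
        }
    }

    /** Give a slot back for the group; the count never goes below zero. */
    public static void release(String key) {
        AtomicInteger counter = ACTIVE.get(key);
        if (counter == null) {
            return;
        }
        while (true) {
            int current = counter.get();
            if (current <= 0 || counter.compareAndSet(current, current - 1)) {
                return;
            }
        }
    }
}
```

The module would be declared in `conf/login-config.xml` as the `login-module` of the security domain, with `maxActive` added next to the usual `DatabaseCertLoginModule` options (`dsJndiName`, `securityDomain`, `rolesQuery`). One caveat a practitioner should plan for: the slot is only returned through `logout()` or `abort()` on the JAAS `LoginContext`, which the web container does not call when an HTTP session merely expires, so in a web deployment an `HttpSessionListener` that calls `release()` for the session's principal (an assumption about how the application is wired, not something the post states) is needed to keep the count from drifting upwards.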