I am just setting up a JBoss 6 AS for a customer. A web app (actually it's a web-service app) will be deployed. Clients shall authenticate via X.509. During setup I had problems configuring the certificate verification in the BaseCertLoginModule or CertRolesLoginModule (which are actually nearly identical). After some investigation I decided that I probably don't need the cert verification on this level anyway, because I have my Tomcat configured to check for valid certificates when setting up the SSL connection.
So I configured the AnyCertVerifier in the LoginModule, so I accept any certificate and only do the role checking in the module.
Now I'm just wondering why I would use the "standard" LoginModule verifier at all. Doing the role checking in the default way (by mapping from the DN of the certificate to the roles), combined with the certificate checking in Tomcat, should be just what I want, shouldn't it?
It would be nice if someone could share some additional experience here.
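The two layers discussed in the question, as an added configuration example (not the poster's own config): the JBoss Web connector that enforces client certificates at the TLS handshake, and the `login-config.xml` policy that maps the certificate DN to roles. The weak setting the question describes (`AnyCertVerifier`) is shown beside the alternative of leaving the `verifier` option out. The difference is what each layer trusts: the connector's `clientAuth="true"` accepts any certificate that chains to an issuer in its truststore, whereas the login module without a custom verifier additionally looks the client certificate up in the truststore of the named `securityDomain` under the alias equal to the principal's DN and requires the stored certificate to match the presented one (this description of the default behaviour is my reading of the module and should be checked against the JBoss version in use). With `AnyCertVerifier`, the role mapping therefore relies entirely on the CA never issuing a second certificate with a mapped DN. All file paths, passwords, domain names and DNs below are placeholders.

```xml
<!-- 1. deploy/jbossweb.sar/server.xml: require a client certificate during the TLS handshake.
     Tomcat checks the chain against client-truststore.jks; anything signed by a trusted CA passes. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true"
           clientAuth="true"
           sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="CHANGE_ME"
           truststoreFile="${jboss.server.home.dir}/conf/client-truststore.jks"
           truststorePass="CHANGE_ME"/>

<!-- 2. conf/login-config.xml: map the certificate DN to roles.
     securityDomain names a JaasSecurityDomain (assumed to be configured separately) whose
     truststore is used by the module's default certificate check. -->
<application-policy name="cert-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag="required">
      <module-option name="securityDomain">java:/jaas/cert-domain</module-option>
      <module-option name="rolesProperties">cert-roles.properties</module-option>

      <!-- Weak setting from the question: the module accepts any certificate the connector let through.
           Remove this option to keep the module's default check (presented certificate must equal the
           certificate stored in the domain's truststore under the DN alias). -->
      <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- 3. WEB-INF/jboss-web.xml: bind the web app to that policy. -->
<jboss-web>
  <security-domain>java:/jaas/cert-domain</security-domain>
</jboss-web>

<!-- 4. WEB-INF/web.xml: ask the container for certificate authentication. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>cert-domain</realm-name>
</login-config>
```

The `cert-roles.properties` file referenced above is keyed by the certificate's subject DN, so the `=` characters inside the DN must be escaped as `\=` in the Java properties syntax (for example `CN\=client1,OU\=services,O\=example=WebServiceUser`, a constructed entry). A quick check of which layer is actually doing the work: present a certificate issued by the trusted CA but not present in the domain's truststore and confirm whether the request is rejected by the connector, by the login module, or not at all.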