0 Replies Latest reply on Sep 4, 2011 4:49 PM by Gunnar Hilling

    Is it generally safe to use AnyCertVerifier in the CertRolesLoginModule?

    Gunnar Hilling Newbie

      Hi,

       

      I am just setting up a JBoss 6 AS for a customer. A web-app (actually it's a webservice-app) will be deployed. Client shall authenticate via x.509. During setup I had problems configuring the certificate verification in the BaseCertLoginModule or CertRolesLoginModule (which are actually nearly identical). After some investigation I decided that actually I probably don't need the Cert Verification on this level anyway because I have my Tomcat configured to check for valid certificates when setting up the ssl connection.

      So I configured the AnyCertVerifier in the LoginModule so I'll accept any certificate and only do the Roles Checking in the module.

      Now I'm just wondering why I would use the "standard" loginModule verifier anyway? Doing the Role-Checking in the default way (by mapping from the DN of the certificate to the roles) combined with the certificate checking in tomcat should be just what I want?

       

      Would be nice if someone could share some additional experience here.

       

      Regards,

       

      Gunnar