0 Replies Latest reply on Jan 17, 2013 2:48 AM by mforward_cn

    CertLoginModule from OpenLDAP???

    mforward_cn

      standalone.xml:

                      <security-domain name="test" cache-type="default">
                          <authentication>
                              <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                                  <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                              </login-module>
                          </authentication>
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>

                      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                          <ssl name="jbossweb-ssl" password="123456" certificate-key-file="/root/ca/keys/serverkey.pem" verify-client="require" certificate-file="/root/ca/certs/server.cer" ca-certificate-file="/root/ca/certs/ca.cer"/>
                      </connector>


      web.xml in my test app:

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>test</web-resource-name>
                  <url-pattern>/*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>users</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
          <login-config>
              <auth-method>CLIENT-CERT</auth-method>
              <realm-name>test</realm-name>
          </login-config>
          <security-role>
              <role-name>users</role-name>
          </security-role>


      server.log:

      15:29:59,959 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) initialize
      15:29:59,961 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) Security domain: test
      15:29:59,964 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) securityDomain=other
      15:29:59,980 ERROR [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) The JSSE security domain other is not valid. All authentication using this login module will fail!
      15:29:59,988 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: initialize(Subject, CallbackHandler, Map, Map)
      15:29:59,991 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) enter: login()
      15:29:59,995 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) login
      15:29:59,998 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) enter: getAliasAndCert()
      15:30:00,000 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: getAliasAndCert()
      15:30:00,006 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) enter: validateCredentail(String, X509Certificate)
      15:30:00,011 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) Validating cert using: org.jboss.security.auth.certs.AnyCertVerifier@1db4c43
      15:30:00,014 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) The supplied certificate matched the certificate in the keystore.
      15:30:00,017 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: validateCredentail(String, X509Certificate)
      15:30:00,020 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) User 'EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN' authenticated, loginOk=true
      15:30:00,025 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: login()
      15:30:00,027 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) commit, loginOk=true
      15:30:00,036 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) defaultLogin, lc=javax.security.auth.login.LoginContext@1c3d34b, subject=Subject(20114663).principals=org.jboss.security.SimplePrincipal@6254292(EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN)org.jboss.security.SimpleGroup@23410971(CallerPrincipal(members:EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN))
      15:30:00,067 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) updateCache, inputSubject=Subject(20114663).principals=org.jboss.security.SimplePrincipal@6254292(EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN)org.jboss.security.SimpleGroup@23410971(CallerPrincipal(members:EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN)), cacheSubject=Subject(17387626).principals=org.jboss.security.SimplePrincipal@6254292(EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN)org.jboss.security.SimpleGroup@23410971(CallerPrincipal(members:EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN))
      15:30:00,095 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@69adc7
      15:30:00,104 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) End isValid, true
      15:30:00,119 TRACE [org.jboss.security.SecurityRolesAssociation] (http-cas-192.168.0.111-8443-1) Setting threadlocal:null


      When I visit the test app:

      https://xx.xx.xx.xx:8443/test/

      HTTP Status 403 - Access to the requested resource has been denied

      type Status report
      message Access to the requested resource has been denied
      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

      JBoss Web/7.0.13.Final

      Can anybody help me!!!!!! Thanks in advance!!!!
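Editor's note and example, added here; it is not part of the post above and not a reply from the thread. Two things in the trace explain the 403. First, `securityDomain=other` followed by `The JSSE security domain other is not valid` means the login module was given no `securityDomain` option, fell back to `other`, and found no JSSE keystore configuration there. Login still succeeds because `AnyCertVerifier` accepts every certificate without consulting a keystore (the `matched the certificate in the keystore` line is printed even though no keystore was loaded), so the only check the client certificate actually receives is the one JBoss Web does on the connector: `verify-client="require"` against `ca-certificate-file`. Second, the cached Subject carries a `SimplePrincipal` and a `CallerPrincipal` group and nothing else. `BaseCertLoginModule` assigns no roles, so there is no `Roles` group, the `<auth-constraint>` requiring `users` is not satisfied, and the container answers 403 after a successful login. The security domain below is an example configuration written for this note, not the poster's, that adds a `<jsse>` section and replaces `BaseCertLoginModule` with `CertRolesLoginModule`, which extends it and reads roles from a properties file. The truststore path and password, the `file:` URL form, and the `roles.properties` location are assumptions.

```xml
<!-- Added example configuration (editor's, not the poster's).
     Assumed: /root/ca/keys/truststore.jks is a JKS truststore holding ca.cer,
     its password is "changeit", and roles.properties sits in
     ${jboss.server.config.dir}. Everything else follows the post. -->
<security-domain name="test" cache-type="default">
    <authentication>
        <!-- CertRolesLoginModule extends BaseCertLoginModule: same certificate
             handling, plus a Roles group filled from rolesProperties.
             BaseCertLoginModule alone returns no roles, so the "users"
             auth-constraint in web.xml can never be satisfied. -->
        <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <!-- Names the security domain whose <jsse> keystores the module
                 loads. Without it the module falls back to "other" and logs
                 "The JSSE security domain other is not valid". -->
            <module-option name="securityDomain" value="test"/>
            <!-- AnyCertVerifier accepts every certificate without consulting
                 the keystore; the only check left is the connector's
                 verify-client="require" against ca.cer. Remove this option to
                 require instead that the presented certificate equals the one
                 stored in the keystore under the principal name as alias. -->
            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
            <!-- principal name (the DN as logged) -> comma-separated roles -->
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
        </login-module>
    </authentication>
    <authorization>
        <policy-module code="Delegating" flag="required"/>
    </authorization>
    <!-- Java keystores, not the PEM files the https connector uses.
         With AnyCertVerifier these only need to load; nothing is checked
         against them. -->
    <jsse keystore-password="changeit" keystore-url="file:///root/ca/keys/truststore.jks"
          truststore-password="changeit" truststore-url="file:///root/ca/keys/truststore.jks"/>
</security-domain>
```

The assumed truststore can be built from the post's CA certificate with `keytool -importcert -alias ca -file /root/ca/certs/ca.cer -keystore /root/ca/keys/truststore.jks -storepass changeit`. The key in `roles.properties` must be the principal name exactly as the trace prints it, with `=` and spaces escaped because it is a Java properties file, and with non-Latin-1 characters written as `\u` escapes; for the user in the trace that is `EMAILADDRESS\=client1@xajob.com,\ CN\=client1,\ OU\=\u4FE1\u606F\u4E2D\u5FC3,\ O\=\u9655\u897F\u7701\u4EBA\u624D\u4EA4\u6D41\u670D\u52A1\u4E2D\u5FC3,\ ST\=\u9655\u897F,\ C\=CN=users`. After a successful login the trace should then show a second `SimpleGroup` named `Roles` containing `users`, which is what the `Delegating` policy module checks against the `<auth-constraint>`.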