0 Replies Latest reply on Jan 17, 2013 2:48 AM by Fanzhen Meng

    CertLoginModule from OpenLdap???

    Fanzhen Meng Newbie

      standlone.xml:

       

                      <security-domain name="test" cache-type="default">

                          <authentication>

                              <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">

                                  <module-option name="password-stacking" value="useFirstPass"/>

                                  <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>

                              </login-module>

                          </authentication>

                          <authorization>

                              <policy-module code="Delegating" flag="required"/>

                          </authorization>

                      </security-domain>

       

       

        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">

                      <ssl name="jbossweb-ssl" password="123456" certificate-key-file="/root/ca/keys/serverkey.pem" verify-client="require" certificate-file="/root/ca/certs/server.cer" ca-certificate-file="/root/ca/certs/ca.cer"/>

                  </connector>

       

       

      web.xml in my test app:

       

      <security-constraint>

              <web-resource-collection>

                  <web-resource-name>test</web-resource-name>

                  <url-pattern>/*</url-pattern>

                  <http-method>GET</http-method>

                  <http-method>POST</http-method>

              </web-resource-collection>

              <auth-constraint>

                  <role-name>users</role-name>

              </auth-constraint>

              <user-data-constraint>

                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>

              </user-data-constraint>

          </security-constraint>

          <login-config>

              <auth-method>CLIENT-CERT</auth-method>

              <realm-name>test</realm-name>

          </login-config>

          <security-role>

              <role-name>users</role-name>

          </security-role>

       

       

      server.log:

       

      15:29:59,959 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) initialize

      15:29:59,961 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) Security domain: test

      15:29:59,964 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) securityDomain=other

      15:29:59,980 ERROR [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) The JSSE security domain other is not valid. All authentication using this login module will fail!

      15:29:59,988 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: initialize(Subject, CallbackHandler, Map, Map)

      15:29:59,991 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) enter: login()

      15:29:59,995 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) login

      15:29:59,998 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) enter: getAliasAndCert()

      15:30:00,000 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: getAliasAndCert()

      15:30:00,006 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) enter: validateCredentail(String, X509Certificate)

      15:30:00,011 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) Validating cert using: org.jboss.security.auth.certs.AnyCertVerifier@1db4c43

      15:30:00,014 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) The supplied certificate matched the certificate in the keystore.

      15:30:00,017 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: validateCredentail(String, X509Certificate)

      15:30:00,020 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) User 'EMAILADDRESS=client1@xajob.com, CN=client1, OU=ä¿¡æ&#129;¯ä¸å¿&#131;, O=é&#153;&#149;西ç&#156;&#129;人æ&#137;&#141;交æµ&#129;æ&#156;&#141;å&#138;¡ä¸å¿&#131;, ST=é&#153;&#149;西, C=CN' authenticated, loginOk=true

      15:30:00,025 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: login()

      15:30:00,027 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) commit, loginOk=true

      15:30:00,036 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) defaultLogin, lc=javax.security.auth.login.LoginContext@1c3d34b, subject=Subject(20114663).principals=org.jboss.security.SimplePrincipal@6254292(EMAILADDRESS=client1@xajob.com, CN=client1, OU=ä¿¡æ&#129;¯ä¸å¿&#131;, O=é&#153;&#149;西ç&#156;&#129;人æ&#137;&#141;交æµ&#129;æ&#156;&#141;å&#138;¡ä¸å¿&#131;, ST=é&#153;&#149;西, C=CN)org.jboss.security.SimpleGroup@23410971(CallerPrincipal(members:EMAILADDRESS=client1@xajob.com, CN=client1, OU=ä¿¡æ&#129;¯ä¸å¿&#131;, O=é&#153;&#149;西ç&#156;&#129;人æ&#137;&#141;交æµ&#129;æ&#156;&#141;å&#138;¡ä¸å¿&#131;, ST=é&#153;&#149;西, C=CN))

      15:30:00,067 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) updateCache, inputSubject=Subject(20114663).principals=org.jboss.security.SimplePrincipal@6254292(EMAILADDRESS=client1@xajob.com, CN=client1, OU=ä¿¡æ&#129;¯ä¸å¿&#131;, O=é&#153;&#149;西ç&#156;&#129;人æ&#137;&#141;交æµ&#129;æ&#156;&#141;å&#138;¡ä¸å¿&#131;, ST=é&#153;&#149;西, C=CN)org.jboss.security.SimpleGroup@23410971(CallerPrincipal(members:EMAILADDRESS=client1@xajob.com, CN=client1, OU=ä¿¡æ&#129;¯ä¸å¿&#131;, O=é&#153;&#149;西ç&#156;&#129;人æ&#137;&#141;交æµ&#129;æ&#156;&#141;å&#138;¡ä¸å¿&#131;, ST=é&#153;&#149;西, C=CN)), cacheSubject=Subject(17387626).principals=org.jboss.security.SimplePrincipal@6254292(EMAILADDRESS=client1@xajob.com, CN=client1, OU=ä¿¡æ&#129;¯ä¸å¿&#131;, O=é&#153;&#149;西ç&#156;&#129;人æ&#137;&#141;交æµ&#129;æ&#156;&#141;å&#138;¡ä¸å¿&#131;, ST=é&#153;&#149;西, C=CN)org.jboss.security.SimpleGroup@23410971(CallerPrincipal(members:EMAILADDRESS=client1@xajob.com, CN=client1, OU=ä¿¡æ&#129;¯ä¸å¿&#131;, O=é&#153;&#149;西ç&#156;&#129;人æ&#137;&#141;交æµ&#129;æ&#156;&#141;å&#138;¡ä¸å¿&#131;, ST=é&#153;&#149;西, C=CN))

      15:30:00,095 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@69adc7

      15:30:00,104 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) End isValid, true

      15:30:00,119 TRACE [org.jboss.security.SecurityRolesAssociation] (http-cas-192.168.0.111-8443-1) Setting threadlocal:null

       

       

       

      when I visit the test app:

       

      https://xx.xx.xx.xx:8443/test/

       

      HTTP Status 403 - Access to the requested resource has been denied


      type Status report

      message Access to the requested resource has been denied

      description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.


      JBoss Web/7.0.13.Final

       

       

       

      Can anybody help me !!!!!! Thanks in advance!!!!