CertLoginModule from OpenLdap???
mforward_cn Jan 17, 2013 2:48 AM

standalone.xml:

<security-domain name="test" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
    </login-module>
  </authentication>
  <authorization>
    <policy-module code="Delegating" flag="required"/>
  </authorization>
</security-domain>

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
  <ssl name="jbossweb-ssl" password="123456" certificate-key-file="/root/ca/keys/serverkey.pem" verify-client="require" certificate-file="/root/ca/certs/server.cer" ca-certificate-file="/root/ca/certs/ca.cer"/>
</connector>
web.xml in my test app:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>test</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>test</realm-name>
</login-config>
<security-role>
  <role-name>users</role-name>
</security-role>

server.log:
15:29:59,959 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) initialize
15:29:59,961 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) Security domain: test
15:29:59,964 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) securityDomain=other
15:29:59,980 ERROR [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) The JSSE security domain other is not valid. All authentication using this login module will fail!
15:29:59,988 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: initialize(Subject, CallbackHandler, Map, Map)
15:29:59,991 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) enter: login()
15:29:59,995 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) login
15:29:59,998 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) enter: getAliasAndCert()
15:30:00,000 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: getAliasAndCert()
15:30:00,006 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) enter: validateCredentail(String, X509Certificate)
15:30:00,011 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) Validating cert using: org.jboss.security.auth.certs.AnyCertVerifier@1db4c43
15:30:00,014 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) The supplied certificate matched the certificate in the keystore.
15:30:00,017 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: validateCredentail(String, X509Certificate)
15:30:00,020 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) User 'EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN' authenticated, loginOk=true
15:30:00,025 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) exit: login()
15:30:00,027 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] (http-cas-192.168.0.111-8443-1) commit, loginOk=true
15:30:00,036 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) defaultLogin, lc=javax.security.auth.login.LoginContext@1c3d34b, subject=Subject(20114663).principals=org.jboss.security.SimplePrincipal@6254292(EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN)org.jboss.security.SimpleGroup@23410971(CallerPrincipal(members:EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN))
15:30:00,067 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) updateCache, inputSubject=Subject(20114663).principals=org.jboss.security.SimplePrincipal@6254292(EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN)org.jboss.security.SimpleGroup@23410971(CallerPrincipal(members:EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN)), cacheSubject=Subject(17387626).principals=org.jboss.security.SimplePrincipal@6254292(EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN)org.jboss.security.SimpleGroup@23410971(CallerPrincipal(members:EMAILADDRESS=client1@xajob.com, CN=client1, OU=信息中心, O=陕西省人才交流服务中心, ST=陕西, C=CN))
15:30:00,095 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@69adc7
15:30:00,104 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-cas-192.168.0.111-8443-1) End isValid, true
15:30:00,119 TRACE [org.jboss.security.SecurityRolesAssociation] (http-cas-192.168.0.111-8443-1) Setting threadlocal:null
When I visit the test app:

https://xx.xx.xx.xx:8443/test/
HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
JBoss Web/7.0.13.Final
Can anybody help me? Thanks in advance!
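The log above shows two separate things: the login module was initialised without a "securityDomain" option, so it fell back to the JSSE domain "other" and logged that it is not valid, and the client was authenticated (loginOk=true) but the only principal in the Subject is the certificate DN itself, with no "users" role, which is why the auth-constraint answers 403. The following security-subsystem fragment for JBoss AS 7.1 is an added example, not the poster's configuration or a reply from the thread; the domain name "client-cert-jsse", the keystore paths, the passwords and the roles file path are assumed placeholders.

```xml
<!-- Added example for JBoss AS 7.1 (not the original poster's configuration).
     Placeholders: client-cert-jsse, client-ca.jks, CHANGE_ME, cert-roles.properties. -->
<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>

    <!-- 1. A JSSE security domain. BaseCertLoginModule resolves its "securityDomain"
         module-option (default: "other") to a domain with a <jsse> element and takes
         its key store and trust store from there. Without it you get the
         "The JSSE security domain other is not valid" ERROR seen in server.log.
         Assumed: a JKS file that holds the client CA certificate. -->
    <security-domain name="client-cert-jsse">
      <jsse keystore-url="${jboss.server.config.dir}/client-ca.jks"
            keystore-password="CHANGE_ME"
            truststore-url="${jboss.server.config.dir}/client-ca.jks"
            truststore-password="CHANGE_ME"/>
    </security-domain>

    <!-- 2. The application domain named by <realm-name>test</realm-name> in web.xml.
         CertRolesLoginModule extends BaseCertLoginModule and additionally assigns
         roles from a properties file, which is the step missing in the posted
         configuration: authentication succeeds, but the caller never receives the
         "users" role that the auth-constraint demands. -->
    <security-domain name="test" cache-type="default">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag="required">
          <module-option name="securityDomain" value="client-cert-jsse"/>
          <!-- AnyCertVerifier accepts every certificate the connector hands over, so
               the module's own check is a no-op. The only real trust decision is the
               connector's ca-certificate-file together with verify-client="require";
               keep that connector setting exactly as posted. -->
          <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
          <!-- Assumed roles file. Each key is the principal name exactly as the log
               prints it (the full certificate DN) and the value is the role list, e.g.
               EMAILADDRESS\=client1@xajob.com,\ CN\=client1,\ ... ,\ C\=CN=users
               As in any java.util.Properties file, '=' and spaces inside the key are
               backslash-escaped and non-Latin-1 characters such as the Chinese OU/O
               values are written as \uXXXX escapes. -->
          <module-option name="rolesProperties" value="${jboss.server.config.dir}/cert-roles.properties"/>
        </login-module>
      </authentication>
      <authorization>
        <policy-module code="Delegating" flag="required"/>
      </authorization>
    </security-domain>

  </security-domains>
</subsystem>
```

Two notes on the posted configuration. "password-stacking=useFirstPass" on the only login module in the chain has no effect; it only matters when a second module follows and is meant to reuse the principal established by the certificate module, which is the shape you would need if the roles are to come from OpenLDAP rather than from a properties file as in this example. And the TRACE line "The supplied certificate matched the certificate in the keystore." is printed after the verifier returns true; with AnyCertVerifier it does not mean the certificate was checked against anything, so do not read it as evidence of trust validation.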