4 Replies Latest reply on May 3, 2016 1:49 AM by Nicklas Karlsson

    Mapping client certificate to role

    Nicklas Karlsson Master

      Combatting my SmartCard here again (WF10). I've cranked up logging when accessing a protected domain and I see

       

      10:40:03,534 TRACE [org.jboss.security] (default task-7) PBOX00288: Properties file file:C:\Java\AS\wildfly-10.0.0.Final\standalone\configuration/app-roles.properties loaded, users: [admin, CN=Firstname]
      10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00239: End initialize method
      10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00240: Begin login method
      10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00240: Begin login method
      10:40:03,535 TRACE [org.jboss.security] (default task-7) PBOX00240: Begin login method
      10:40:03,536 TRACE [org.jboss.security] (default task-7) PBOX00252: Begin getAliasAndCert method
      10:40:03,537 TRACE [org.jboss.security] (default task-7) PBOX00253: Found certificate, serial number: cafebabe, subject DN: CN=Firstname Lastname, SURNAME=LastName, GIVENNAME=FirstName, SERIALNUMBER=666, C=FI
      10:40:03,537 TRACE [org.jboss.security] (default task-7) PBOX00255: End getAliasAndCert method
      10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00256: Begin validateCredential method
      10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00257: Validating certificate using verifier class org.jboss.security.auth.certs.AnyCertVerifier
      10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00260: End validateCredential method, result: true
      10:40:03,538 TRACE [org.jboss.security] (default task-7) PBOX00241: End login method, isValid: true
      10:40:03,539 TRACE [org.jboss.security] (default task-7) PBOX00241: End login method, isValid: true
      10:40:03,539 TRACE [org.jboss.security] (default task-7) PBOX00242: Begin commit method, overall result: true
      10:40:03,543 TRACE [org.jboss.security] (default task-7) PBOX00210: defaultLogin, login context: <snip>
      10:40:03,544 TRACE [org.jboss.security] (default task-7) PBOX00207: updateCache, input subject: <snip>
      10:40:03,546 TRACE [org.jboss.security] (default task-7) PBOX00208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@731fb1c3
      10:40:03,547 TRACE [org.jboss.security] (default task-7) PBOX00201: End isValid, result = true
      10:40:03,561 TRACE [org.jboss.security] (default task-7) PBOX00354: Setting security roles ThreadLocal: null
      
      

       

      So as I'm interpreting it, the login was successful but no roles were mapped. In my app-roles.properties I have

       

      CN\=Firstname Lastname, SURNAME\=Lastname, GIVENNAME\=Firstname, SERIALNUMBER\=666, C\=FI=JBossAdmin
      
      

       

      and in web.xml I have

       

      
      
      
      
      <security-constraint>
      
      
      
      
      <display-name>Secure</display-name>
      
      
      
      
      <web-resource-collection>
      
      
      
      
      
      <web-resource-name>admin</web-resource-name>
      
      
      
      
      
      <description />
      
      
      
      
      
      <url-pattern>/secure/*</url-pattern>
      
      
      
      
      </web-resource-collection>
      
      
      
      
      <auth-constraint>
      
      
      
      
      
      <description />
      
      
      
      
      
      <role-name>JBossAdmin</role-name>
      
      
      
      
      </auth-constraint>
      
      
      
      </security-constraint>
      
      
      
      <login-config>
      
      
      
      
      <auth-method>CLIENT-CERT</auth-method>
      
      
      
      
      <realm-name>client_cert_domain</realm-name>
      
      
      
      </login-config>
      
      
      
      <security-role>
      
      
      
      
      <description />
      
      
      
      
      <role-name>JBossAdmin</role-name>
      
      
      
      </security-role>
      
      
      
      

       

      How come the subject doesn't get the role? Is there some subtle formatting error in my properties file?

       

      Thanks in advance,

      Nik