3 Replies Latest reply on Oct 19, 2002 12:33 PM by R.W. Shore

    CLIENT-CERT and authorization rules

    R.W. Shore Newbie

      I have an existing module that maps X509 certs into permissions. I'd like to use this as a login module within JBOSS, where the security roles (from JBOSS's perspective) become a specialized sort of permission (from the mapping module's perspective). It looks to me like the login module must create a Callback object and use the CallbackHandler to get the desired information. Is there a callback class that will return the user's cert to a login module? If I need to write a special callback class, any guidance on how to integrate this class into the rest of JBOSS?

        • 1. Re: CLIENT-CERT and authorization rules
          Tim Penhey Newbie

          If you are writing a custom login module, and you want to get access to the principal and credentials, then you want to create a SecurityAssociationCallback. I think it is in the package org.jboss.security.auth.callback. You can call it by doing the following in the initialize method:

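          // needs: javax.security.auth.callback.Callback and
          // org.jboss.security.auth.callback.SecurityAssociationCallback
          SecurityAssociationCallback sac = new SecurityAssociationCallback();
          Callback[] callbacks = {sac};
          try {
              // the handler must process the callback before it holds any data;
              // callbackHandler is assumed to be the CallbackHandler passed to initialize()
              callbackHandler.handle(callbacks);
              principal = sac.getPrincipal();
              // add bit to get credentials. it would be something like
              // credentials = sac.getCredentials(); and then cast
              // it to the certificate class...
              log.trace("principal: " + principal);
          } catch (Exception e) {
              log.error("callback failed: ", e);
          }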

          where principal is a private Principal object.


          • 2. Re: CLIENT-CERT and authorization rules
            R.W. Shore Newbie

            Thank you very much for the help.

            • 3. Re: CLIENT-CERT and authorization rules
              R.W. Shore Newbie

              OK, I've done some poking around in the code. If I'm following things correctly, turning on CLIENT-CERT causes an instance of class ClientCertAuthenticator to get control at some point -- haven't figured out exactly how this happens, and not sure I care. Class ClientCertAuthenticator calls an instance of interface UserRealm, passing the distinguished name from the cert as the principal and the cert chain as the credential. It appears that class JbossUserRealm is the implementation of UserRealm used to interface Jboss with Jetty. However, the copy of JbossUserRealm that I'm looking at handles only a String credential -- it won't work if the credential object is anything else.

              Am I incorrect about the processing flow, or am I going to have to generalize JbossUserRealm to get CLIENT-CERT processing to work correctly?