5 Replies Latest reply on Dec 2, 2003 12:36 PM by Jarno Peltoniemi

    user always successfully authenticated with CLIENT-CERT

    Sébastien Brunot Newbie


      I'm using Apache 2.0.48 with mod_ssl and mod_jk2 in front of JBoss 3.2.2 (I'm using the embedded Tomcat servlet container with the Coyote JK connector).

      Apache is handling the SSL communication with the client, which provides an X509 certificate. I can see in my web app that the certificate is correctly transmitted to JBoss, as I can access it in the request.

      When I set my web app client authentication mode to be CLIENT-CERT, my client is automatically authenticated (whatever the LoginModule is), and an isUserInRole() on any role (even a role that is not declared in web.xml) always returns true (!).

      Anyone got the same problem? Is this a bug?