I've seen the same problem although in another authentication mode. The reason was that the security-domain wasn't specified in the jboss-web.xml.
It seemed quite a weird behaviour as it should default to the "other" login-context, shouldn't it?
I checked it from the sources to give a more precise explanation. The web application will be linked to NullSecurityManager in org.jboss.web.AbstractWebContainer#linkSecurityDomain(String, Context) if the security-domain is not specified. NullSecurityManager allows login with any credentials and always returns true from doesUserHaveRole().
I'd rather see AbstractWebContainer define the default security-domain as java:/jaas/[realm] where [realm] would be the realm specified in web.xml. Additionally, I'd like to see the JBoss default configuration associate the login-context "other" to NoneShallPassLoginModule. This would reduce the risk of having a misconfiguration that would allow anyone access to confidential data.
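One way to catch the misconfiguration described in this reply before it reaches production is to audit each WAR for the combination of a protected web.xml and a missing or empty security-domain. The script below is an added example, not JBoss code or anything posted in this thread; the element names (security-constraint, login-config, security-domain) are the standard web.xml/jboss-web.xml ones, and the sample archives are constructed in the block. It also reports a jboss-web.xml that sits outside WEB-INF, since JBoss ignores it there.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _local(tag):
    """Element name with any XML namespace prefix removed."""
    return tag.rsplit("}", 1)[-1]

def _find(root, name):
    """All elements under root whose local name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]

def audit_war(war_bytes):
    """Audit one WAR (bytes) for the NullSecurityManager fallback.

    Returns a list of findings; an empty list means the app either
    constrains nothing or names a security domain in WEB-INF/jboss-web.xml.
    """
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = set(war.namelist())
        if "WEB-INF/web.xml" not in names:
            return ["WEB-INF/web.xml missing"]
        web = ET.fromstring(war.read("WEB-INF/web.xml"))
        if not (_find(web, "security-constraint") or _find(web, "login-config")):
            return []  # nothing is protected, so no security manager is consulted
        if "WEB-INF/jboss-web.xml" not in names:
            msg = "WEB-INF/jboss-web.xml missing: NullSecurityManager will be linked"
            misplaced = sorted(n for n in names if n.endswith("jboss-web.xml"))
            if misplaced:  # e.g. the file was packaged at the archive root
                msg += " (found at %s, which JBoss ignores)" % ", ".join(misplaced)
            return [msg]
        jb = ET.fromstring(war.read("WEB-INF/jboss-web.xml"))
        domains = [(d.text or "").strip() for d in _find(jb, "security-domain")]
        if not any(domains):
            return ["jboss-web.xml has no <security-domain>: NullSecurityManager will be linked"]
    return []

def build_war(files):
    """Constructed sample WAR from a dict of archive path -> text content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for path, text in files.items():
            war.writestr(path, text)
    return buf.getvalue()

# Constructed sample descriptors (not the ones attached to this thread).
WEB_XML = """<web-app><security-constraint><web-resource-collection>
<url-pattern>/*</url-pattern></web-resource-collection><auth-constraint>
<role-name>admin</role-name></auth-constraint></security-constraint>
<login-config><auth-method>CLIENT-CERT</auth-method></login-config></web-app>"""
JBOSS_WEB_OK = "<jboss-web><security-domain>java:/jaas/clientCert</security-domain></jboss-web>"
JBOSS_WEB_EMPTY = "<jboss-web></jboss-web>"
```

Run audit_war over every WAR in the deploy directory; any non-empty result is an application that will accept any credentials for its protected URLs.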
Hi, and thanks for your help...
Here is an extract from my login-config.xml (entire file attached with this post):
<!-- Configuration for ApacheClientCert web app -->
<application-policy name = "clientCert">
flag = "required" />
And here is the content of my jboss-web.xml :
<?xml version="1.0" encoding="UTF-8"?>
<!-- use of the "testCert" security domain -->
Do you see any problem?
I have written my own LoginModule which checks the Certificate. I am not using an Apache in front of my JBoss.
The CN of the certificate is used to generate a SimplePrincipal.
I have only tested it with JBoss 3.2.1 and there it does the job for me.
Hope that helps,
The problem has already been solved. The jboss-web.xml was in the wrong directory and therefore the NullSecurityManager was used.