1 Reply Latest reply on Feb 11, 2004 8:57 PM by Scott Stark

    client certificate based authenication and jaas

    Dirk Newbie

      I would like to user the CLIENT-CERT login-config option in the embedded tomcat (jboss 3.2.1) for authentication.

      Using the JAAS DatabaseServerLoginModule with BASIC and FORM authentication works perfectly (jboss-web.xml and login-config.xml are correctly configured).

      When switching to CLIENT-CERT, I get following errors:

      ========in browser ==========
      Cannot authenticate with the provided credentials
      =========================

      ========in JBOSS serverl.log ====

      2004-02-06 16:51:54,968 DEBUG [org.jboss.security.plugins.JaasSecurityManager.weekendesk] Login failure
      javax.security.auth.login.FailedLoginException: No matching username found in Principals
       at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:102)
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:143)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:462)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:417)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:244)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:219)
       at org.jboss.web.catalina.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:145)
       at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:166)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
       at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
       at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
       at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
       at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
       at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:594)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:392)
       at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
       at java.lang.Thread.run(Thread.java:534)
      

      ===========================================

      What am I overlooking?

      I'm assuming the CN in the client certificate will be matched with my user-field in the Database realm. Is this correct?

      Should I use another LoginModule (spi) or write one myself?

      Should the keys for these client certificates be available for jboss in some way or another?

      Please,
      Help me

        • 1. Re: client certificate based authenication and jaas
          Scott Stark Master

          The standard login modules are unlikely to work because the Principal name is formed from the X509Certificate.getSerialNumber() + " " + X509Certificate.getIssuerDN() of the client cert, and the credentials are the X509Certificate[] chain obtained from the SSL connection. You will need to create a custom login module that knows how to deal with this information.