2 Replies Latest reply on Oct 26, 2005 2:45 PM by Rollin Crittendon

    BaseCertLoginModule working, but browser has a 403 in Tomcat

    Rollin Crittendon Newbie

      I am trying to get client certificate access going for evaluation. When I trace the system it looks like the following DO happen.

      1) My browser certificate is matched with my server's store (am using one keystore right now).

      2) Roles are being assigned from what I can see.

      Despite all of this I get an "HTTP STATUS 403 - Access to the requested resource has been denied". I have been using Chapter 8 of the documentation as reference.

      * On another note, I was curious if anyone has used LDAP to store their certificates as well.

      Some of my log file is the following, thank you!
      =========================
      2005-10-20 18:22:41,316 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule]
      enter: validateCredentail(String, X509Certificate)
      2005-10-20 18:22:41,316 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule]

      Supplied Credential: 5b7369c45719e1e2d94607755d29a8ea
      CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05,
      OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US

      Existing Credential: 5b7369c45719e1e2d94607755d29a8ea
      CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05,
      OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US

      2005-10-20 18:22:41,316 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule]
      The supplied certificate matched the certificate in the keystore.
      2005-10-20 18:22:41,316 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule]
      exit: validateCredentail(String, X509Certificate)
      2005-10-20 18:22:41,316 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule]
      User 'CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=TFCCS,
      O=TSG, L=Boston, ST=Massachusetts, C=US' authenticated, loginOk=true
      2005-10-20 18:22:41,316 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule]
      exit: login()
      2005-10-20 18:22:41,326 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule
      ] initialize, instance=@5487610
      .
      .
      .
      2005-10-20 18:22:41,336 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule
      ] commit, loginOk=true
      2005-10-20 18:22:41,346 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRea
      lm] User: CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=TF
      CCS, O=TSG, L=Boston, ST=Massachusetts, C=US is authenticated
      2005-10-20 18:22:41,346 TRACE [org.jboss.security.SecurityAssociation] pushSubje
      ctContext, subject=Subject:
      Principal: CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)
      05, OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US
      Principal: Roles(members)
      Principal: verisign.com/cps/testca (c)05, OU=TFCCS, O=TSG, L=Boston, ST=
      Massachusetts, C=US(members:JBossAdmin,HttpInvoker)
      Public Credential: [
      [
      Version: V3
      Subject: CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=T
      FCCS, O=TSG, L=Boston, ST=Massachusetts, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      ===========================================

        • 1. Re: BaseCertLoginModule working, but browser has a 403 in To
          Rollin Crittendon Newbie

          I found that the role allocation appears to behave oddly.

          It looks like the roles are being allocated to "verisign.com/cps/testca (c)05, OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US". Is this possible?


          2005-10-25 19:21:02,146 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] The supplied certificate matched the certificate in the keystore.
          2005-10-25 19:21:02,146 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] exit: validateCredentail(String, X509Certificate)
          2005-10-25 19:21:02,146 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] User 'CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US' authenticated, loginOk=true
          2005-10-25 19:21:02,146 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] exit: login()
          2005-10-25 19:21:02,146 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@3177540
          2005-10-25 19:21:02,156 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          2005-10-25 19:21:02,156 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/jboss-4.0.3/server/default/conf/props/jmx-console-users.properties, defaults=null
          2005-10-25 19:21:02,156 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US]
          2005-10-25 19:21:02,156 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
          2005-10-25 19:21:02,166 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/jboss-4.0.3/server/default/conf/props/jmx-console-roles.properties, defaults=null
          2005-10-25 19:21:02,166 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin, CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US]
          2005-10-25 19:21:02,166 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
          2005-10-25 19:21:02,186 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] commit, loginOk=true
          2005-10-25 19:21:02,186 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
          2005-10-25 19:21:02,186 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US is authenticated
          2005-10-25 19:21:02,196 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
          Principal: CN=rollin, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US
          Principal: Roles(members)
          Principal: verisign.com/cps/testca (c)05, OU=TFCCS, O=TSG, L=Boston, ST=Massachusetts, C=US(members:JBossAdmin,HttpInvoker)
          Public Credential: [


          My jmx-console-users.properties is as follows.
          # A sample users.properties file for use with the UsersRolesLoginModule
          admin=admin
          CN\=rollin,\ OU\=Terms\ of\ use\ at\ www\.verisign\.com\/cps\/testca\ \(c\)05,\ OU\=TFCCS,\ O\=TSG,\ L\=Boston,\ ST\=Massachusetts,\ C\=US=passwor
          


          My jmx-console-roles.properties is as follows.
          # A sample roles.properties file for use with the UsersRolesLoginModule
          admin=JBossAdmin,HttpInvoker
          CN\=rollin,\ OU\=Terms\ of\ use\ at\ www\.verisign\.com\/cps\/testca\ \(c\)05,\ OU\=TFCCS,\ O\=TSG,\ L\=Boston,\ ST\=Massachusetts,\ C\=US=JBossAdmin,HttpInvoker
          


          Any pointers on this is very much appreciated.

          Rollin

          • 2. Re: BaseCertLoginModule working, but browser has a 403 in To
            Rollin Crittendon Newbie

            I issued my own certificate as a certificate authority and things work.

            It looks like the DN from the trial Verisign certificate might have been causing some odd behavior.