2 Replies Latest reply on Aug 9, 2011 1:51 PM by Jack Johnson

    Combine FORM and CLIENT-CERT authentication

    Joan Pujol Espinar Newbie


      In our application we want to try to authenticate users first with a client certificate and, if that isn't possible, use a typical user/password form.

      The problem is that I don't know how to do that in web.xml, because in the <login-config> of web.xml I can only set one auth-method (see the end of this post).

      The documentation says:

      You can chain together multiple LoginModules to allow for more than one authentication technology to participate in the authentication process. For example, one LoginModule may perform username/password-based authentication, while another may interface to hardware devices such as smart card readers or biometric authenticators.

      And it's true, I can have multiple login modules without problem. But in web.xml, how can I combine certificates with user/password?

      Code from web.xml:


      Many thanks in advance.

        • 1. Re: Combine FORM and CLIENT-CERT authentication
          Joan Pujol Espinar Newbie

          I'm replying to myself for the benefit of the community:

          A workaround that I found is to use two applications:

          You have to use two applications in the same security realm.
          In one you put FORM authentication and in the other you put CLIENT-CERT authentication.

          One application is the one you have developed and the other simply has an index.jsp that redirects to the other. That JSP has to be protected. This way, when you try to access the JSP, authentication is done and the credentials are put in the session, and since the two apps share the same security realm you are logged in to the other application.


          • 2. Re: Combine FORM and CLIENT-CERT authentication
            Jack Johnson Newbie

            I've tried to implement this, but have run into trouble.  Can anyone answer some basic questions about what the previous poster did that worked?  I have an existing application that uses FORM authentication, and we're planning on adding the ability for some users to log in with PKI certificates.


            My (existing) application uses FORM as its auth-type. I've created a new WAR whose sole content is a Servlet that redirects to my main application.  This WAR uses the same security-domain (configured in the new jboss-web.xml file).  In my new web.xml file, I apply the same security-constraints and security-role, but have a different auth-method (CLIENT-CERT).  I also added a new login-module to the security domain, so that I have a chain of 2 login modules in a shared application-policy - one that will authenticate a user with a valid certificate, and one that will validate a user with a username/password.


            The two parts of my app (the old application, and the new Servlet) both successfully use the main application-policy, and both are hitting the LoginModules in the debugger.  But when the CLIENT-CERT authorized Servlet forwards a user to the FORM authorized main page, the user is prompted to relogin.


            Does anybody have any advice on what I might be doing wrong?  I can post code / xml samples if it would help.
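The two-application layout from reply 1, together with the pieces reply 2 says it set up (a second WAR on the same security domain and a two-module login chain), written out as an added configuration example. It is not the posters' configuration, and every name in it is an assumption made for illustration: the security domain is called app-realm, the role user, the existing FORM application is deployed at /app and the certificate front door at /certlogin. The login module classes are JBoss's own CertRolesLoginModule and UsersRolesLoginModule (JBoss AS 4/5 SPI); the properties file paths are placeholders.

```xml
<!-- Added example, not the posters' configuration. Assumed names: security domain
     "app-realm", role "user", main application at /app, certificate front door at
     /certlogin. -->

<!-- certlogin.war/WEB-INF/web.xml : tiny front door, CLIENT-CERT only -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <!-- index.jsp must fall under the constraint, or no authentication happens -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- a client certificate is only presented during a TLS handshake; force HTTPS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>app-realm</realm-name>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>

<!-- certlogin.war/WEB-INF/jboss-web.xml : same security domain as the main application -->
<jboss-web>
  <security-domain>java:/jaas/app-realm</security-domain>
</jboss-web>

<!-- certlogin.war/index.jsp : only reached once the certificate has been accepted -->
<% response.sendRedirect("/app/"); %>

<!-- app.war/WEB-INF/web.xml : the existing application, FORM only -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>app-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>

<!-- app.war/WEB-INF/jboss-web.xml : same security domain -->
<jboss-web>
  <security-domain>java:/jaas/app-realm</security-domain>
</jboss-web>

<!-- conf/login-config.xml (assumed location) : one application-policy shared by
     both WARs. Both modules are "sufficient": the certificate module is tried
     first; under FORM there is no certificate, so it fails and the
     username/password module decides. Under CLIENT-CERT it succeeds and the
     chain stops there. -->
<application-policy name="app-realm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag="sufficient">
      <!-- JaasSecurityDomain MBean that supplies the key/trust stores -->
      <module-option name="securityDomain">java:/jaas/app-realm</module-option>
      <!-- AnyCertVerifier accepts whatever certificate survived the TLS handshake,
           so the chain check is the HTTPS connector's truststore, not this module -->
      <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
      <!-- roles keyed by the certificate's subject DN (placeholder path) -->
      <module-option name="rolesProperties">props/cert-roles.properties</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
      <module-option name="usersProperties">props/app-users.properties</module-option>
      <module-option name="rolesProperties">props/app-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Two checks are worth making with this layout. First, the HTTPS connector in JBoss Web's server.xml needs a truststoreFile and clientAuth="want" rather than "true": with "true" a browser without a certificate cannot complete the handshake at all and never reaches the FORM login of /app. Second, JBoss Web (Tomcat) keeps the authenticated principal per web application; the redirect from /certlogin to /app only carries the login across when the host's SingleSignOn valve (org.apache.catalina.authenticator.SingleSignOn) is enabled, which JBoss Web ships commented out. Sharing a security domain alone is not enough, so if the FORM application prompts again after the redirect, that valve is the first thing to look at.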