2 Replies Latest reply on Jul 13, 2011 3:00 PM by berfin

    Validating login/password AND Client Certificate

    Ramesh Raghavan Newbie

      I want to let the users type in their login & password to log into my system. But at the same time, I would like to validate the client certificate also in addition to the login/password.

      Currently, if I use only the CLIENT_CERT, there is no way to force the user to type in their username password. I see this as a security risk on a computer open to *many*. So, I want to force users to login using their login/password. There seems to be no way to do this in JBoss, as far as I know.

      Please suggest a solution that can be used in this scenario.

        • 1. Re: Validating login/password AND Client Certificate
          Ramesh Raghavan Newbie

          Here is what I did to solve the issue.

          1. I extended org.jboss.security.auth.spi.BaseCertLoginModule and overriding the method getAliasAndCert() with my own implementation.

          2. Use my extended LoginModule in place of BaseCertLoginModule in the login-config.xml file.

          3. In the login-config.xml file use both the username/password authentication login module and the subclassed BaseCertLoginModule

          4. In jboss-service.xml find the following entry
          <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"

          In that change the values of the properties "DefaultCacheTimeout" and "DefaultCacheResolution" to zero. This is to disable the caching of security credentials, so that your certificate will be validated properly without caching.

          I hope this will be helpful for anyone. If you need further details on my implementation of the getAliasAndCert() method, let me know. I will post the relevent portions of the code in the forum.

          • 2. Re: Validating login/password AND Client Certificate
            berfin Newbie

            Hi Ramesh,

            I have same issue to solve, could you please post the code of the getAliasAndCert() method, it would be very helpfull. thanks