2 Replies Latest reply on Mar 26, 2009 1:58 PM by Frederick Thurber

    Mixing CLIENT-CERT and BASIC authentication

    Frederick Thurber Newbie


      My war file has two types of servlets. I would like to authenticate one group with client-cert and the other type with basic authentication. [They both live under a context-root of "/servlet" as defined in jboss-web.xml] I did not see anything obvious in the web.xml.

      Is this possible to do? Or do I need to split my war file and use different context roots such as /servlet-cert /servlet-basic? Unfortunately this split, as with many splits, would be painful.

        • 1. Re: Mixing CLIENT-CERT and BASIC authentication
          Alex Sorkin Newbie

          Not sure this question is in scope of the forum.

          Two things you need to describe in your web.xml:
          1) Security constraint mapped to some url pattern and requires some role.
          2) Role mapped to security domain.

          So you need to configure your web.xml as following:
          Two different security constraints mapped each to its url pattern
          e.g.
          <url-pattern>/*_cert_requred_*</url-pattern>
          requires some role: "CertProtected"
          <url-pattern>/*_passwd_requred_*</url-pattern>
          requires some role: "PasswordProtected"

          Best way to do this - separate your app to subcontexts:
          <url-pattern>/cert_requred/*</url-pattern>
          <url-pattern>/passwd_requred/*</url-pattern>

          Then you need to map each role to its JAAS domain.

          If you are mapping some security constraints to one url pattern (/*)... The result is depending on implementation. In best case you will got working the last constraint.

          • 2. Re: Mixing CLIENT-CERT and BASIC authentication
            Frederick Thurber Newbie

             

            "alexanders" wrote:
            Not sure this question is in scope of the forum.

            Two things you need to describe in your web.xml:
            1) Security constraint mapped to some url pattern and requires some role.
            2) Role mapped to security domain.

            So you need to configure your web.xml as following:
            Two different security constraints mapped each to its url pattern
            e.g.
            <url-pattern>/*_cert_requred_*</url-pattern>
            requires some role: "CertProtected"
            <url-pattern>/*_passwd_requred_*</url-pattern>
            requires some role: "PasswordProtected"

            Best way to do this - separate your app to subcontexts:
            <url-pattern>/cert_requred/*</url-pattern>
            <url-pattern>/passwd_requred/*</url-pattern>

            Then you need to map each role to its JAAS domain.

            If you are mapping some security constraints to one url pattern (/*)... The result is depending on implementation. In best case you will got working the last constraint.



            The key seems to be "map each role to its JAAS domain"; I cannot see how to do that. The choice of auth-method, either CLIENT-CERT or BASIC is made in the login-config element, but that is not mapped to a specific role, but it does seem to be mapped to a realm-name. Is there a mapping between realms and roles?