1. Re: Alternative Verifiers instead of AnyCertVerifier
anil.saldhana Apr 6, 2009 2:50 AM (in response to fthurber)
AnyCertVerifier was provided as a template that you can use to write your own custom verifier.

2. Re: Alternative Verifiers instead of AnyCertVerifier
fthurber Apr 9, 2009 10:00 AM (in response to fthurber)
Ah, yes, when I was reading the source, it seemed like a good place to start writing a custom module. I do not have time to do this in the current schedule, but will do it for the next cycle. Thanks Anil.
Note: One thing that helped when using this verifier and the BaseCertLoginModule was changing the SubjectDNMapping to the obscure SubjectCNMapping in the JBossSecurityMgrRealm in server.xml. In this way I only had to load the CN instead of the long, odious DN into the user-roles.properties file.

3. Re: Alternative Verifiers instead of AnyCertVerifier
ghilling Sep 6, 2011 4:23 PM (in response to anil.saldhana)
One additional question: is using the AnyCertVerifier not actually safe for web apps because the Tomcat SSL handshake will do the authentication in web applications? And also check the expiration?
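
An added example, not part of the thread and not JBoss code: a sketch of the kind of custom verifier the thread discusses, which accepts a certificate only if it validates against the truststore and is inside its validity period, rather than accepting anything. Assumptions: the class name is hypothetical, the method mirrors the `verify(X509Certificate, String, KeyStore, KeyStore)` signature of `org.jboss.security.auth.certs.X509CertificateVerifier`, the `implements` clause is left off so it compiles without the JBoss jars, and revocation checking is disabled.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical class name. In a JBoss deployment it would declare
// "implements org.jboss.security.auth.certs.X509CertificateVerifier"
// (assumed interface; omitted here so the file compiles on a plain JDK).
public class TrustStoreCertVerifier {

    /**
     * Returns true only if the client certificate chains directly to a
     * trusted entry in the truststore and is currently valid.
     * The alias and keystore arguments are not needed for this check.
     */
    public boolean verify(X509Certificate cert, String alias,
                          KeyStore keyStore, KeyStore trustStore) {
        // Fail closed when there is nothing to validate against.
        if (cert == null || trustStore == null) {
            return false;
        }
        try {
            // Every trusted certificate entry in the truststore becomes a trust anchor.
            PKIXParameters params = new PKIXParameters(trustStore);
            // Assumption: no CRL/OCSP source is configured, so revocation is off.
            params.setRevocationEnabled(false);

            // Only the leaf is supplied, so it must be issued directly by an anchor.
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(cert));

            // PKIX validation checks the signature and the validity period
            // (expired or not-yet-valid certificates are rejected).
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            // Any validation, keystore or algorithm failure means "not verified".
            return false;
        }
    }
}
```

Because every failure path returns `false`, a misconfigured or empty truststore rejects all certificates instead of silently accepting them.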