1 Reply. Latest reply on Apr 11, 2003 9:37 AM by didi1976

    JBossSecurityMgrRealm

    didi1976

      Hi,

      are there any intents to implement a working Client Certificate authentication?

      In 3.2 RC4 with tomcat it is not implemented in a working way.

      As far as I can see the authenticate(X509Certificate[]) method always returns null. It does not have any look at the certificates or try to check them.

      I have implemented my own Login Module and set it to be used by the web but it does not get called.

      If I use 3.2 RC4 with Jetty my Login Module is called correctly.

      The main reason for Tomcat is the handling of SSL connections: It allows connections without a client certificate within the SSL connection and checks the web if this is required. If the auth-method is set to CLIENT-CERT the SSL session is invalidated, set to NeedClientAuth=true and a new handshake is done. Jetty refuses connections without client certificates, which leads to the problem that all users need to have client certificates regardless of whether the web page requires them or not.

      The invalidation and re-handshake of the connections leads to another problem: you need a working SSL implementation which supports this behaviour. The default one of SUN shipped with JDK 1.4.x does not. I have implemented my own socket factory using the API from Wedgetail and used it with Tomcat, so I got that part working.

      After all that I ended up on the org.jboss.web.catalina.security.JBossSecurityMgrRealm which now has to check the supplied certificates. This should be done by calling the specified LoginModule but it does not. Instead it simply returns null.

      Regards,
      Dietmar

        • 1. Re: JBossSecurityMgrRealm
          didi1976

          Hi,

          could somebody please change the method in the following way so the login module gets called:

          // Replacement for org.jboss.web.catalina.security.JBossSecurityMgrRealm#authenticate(X509Certificate[]).
          // Needs: java.security.Principal, java.security.cert.X509Certificate, javax.naming.Context,
          // javax.naming.NamingException, org.jboss.security.AuthenticationManager,
          // org.jboss.security.SecurityAssociation, org.jboss.security.SimplePrincipal, org.jboss.logging.XLevel
          public Principal authenticate(X509Certificate[] certs)
          {
              SimplePrincipal principal = null;
              Context securityCtx = getSecurityContext();
              if( securityCtx == null )
              {
                  return null;
              }
              // Nothing presented by the client: nothing to authenticate (avoids certs[0] on an empty chain)
              if( certs == null || certs.length == 0 )
              {
                  return null;
              }

              try
              {
                  // Get the JBoss security manager from the ENC context
                  AuthenticationManager securityMgr = (AuthenticationManager) securityCtx.lookup("securityMgr");
                  // Principal name is built from the end-entity certificate (first in the chain)
                  principal = new SimplePrincipal(certs[0].getSerialNumber() + " " + certs[0].getIssuerDN());
                  // Hand the chain to the configured LoginModule(s) as the credential
                  if( securityMgr.isValid(principal, certs) )
                  {
                      category.log(XLevel.TRACE, "User: "+principal+" is authenticated");
                      SecurityAssociation.setPrincipal(principal);
                      SecurityAssociation.setCredential(certs);
                  }
                  else
                  {
                      category.log(XLevel.TRACE, "User: "+principal+" is NOT authenticated");
                      principal = null;
                  }
              }
              catch(NamingException e)
              {
                  category.error("Error during authenticate", e);
              }
              return principal;
          }

          I did not do a lot of tests till now due to a lack of time, but this should fix it for the moment.

          Thanks,
          Didi
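The check that the LoginModule reached through securityMgr.isValid(principal, certs) should perform on the chain, as an added example that is not the poster's code and not part of JBoss: it builds a CertPath from the presented certificates and validates it against a truststore with the JDK's PKIX validator (available since JDK 1.4). The truststore path, its password and the revocation flag are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Chain validation a certificate LoginModule can delegate to (hypothetical helper). */
public class ClientCertCheck {

    private final KeyStore trustStore;
    private final boolean checkRevocation;

    // trustStorePath/password: assumed deployment values; checkRevocation=false means CRLs are checked elsewhere
    public ClientCertCheck(String trustStorePath, char[] password, boolean checkRevocation) throws Exception {
        this.checkRevocation = checkRevocation;
        trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
    }

    /** Returns true only if the presented chain validates to an anchor in the truststore. */
    public boolean isValid(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return false;                 // no client certificate presented: never "valid" by default
        }
        try {
            // Chain as presented by the client: end-entity first, then its issuers.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Arrays.asList(certs));
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(checkRevocation);
            // Verifies signatures, validity dates, basic constraints and the trust anchor.
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;                 // expired, untrusted issuer, broken signature, ...
        } catch (Exception e) {
            return false;                 // malformed input or provider error: fail closed
        }
    }
}
```

A LoginModule whose login() only checks that the X509Certificate[] credential is non-null accepts any self-signed certificate, so the chain validation above is the part that actually authenticates the client.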