Version 5

    Mapping the SSL X509Certificate to a Principal

    When CLIENT-CERT authentication is enabled, the principal passed to the security layer for authentication is derived from the client certificate chain presented during the SSL handshake. To control what name is extracted from the cert you can specify a CertificatePrincipal implementation:

    package org.jboss.security;

    import java.security.Principal;
    import java.security.cert.X509Certificate;

    /** An interface for converting an X509 cert to a Principal */
    public interface CertificatePrincipal
    {
       /**
        * Return the Principal associated with the specified chain of X509
        * client certificates.  If there is none, return <code>null</code>.
        * @param certs Array of client certificates, with the first one in
        * the array being the certificate of the client itself.
        */
       public Principal toPrinicipal(X509Certificate[] certs);  // note: the method really is spelled this way in the JBoss interface
    }


    Implementations bundled with JBoss (package org.jboss.security.auth.certs) include:

    • SerialNumberIssuerDNMapping - builds the principal name from the cert serialNumber and issuerDN; the only bundled mapping whose name is unique across every certificate a CA issues.

    • SubjectCNMapping - uses the CN='...' element of the client cert SubjectDN as the principal. Two certs with the same CN (from the same or different issuers) map to the same principal, so this is only as strong as the issuing policy of every CA in the truststore.

    • SubjectDNMapping - uses the full client cert SubjectDN string as the principal.

    • SubjectX500Principal (4.0.4+) - uses the client cert SubjectX500Principal as the principal, so the name is compared as an X.500 name rather than as a DN string.
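    The following is an added example, not code from the JBoss page or the JBossSX code base: a custom CertificatePrincipal that maps the client cert to the most specific CN of its subject, parsed with javax.naming.ldap.LdapName instead of splitting the DN string on commas. The class name SubjectCNPrincipal, the helper cnFromDn() and the DNs used in main() are constructed for illustration; org.jboss.security.SimplePrincipal is the JBoss principal class the bundled mappings also return.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.jboss.security.CertificatePrincipal;
import org.jboss.security.SimplePrincipal;

/** Added example (hypothetical class): principal = leftmost CN of the client cert subject. */
public class SubjectCNPrincipal implements CertificatePrincipal
{
   public Principal toPrinicipal(X509Certificate[] certs)   // spelling as in the JBoss interface
   {
      // No chain (connector without client auth, or a failed renegotiation): no principal.
      if (certs == null || certs.length == 0 || certs[0] == null)
         return null;
      // certs[0] is the client's own cert; the rest of the array is the issuer chain.
      String dn = certs[0].getSubjectX500Principal().getName(X500Principal.RFC2253);
      String cn = cnFromDn(dn);
      return cn == null ? null : new SimplePrincipal(cn);
   }

   /** Return the leftmost (most specific) CN of an RFC 2253 DN, or null if it has none. */
   static String cnFromDn(String dn)
   {
      try
      {
         LdapName name = new LdapName(dn);
         // LdapName indexes RDNs right to left: index 0 is the root (e.g. C=US) and
         // the highest index is the leftmost RDN, which is the one we want first.
         for (int i = name.size() - 1; i >= 0; i--)
         {
            Rdn rdn = name.getRdn(i);
            Attribute cn = rdn.toAttributes().get("cn");   // case-insensitive lookup
            if (cn != null)
               return (String) cn.get();                   // unescaped: "\," comes back as ","
         }
         return null;
      }
      catch (NamingException e)
      {
         return null;   // unparsable DN: refuse to authenticate rather than guess a name
      }
   }

   public static void main(String[] args)
   {
      // Constructed DNs for illustration; a real deployment reads them from the cert.
      String[] dns = {
         "CN=alice,OU=Engineering,O=Example Corp,C=US",
         "CN=alice\\,admin,O=Example Corp",       // escaped comma inside the CN value
         "CN=deploy,CN=alice,O=Example Corp",      // two CNs: the leftmost wins
         "OU=Servers,O=Example Corp"               // no CN at all: null, no principal
      };
      for (String dn : dns)
         System.out.println(dn + " -> " + cnFromDn(dn));
   }
}
```

    To use it, put the class on the server classpath and set certificatePrincipal="SubjectCNPrincipal" (with its package, if any) on the Realm. Because a CN is not unique across issuers, this mapping is only safe when the truststore behind the SSL connector contains a single CA whose issuance policy guarantees distinct CNs; with several trusted CAs, prefer SerialNumberIssuerDNMapping or SubjectDNMapping, or fold the issuer DN into the returned name.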


    The CertificatePrincipal is configured on the JBossWeb container by editing jbossweb-tomcat.sar/server.xml and setting the certificatePrincipal attribute on the configured Realm to the class name of the mapping; the stock configuration uses SubjectDNMapping:

             <!-- The JAAS based authentication and authorization realm implementation
             that is compatible with the jboss 3.2.x realm implementation.
             - certificatePrincipal : the class name of the CertificatePrincipal
             implementation used for mapping X509[] cert chains to a Principal.
             -->
             <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
                certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
                />
             <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
             behavior of JBossSecurityMgrRealm, but overrides the authorization
             checks to use JACC permissions with the current
             to determine authorized access.
             -->
             <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
                certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
                />

    Only one Realm element should be active at a time; whichever one is uncommented is the realm that receives the certificate chain, so the certificatePrincipal attribute has to be set on that one.