Version 3

    JBossSecurityMgrRealm : Custom Tomcat Security Realm

    The JBossSecurityMgrRealm is an implementation of the implementation of the tomcat Realm. The Realm implementation handles authentication and authorization using the JBossSX security framework. It relies on the JNDI ENC namespace setup by the AbstractWebContainer. In particular, it uses the java:comp/env/security subcontext to access the security manager interfaces for authorization and authenticaton.


    The attributes that may be set on the realm in the server.xml include:

    • certificatePrincipal : the class name of the interface used for mapping X509 cert chains to a Princpal that will be passed to the authentication layer as the caller identity. This is the principal that login modules associated with the web deployment security domain will see.


    The CertificatePrincipal Interface

    The interface is used by the web container to transform the SSL cert chain into a instance to use as the caller identity. The CertificatePrincipal interface is:


     * JBoss, Home of Professional Open Source
     * Distributable under LGPL license.
     * See terms of license at
    /** An interface for converting an X509 cert to a Principal
     * @author
     * @version $Revision: $
    public interface CertificatePrincipal
        * Return the Principal associated with the specified chain of X509
        * client certificates.  If there is none, return <code>null</code>.
        * @param certs Array of client certificates, with the first one in
        * the array being the certificate of the client itself.
       public Principal toPrinicipal(X509Certificate[] certs);


    The current bundled implementations include:

    • : implementation that uses the client cert SubjectDN as the principal as obtained from certs{FOOTNOTE DEF 0 0}.getSubjectDN().

    • : implementation that uses the client certs{FOOTNOTE DEF 0 0}.getSubjectDN() CN='...' value as the name of the instance.