[jboss-user] [Security & JAAS/JBoss] - BaseCertLoginModule fails to pick up client certificate

jaroos do-not-reply at jboss.com
Wed Aug 1 05:18:25 EDT 2007


L.S.,

I'm a relative newbie to JBoss. One of our applications exposes a web services interface. I'm trying to deploy the J2EE implementation of this application on JBoss. As part of this I'm trying to configure JBoss to require client certificates for the web service calls and to pass information from the certificate as the Principal to the application.

I've done the following:
- configure Tomcat for SSL. This works fine, regardless of the value of the clientAuth attribute.
- define a (JAAS) securitydomain in conf/jboss-service.xml
- define an application-policy in conf/login-config.xml, which contains the BaseCertLoginModule as the first login-module. This module refers to the securitydomain mentioned above
- add a reference to the securitydomain in META-INF\jboss.xml in the jar that exposes the EJBs which make up the web service
- define declarative security in the ejb-jar.xml

When I try to access the web service (I'm using a .NET client - not sure whether this might be relevant) I see the following in the JBoss logs (I've set logging of the security modules to the highest possible level):

2007-08-01 11:12:20,705 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] initialize, instance=@20704708
2007-08-01 11:12:20,705 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] securityDomain=java:/jaas/ITPForms-jboss
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] found domain: org.jboss.security.plugins.JaasSecurityDomain
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] exit: initialize(Subject, CallbackHandler, Map, Map)
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] enter: login()
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] login
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] enter: getAliasAndCert()
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] exit: getAliasAndCert()
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] Authenticating as unauthenticatedIdentity=null
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] enter: validateCredentail(String, X509Certificate)
2007-08-01 11:12:20,721 WARN  [org.jboss.security.auth.spi.BaseCertLoginModule] Domain, KeyStore, or cert is null. Unable to validate the certificate.
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] The supplied certificate DID NOT match the certificate in the keystore.
2007-08-01 11:12:20,721 TRACE [org.jboss.security.auth.spi.BaseCertLoginModule] exit: validateCredentail(String, X509Certificate)
2007-08-01 11:12:20,721 DEBUG [org.jboss.security.auth.spi.BaseCertLoginModule] Bad credential for alias=null

I've had a quick look at the BaseCertLoginModule implementation. It looks like its callback handler fails to retrieve the client certificate from the message.

As an exercise, I've tried to do the same for a simple web archive. This seems to work perfectly. Is there any restriction w.r.t. client authentication and EJBs/web services?

Thank you in advance,
Johan.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4069539#4069539

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4069539
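For readers following the five configuration steps listed in the post, the fragments below show the complete wiring they describe for a JBoss 4.x server: the HTTPS connector, the JaasSecurityDomain MBean, the application-policy in login-config.xml and the security-domain reference in jboss.xml. This is an added illustration, not configuration from the post or from the JBoss project; the ITPForms-jboss domain name is taken from the log above, while the file names, ports, keystore paths and the UsersRolesLoginModule used for role assignment are assumptions, and all passwords are placeholders. The warning "Domain, KeyStore, or cert is null" fires when any of the three is missing; the domain and keystore come from the MBean, and the certificate only reaches the web tier (as the request attribute javax.servlet.request.X509Certificate) when the connector actually asks the client for one, which is what clientAuth controls.

```xml
<!-- 1. HTTPS connector (deploy/jbossweb-tomcat55.sar/server.xml; path assumed).
     clientAuth="true" makes the handshake demand a client certificate; with
     "want" it is optional; with "false" the connector never asks for one, the
     TLS handshake still succeeds, and the login module is handed a null cert.
     truststoreFile holds the CA(s) that may issue client certificates. -->
<Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="SERVER-KEYSTORE-PASSWORD-PLACEHOLDER"
           truststoreFile="${jboss.server.home.dir}/conf/clients.truststore"
           truststorePass="TRUSTSTORE-PASSWORD-PLACEHOLDER"/>

<!-- 2. JaasSecurityDomain MBean (conf/jboss-service.xml). It binds itself under
     java:/jaas/<domain name>, which is the securityDomain value seen in the log.
     BaseCertLoginModule looks the presented certificate up in this KeyStore by
     alias and compares the two, so every trusted client certificate has to be
     imported here under the alias the web tier derives from it (its subject DN
     in the default mapping). -->
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=ITPForms-jboss">
  <constructor>
    <arg type="java.lang.String" value="ITPForms-jboss"/>
  </constructor>
  <attribute name="KeyStoreURL">resource:clients.truststore</attribute>
  <attribute name="KeyStorePass">TRUSTSTORE-PASSWORD-PLACEHOLDER</attribute>
</mbean>

<!-- 3. Application policy (conf/login-config.xml). BaseCertLoginModule only
     establishes the identity and assigns no roles; password-stacking lets a
     second module (UsersRolesLoginModule, an assumption) supply the roles the
     declarative security in ejb-jar.xml checks against. Property file names are
     assumed. -->
<application-policy name="ITPForms-jboss">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="securityDomain">java:/jaas/ITPForms-jboss</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="usersProperties">cert-users.properties</module-option>
      <module-option name="rolesProperties">cert-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- 4. META-INF/jboss.xml in the EJB jar: point the beans at the same domain so
     the certificate-derived Principal is what the EJB container authorizes. -->
<jboss>
  <security-domain>java:/jaas/ITPForms-jboss</security-domain>
</jboss>
```

When checking a setup like this, the TRACE output of BaseCertLoginModule is the quickest indicator of which of the three inputs is missing: a non-null alias in "Bad credential for alias=..." means the certificate arrived but no keystore entry matched it, whereas alias=null together with the "cert is null" warning means no certificate reached the module at all, which points at the connector or the web tier rather than at the keystore.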


