[jboss-user] [Security & JAAS/JBoss] - ClientCertificate + Username/Password Login

Morgy do-not-reply at jboss.com
Tue Nov 25 03:17:54 EST 2008


Hi,

I am trying to create a login mechanism that uses client certificates and username/password techniques.

What I have right now is a Tomcat check of whether the certificate is valid and a login via username/password. What I need is a way to actually access the certificate, to not only check its validity but also its relation to the username.

Example:

I have a web page named I.com, where Alice and Bob want access to the private part of the page. Both of them provide valid usernames and passwords, but Bob stole Alice's certificate and tries to log in with that certificate.

My current implementation submits both to the private area, since both provide valid credentials (Alice with Username=Alice, Password=Alice, Certificate=Alice; Bob with Username=Bob, Password=Bob, Certificate=Alice) and the certificate is not cross-checked with the username.

Now I need a way to grab the certificate and check it against the provided username and password, seeing if the person logging in is the person the certificate was made for, so that Bob in the example above would not be submitted, because his certificate does not match his other credentials.

Thanks for your help.

Technologies used:

JBoss 4.2.3
JSF 1.2
Java 5

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4191975#4191975

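The cross-check the post asks for, as an added example that is not from the poster or from JBoss: a servlet filter that reads the client certificate Tomcat has already verified and rejects the request unless the certificate subject's CN equals the authenticated username. It assumes (neither is stated in the post) that the username/password login is container-managed so `getRemoteUser()` is populated, and that the certificate's subject CN is the username.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Filter for the private area. Runs after Tomcat has verified the client
// certificate chain and the user has logged in with username/password, and
// rejects the request unless the certificate subject's CN equals the login name.
// Assumption (not from the post): the subject CN carries the username,
// e.g. "CN=Alice,O=I.com".
public class CertificateOwnerFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Standard servlet attribute under which Tomcat exposes the verified chain;
        // element 0 is the client's own certificate.
        X509Certificate[] certs = (X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate");
        // Name the user authenticated with (form/BASIC login via JAAS).
        String user = request.getRemoteUser();
        if (certs == null || certs.length == 0 || user == null
                || !user.equals(subjectCn(certs[0]))) {
            // Bob presenting Alice's certificate lands here: valid chain and
            // valid password, but the certificate was issued to someone else.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate does not belong to the authenticated user");
            return;
        }
        chain.doFilter(req, res);
    }

    // Returns the CN of the subject DN, or null if it is absent or unparseable.
    static String subjectCn(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
            }
        } catch (InvalidNameException e) { /* malformed DN: treat as having no CN */ }
        return null;
    }
}
```

Map the filter to the private area's URL pattern in web.xml so it runs on every request there, not only on the login page.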


