A new message was posted in the thread "Client Cert Authentication in 5.1.0":
http://community.jboss.org/message/530855#530855
Author : dfisher
Profile :
http://community.jboss.org/people/dfisher
Message:
--------------------------------------------------------------
I'm upgrading from version 4.2.3 to 5.1.0 and I'm having trouble getting SSL
client authentication and JAAS to work correctly.
My session beans are annotated as:
@Stateless
@SecurityDomain("ClientCertDomain")
@WebContext(transportGuarantee = "CONFIDENTIAL", authMethod = "CLIENT-CERT")
My login-config.xml contains the following entry:
<application-policy name="ClientCertDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseCertLoginModule" flag="sufficient">
      <module-option name="securityDomain">ClientCertDomain</module-option>
      .....
    </login-module>
  </authentication>
</application-policy>
Invocations of the web service fail with: faultString: (401)Unauthorized
The logs indicate that the security domain specified in the stateless session bean is
"".
Application Policy not obtained for domain=. Trying to obtain the App policy for the
default domain of the layer:WEB
This is apparently related to this bug:
https://jira.jboss.org/jira/browse/JBAS-7037
However, I cannot get the workaround to work.
Is the best course of action to attempt to update the jars in the JBoss 5.1.0
distribution?
Or is there another/better way to configure client cert based authorization?
(We can't use WS-Security yet, our clients don't support it.)
--------------------------------------------------------------