[jboss-dev-forums] [JBoss ESB Development] - BaseCertLoginModule Does Not Work?
h.wolffenbuttel
do-not-reply at jboss.com
Thu Oct 8 08:25:50 EDT 2009
I changed the org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule to org.jboss.security.auth.spi.BaseCertLoginModule just to see if I can get the authentication working.
I have placed the following application-policy in login-config.xml:
| <application-policy name = "CertLogin">
|   <authentication>
|     <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
|                   flag = "required">
|       <module-option name="password-stacking">false</module-option>
|       <module-option name="securityDomain">java:/jaas/CertLogin</module-option>
|       <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
|     </login-module>
|     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
|                   flag = "required">
|       <module-option name="password-stacking">false</module-option>
|       <module-option name="usersProperties">props/certlogin-users.properties</module-option>
|       <module-option name="rolesProperties">props/certlogin-roles.properties</module-option>
|     </login-module>
|   </authentication>
| </application-policy>
|
When authentication takes place a few things go wrong:
- The name of the Certificate should be the value of CN, but it's the complete dname value => "CN=test, OU=test, O=test, L=test, ST=test, C=NL".
- If I do not declare an org.jboss.security.auth.certs.AnyCertVerifier (always true) for my Certificate validation, the validation uses the dname as an alias to get a Certificate from my Truststore. Because an alias is not the same as a dname, this never returns a Certificate from my Truststore. So my Certificate is never valid this way.
Am I using the classes the wrong way? Or is this the same issue as the problem with the org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule?
Regards,
Hans
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4259357#4259357
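
The first point in the post above, the full subject DN appearing where the CN is expected, can be illustrated with standard JDK classes. This is an added example, not code from the post, JBoss or JBoss ESB: the class `SubjectCn` and method `commonName` are hypothetical names, and every DN except the one quoted in the post is constructed sample input.

```java
import java.util.List;
import java.util.Optional;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper (not a JBoss class): derive the CN from a certificate subject DN.
public class SubjectCn {

    /** Returns the leftmost CN of the subject DN, or empty if the DN has no CN. */
    static Optional<String> commonName(X500Principal subject) throws NamingException {
        // The RFC 2253 string form escapes special characters, so LdapName can parse it safely.
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        List<Rdn> rdns = dn.getRdns();
        // LdapName numbers RDNs from the right, so walk from the end to start at the leftmost RDN.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            // toAttributes() also covers multi-valued RDNs such as "CN=a+OU=b";
            // the attribute lookup is case-insensitive.
            Attribute cn = rdns.get(i).toAttributes().get("CN");
            if (cn != null) {
                return Optional.of(String.valueOf(cn.get()));
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws NamingException {
        String[] samples = {
            "CN=test, OU=test, O=test, L=test, ST=test, C=NL", // DN quoted in the post
            "CN=Doe\\, Jane, O=test, C=NL",                    // constructed: escaped comma in the CN
            "CN=svc+OU=batch, O=test, C=NL",                   // constructed: multi-valued RDN
            "OU=test, O=test, C=NL"                            // constructed: no CN at all
        };
        for (String s : samples) {
            X500Principal subject = new X500Principal(s);
            // A login module that uses the DN directly sees subject.getName();
            // a user or alias keyed on the CN only matches the extracted value.
            System.out.println(subject.getName() + " -> " + commonName(subject).orElse("<no CN>"));
        }
    }
}
```

A CN is only unique within one issuer's namespace, so a mapping keyed on the CN alone should be combined with a check of which CA issued the certificate.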