[jboss-jira] [JBoss JIRA] (AS7-2801) Certificate to principal mapping

Yves Peter (Issue Comment Edited) (JIRA) jira-events at lists.jboss.org
Sun Nov 27 07:24:41 EST 2011


    [ https://issues.jboss.org/browse/AS7-2801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12645727#comment-12645727 ] 

Yves Peter edited comment on AS7-2801 at 11/27/11 7:24 AM:
-----------------------------------------------------------

One way of solving this would be to make use of the principal mapping-modules inside the JBossWebRealm. Mapping modules for this already exist:
http://anonsvn.jboss.org/repos/picketbox/trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/principal/SubjectCNMapper.java
http://anonsvn.jboss.org/repos/picketbox/trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/principal/SubjectDNMapper.java

I think the mapping should happen before any authentication modules are run, so you can use the mapped principal in the modules.

This solution and the modules could also be used for remote ejb authentication, so it works the same way for both cases.
                
      was (Author: yves.p):
    One way of solving this would be to make use of the principal mapping-modules inside the JBossWebRealm. Mapping modules for this already exist: http://anonsvn.jboss.org/repos/picketbox/trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/principal/SubjectCNMapper.java
and 
http://anonsvn.jboss.org/repos/picketbox/trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/mapping/providers/principal/SubjectDNMapper.java

I think the mapping should happen before any authentication modules are run, so you can use the mapped principal in the modules.

This solution and the modules could also be used for remote ejb authentication, so it works the same way for both cases.
                  
> Certificate to principal mapping
> --------------------------------
>
>                 Key: AS7-2801
>                 URL: https://issues.jboss.org/browse/AS7-2801
>             Project: Application Server 7
>          Issue Type: Feature Request
>          Components: Security, Web
>    Affects Versions: 7.1.0.Beta1
>            Reporter: Yves Peter
>            Assignee: Anil Saldhana
>
> In JBoss 7 it is no longer possible to configure how a certificate is mapped to a principal using client-cert authentication. The dynamic code was removed in JBoss 7 in the JBossWebRealm and is now hard coded to use the SubjectDNMapping:
> http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.jboss.jbossas/jboss-as-tomcat/6.1.0.Final/org/jboss/web/tomcat/security/JBossWebRealm.java
> http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.jboss.as/jboss-as-web/7.0.1.Final/org/jboss/as/web/security/JBossWebRealm.java
> Also, the JBossWebRealm only considers role- but no principal-mapping modules.
> We use this for authentication of users against an LDAP server where the DN of the user doesn't match the DN in the LDAP server. Also, it's useful for display purposes in an application.
> An example and some further information are in the linked user forum thread.

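The certificate-to-principal mapping discussed in this issue, as an added Java example that is not part of the mailing-list message and is not PicketBox's SubjectCNMapper: it derives a CN principal name from a client certificate's subject DN with a real DN parser, since splitting on commas returns the wrong name when the CN contains an escaped comma. The class name, method name and subject DN are assumptions made for illustration.

```java
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper for illustration; not code from JBoss AS or PicketBox.
public class SubjectCnExample {

    // Returns the most specific CN in the subject DN, or null if there is none.
    static String commonName(X500Principal subject) throws NamingException {
        // Parse the RFC 2253 form with a DN parser so escaped characters are handled.
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        List<Rdn> rdns = dn.getRdns();
        // LdapName keeps the rightmost RDN at index 0, so walk from the
        // leftmost (most specific) RDN towards the root.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            // toAttributes() also covers multi-valued RDNs (CN=...+UID=...).
            Attribute cn = rdns.get(i).toAttributes().get("CN");
            if (cn != null) {
                return String.valueOf(cn.get());
            }
        }
        return null;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subject DN. In a web application it would come from
        // X509Certificate.getSubjectX500Principal() on the client certificate.
        X500Principal subject =
            new X500Principal("CN=Doe\\, Jane,OU=Staff,O=Example,C=CH");
        String full = subject.getName(X500Principal.RFC2253);
        System.out.println("subject DN : " + full);
        // Naive parsing cuts the name at the escaped comma.
        System.out.println("naive split: " + full.split(",")[0]);
        System.out.println("parsed CN  : " + commonName(subject));
    }
}
```

A mapper that returns null here should cause the login to be rejected rather than fall back to a default principal.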