[jboss-user] [Security & JAAS/JBoss] - Re: Mixing CLIENT-CERT and BASIC authentication

fthurber do-not-reply at jboss.com
Thu Mar 26 13:58:43 EDT 2009


"alexanders" wrote : Not sure this question is in scope of the forum.
  | 
  | Two things you need to describe in your web.xml:
  | 1) Security constraint mapped to some url pattern and requires some role.
  | 2) Role mapped to security domain.
  | 
  | So you need to configure your web.xml as following:
  | Two different security constraints mapped each to its url pattern
  | e.g. 
  | <url-pattern>/*_cert_requred_*</url-pattern>
  | requires some role: "CertProtected"
  | <url-pattern>/*_passwd_requred_*</url-pattern>
  | requires some role: "PasswordProtected"
  | 
  | Best way to do this - separate your app to subcontexts:
  | <url-pattern>/cert_requred/*</url-pattern>
  | <url-pattern>/passwd_requred/*</url-pattern>
  | 
  | Then you need to map each role to its JAAS domain.
  | 
  | If you are mapping some security constraints to one url pattern (/*)... The result is depending on implementation. In best case you will got working the last constraint.


The key seems to be "map each role to its JAAS domain"; I cannot see how to do that.  The choice of auth-method, either CLIENT-CERT or BASIC, is made in the login-config element, but that is not mapped to a specific role; it does seem to be mapped to a realm-name.  Is there a mapping between realms and roles?
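The descriptor layout alexanders describes, written out as an added illustration (this is not from the thread, and not JBoss project code): two security-constraints on separate subcontexts, each requiring its own role, plus the single login-config the question is about. The subcontext paths and role names come from the quoted reply; the web-resource-name values, the realm name and the Servlet 2.4 schema header are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not from the thread. Servlet 2.4 descriptor as used by JBoss 4.x-era apps. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Constraint 1: the certificate-protected subcontext from the quoted reply -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Cert protected area</web-resource-name> <!-- assumed name -->
      <url-pattern>/cert_requred/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CertProtected</role-name>
    </auth-constraint>
    <!-- A client certificate can only be presented on a TLS connection, so require HTTPS here -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Constraint 2: the password-protected subcontext -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Password protected area</web-resource-name> <!-- assumed name -->
      <url-pattern>/passwd_requred/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PasswordProtected</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The servlet descriptor allows exactly ONE login-config, and its auth-method applies to
       the whole application, not to a role or to a constraint. This is the limit the question
       runs into: web.xml alone cannot declare CLIENT-CERT for one subcontext and BASIC for the other. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>ExampleRealm</realm-name> <!-- placeholder realm name -->
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared -->
  <security-role>
    <role-name>CertProtected</role-name>
  </security-role>
  <security-role>
    <role-name>PasswordProtected</role-name>
  </security-role>
</web-app>
```

A quick way to see the limitation: deploy this descriptor and request a URL under /passwd_requred/. It is challenged for a client certificate as well, because the single auth-method governs both constraints; no BASIC challenge is ever issued. The "role to JAAS domain" mapping the reply mentions is also not a per-role setting on JBoss: the application as a whole is bound to one security domain through the `<security-domain>` element of jboss-web.xml (for example `java:/jaas/ExampleDomain`, a placeholder name here), and the roles returned by that domain's login modules are what the auth-constraints are checked against.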



View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4221388#4221388
