[jboss-user] [JBoss Web Services] - Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side

Claudio Miranda do-not-reply at jboss.com
Fri Mar 16 10:54:49 EDT 2012


Claudio Miranda [https://community.jboss.org/people/Claudio4J] created the discussion

"Re: @WS with CLIENT-CERT throws Invalid HTTP server response [401] - Unauthorized on client side"

To view the discussion, visit: https://community.jboss.org/message/724358#724358

--------------------------------------------------------------
> from the service side, confirm that there is a certificate that can be used by the service and that the trust store contains the issuing certificate authority 
> for the certificate used by the client

The server keystore jaas-ms-ejb-ear.ear/jaas-ms-ejb-ws-1.0.0.jar/server_jbossws.jks
has 2 entries
PrivateKeyEntry: server_jbossws
trustedCertEntry: client_jbossws

The server truststore has 2 public keys: server_jbossws and client_jbossws

You can see it in detail in the original post.

> from the client side, confirm that there is a certificate that can be used by the client and that the trust store contains the issuing certificate authority for
> the certificate used by the service

The client keystore src/META-INF/client_jbossws.jks
has 2 entries
PrivateKeyEntry: client_jbossws
trustedCertEntry: server_jbossws

The client truststore has 2 public keys: server_jbossws and client_jbossws

You can see it in detail in the original post.


> from login-config.xml of jboss, what does UserCertPolicy look like? 

The security-domain setting is in the file *jaas-ms-ejb-ear.ear/lib/jaas-ms-1.1.4.jar/META-INF/ms-auth-jboss-beans.xml*

Its contents are

> <deployment xmlns="urn:jboss:bean-deployer:2.0">
> 
>     <application-policy name="UserCertPolicy" xmlns="urn:jboss:security-beans:1.0">
>         <authentication>
>             <login-module code="br.gov.saude.jaas.spi.UserCertLoginModule" flag="required"></login-module>
>         </authentication>
>     </application-policy>
> </deployment>

> And what does this class look like? what does it do? br.com.myapp.jaas.spi.SubjectMapper


According to [1], I want to extract the username from the certificate to authenticate.
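> import java.security.Principal;
> import java.security.cert.X509Certificate;
> import org.jboss.security.auth.certs.SubjectCNMapping;
> 
> public class SubjectMapper extends SubjectCNMapping {
> 
>     // "toPrinicipal" is the spelling used by the JBoss API; this override only delegates.
>     public Principal toPrinicipal(X509Certificate[] arg0) {
>         Principal prinicipal = super.toPrinicipal(arg0);
>         return prinicipal;
>     }
> 
> }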

Thank you for the help.

1.  https://community.jboss.org/docs/DOC-13538#X509_certificate_token https://community.jboss.org/wiki/JBossWS-WS-SecurityOptions#X509_certificate_token
--------------------------------------------------------------
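
The post maps the certificate subject's CN to a username. The following is an added example, not the poster's SubjectMapper and not JBoss's SubjectCNMapping implementation, showing one way to extract the CN with a real DN parser so that escaped commas, multi-valued RDNs and a missing CN are handled. The class name `SubjectCnExample`, the method `commonName` and the subject DNs are assumptions constructed for illustration.

```java
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class SubjectCnExample {

    /** Returns the most specific CN in the subject DN, or null when the DN has no CN. */
    static String commonName(X500Principal subject) throws NamingException {
        // Parse the RFC 2253 form with a DN parser so escaped commas and
        // multi-valued RDNs (CN=x+OU=y) are handled; splitting on "," is not safe.
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        List<Rdn> rdns = dn.getRdns(); // index 0 is the right-most RDN of the string
        for (int i = rdns.size() - 1; i >= 0; i--) {
            Attribute cn = rdns.get(i).toAttributes().get("cn");
            if (cn != null && cn.get() instanceof String) {
                return (String) cn.get();
            }
        }
        return null;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subject DNs; the real DN of client_jbossws is not shown in the post.
        String[] samples = {
            "CN=client_jbossws, OU=Dev, O=Example, C=BR",
            "CN=Doe\\, Jane, O=Example, C=BR",
            "CN=client_jbossws+OU=Dev, O=Example, C=BR",
            "OU=Dev, O=Example, C=BR"
        };
        for (String s : samples) {
            String cn = commonName(new X500Principal(s));
            // A null CN must be rejected, never mapped to an empty or default user.
            System.out.println(s + " -> " + (cn == null ? "REJECT (no CN)" : cn));
        }
    }
}
```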
