geronimo-dev mailing list archives

From "David Jencks (JIRA)" <>
Subject [jira] Created: (GERONIMO-5619) CertificatePropertiesFileLoginModule only works with tomcat, not jetty
Date Tue, 21 Sep 2010 22:31:33 GMT
CertificatePropertiesFileLoginModule only works with tomcat, not jetty

                 Key: GERONIMO-5619
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security
    Affects Versions: 3.0
            Reporter: David Jencks
            Assignee: David Jencks
             Fix For: 3.0

CertificatePropertiesFileLoginModule uses CertificateCallback.  This is supported by tomcat
but not jetty, which is more adapted to the jaspic password validation callback and which
converts the x500 principal to a "name" and expects a NameCallback.

We can easily modify the LoginModule to handle both.  I can't decide if this is a security
risk since this login module does not check passwords at all and just verifies that the principal
name is known.  It might be possible to misconfigure security so as to use basic or form auth
with this login module and ignore the supplied password.

I'm going to go ahead and apply the change.  We can always roll it back.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
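
The dual-callback handling discussed in the report, sketched as an added example: this is not Geronimo's code or the change that was applied. `ClientCertCallback` is a hypothetical stand-in for a container's certificate callback such as `CertificateCallback`, and the `knownNames` and `allowNameFallback` options are assumptions. The explicit opt-in addresses the misconfiguration concern raised above, since a name received through `NameCallback` may come from basic or form auth with the password never checked.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

// Hypothetical stand-in for a container callback that carries the TLS client certificate.
class ClientCertCallback implements Callback { X509Certificate certificate; }
public class DualCallbackCertLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Set<String> knownNames;     // hypothetical option: ';'-separated accepted DNs
    private boolean allowNameFallback;  // hypothetical option: off unless set to "true"
    private X500Principal principal;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        handler = h;
        knownNames = new HashSet<>(Arrays.asList(String.valueOf(opts.get("knownNames")).split(";")));
        allowNameFallback = "true".equals(opts.get("allowNameFallback"));
    }
    public boolean login() throws LoginException {
        String name;
        try {
            ClientCertCallback cc = new ClientCertCallback();
            try {
                handler.handle(new Callback[] {cc});
                if (cc.certificate == null) throw new FailedLoginException("no client certificate");
                name = cc.certificate.getSubjectX500Principal().getName();
            } catch (UnsupportedCallbackException e) {
                // The handler only supplies a name. Nothing here proves it came from a
                // verified certificate, so the fallback must be enabled deliberately.
                if (!allowNameFallback) throw new FailedLoginException("certificate callback unsupported");
                NameCallback nc = new NameCallback("name");
                handler.handle(new Callback[] {nc});
                name = nc.getName();
            }
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        // No password is checked on either path: the only test is that the name is known.
        if (name == null || !knownNames.contains(name)) throw new FailedLoginException("unknown principal");
        principal = new X500Principal(name);
        return true;
    }
    public boolean commit() { subject.getPrincipals().add(principal); return true; }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(principal); return true; }
}
```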
