From: David Jencks
Subject: Possible questionable change in CertificatePropertiesFileLoginModule
Date: Tue, 21 Sep 2010 15:37:33 -0700
Message-Id: <98BB4339-EB55-46BA-BFC5-917E239D4734@yahoo.com>
To: "Geronimo Dev List (JIRA)" (dev@geronimo.apache.org)

See GERONIMO-5619, rev 999674 (trunk)

Briefly, I've modified CertificatePropertiesFileLoginModule so it works with either a CertificateCallback (used by tomcat) or a NameCallback (used by jetty). In either case we just check that we know about the x500 principal name; there is no password checking. (We rely on ssl to validate the client cert.)

Does anyone think this is an undesirable security problem? It might be possible to misconfigure security so that e.g. basic or form auth ended up using this login module and just checked the user name and not the password. I don't think this is sufficiently likely to worry about, since these principal names are ldap goo (ou=.....,) and I would expect any such misconfiguration to be immediately evident in testing.

thanks
david jencks
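As an added illustration, not Geronimo's CertificatePropertiesFileLoginModule or any code from the thread, here is a hypothetical JAAS login module with the behaviour the message describes (accept a NameCallback, check the X.500 name against a known list, verify no password) plus two defensive checks a reviewer would want: the name must parse as an X.500 DN and is compared in canonical form, and a password offered by the callback handler is treated as evidence of the basic/form misrouting the message worries about and refused rather than ignored. The class name, the in-memory set standing in for the properties file, and the password-probe guard are all assumptions of this example.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Hypothetical name-only login module (not Geronimo's code). */
public class KnownPrincipalLoginModule implements LoginModule {
    // Constructed stand-in for the properties file of known X.500 names, kept in
    // canonical form so DN comparison does not depend on spacing or attribute case.
    private static final Set<String> KNOWN = Set.of(
        new X500Principal("CN=alice, OU=dev, O=example").getName(X500Principal.CANONICAL));
    private Subject subject;
    private CallbackHandler handler;
    private X500Principal principal;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("DN: ");
        try { handler.handle(new Callback[] { name }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no name: " + e); }
        // Assumed guard: a certificate-derived login carries no password, so a handler that
        // can answer a PasswordCallback means a basic/form flow was misrouted to this module.
        // Refuse rather than silently ignore the credential.
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { pw });
            boolean offered = pw.getPassword() != null && pw.getPassword().length > 0;
            pw.clearPassword();
            if (offered) throw new LoginException("password presented to a name-only module");
        } catch (IOException | UnsupportedCallbackException e) {
            // handler cannot supply a password: consistent with a certificate-based flow
        }
        X500Principal p;
        try { p = new X500Principal(String.valueOf(name.getName())); } // rejects null / non-DN names
        catch (IllegalArgumentException e) { throw new LoginException("name is not an X.500 DN"); }
        if (!KNOWN.contains(p.getName(X500Principal.CANONICAL))) throw new LoginException("unknown principal");
        principal = p;
        return true;
    }
    public boolean commit() {
        if (principal != null) subject.getPrincipals().add(principal);
        return principal != null;
    }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(principal); principal = null; return true; }
}
```

Wiring this module into a basic or form login configuration would now fail closed at login() instead of granting access on the user name alone, which makes the misconfiguration visible in exactly the testing the message relies on.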