geronimo-user mailing list archives

From lukasz.bud...@gmail.com
Subject CLIENT-CERT working but how to make it work with auth-constraint?
Date Fri, 18 Dec 2009 10:04:57 GMT
Hi there,

I'm using G 2.1.3.

I have a problem. I can configure mutual authentication. Both my certificate and the server's are validated - no problem at all.

The problem starts when I want to use auth-constraint:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected</web-resource-name>
        <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>

(Plus a valid geronimo-web.xml descriptor; I used the geronimo-admin server-wide realm and I know it works, I tested it using the BASIC auth-method.)

When I use it with CLIENT-CERT, after the SSL handshake I keep getting HTTP 401 Unauthorised, and in Geronimo's log I see:

10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating username "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
javax.security.auth.login.LoginException

the root cause is:

Caused by: javax.security.auth.callback.UnsupportedCallbackException: Wrong callback type: class javax.security.auth.callback.NameCallback
    at org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler.handle(CertificateChainCallbackHandler.java:67)


Does it mean that in Geronimo you cannot have an auth-constraint when using mutual authentication?

thanks for any help,
Łukasz
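The stack trace above comes from the standard JAAS callback mechanism: after a CLIENT-CERT handshake the only thing the container's callback handler can hand to a login module is the client's certificate chain, so a login module that asks for a NameCallback (a username/password module, the kind a properties-file realm uses) gets UnsupportedCallbackException, which the realm wraps in the LoginException seen in the log. The example below, added here as an illustration and not code from Geronimo or from the original post, reproduces that exchange in plain JAAS and shows the shape of a login module that does work with a certificate-only handler: it requests a certificate callback, checks the subject DN against a mapping, and on commit adds the DN and a role principal to the Subject, which is what an auth-constraint is eventually checked against. `SubjectDnCallback`, `CertOnlyCallbackHandler`, `NameLoginModule`, `CertDnLoginModule` and `RolePrincipal` are hypothetical names invented for this example; Geronimo's real certificate callback carries the full X509Certificate[] chain rather than just the DN, and the DN-to-role mapping and the DN itself (taken from the log line) are constructed sample input.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class ClientCertJaasDemo {

    /** Hypothetical callback carrying the subject DN the TLS layer already validated.
     *  (A container's real certificate callback carries the X509Certificate[] chain;
     *  the DN is then chain[0].getSubjectX500Principal().) */
    static final class SubjectDnCallback implements Callback { X500Principal subject; }

    /** The kind of handler a CLIENT-CERT realm gives its login modules: it can answer
     *  a certificate callback but has no username or password to put in a NameCallback. */
    static final class CertOnlyCallbackHandler implements CallbackHandler {
        private final X500Principal subject;
        CertOnlyCallbackHandler(X500Principal subject) { this.subject = subject; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof SubjectDnCallback) {
                    ((SubjectDnCallback) cb).subject = subject;
                } else {
                    // Same failure as in the log: a username/password module asked for a NameCallback.
                    throw new UnsupportedCallbackException(cb, "Wrong callback type: " + cb.getClass());
                }
            }
        }
    }

    /** Role principal so the Subject carries something an auth-constraint can be checked against. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "role:" + name; }
    }

    /** Username-based module, as a properties-file realm works: fine under BASIC, fails here. */
    static final class NameLoginModule implements LoginModule {
        private CallbackHandler handler;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { handler = h; }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("username: ");
            try { handler.handle(new Callback[] { nc }); }
            catch (IOException | UnsupportedCallbackException e) { throw (LoginException) new LoginException(e.getMessage()).initCause(e); }
            return nc.getName() != null;
        }
        @Override public boolean commit() { return true; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { return true; }
    }

    /** Certificate-aware module: asks for the DN, checks it against the realm's DN->role map
     *  (passed as the module options here), and adds principals on commit. */
    static final class CertDnLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, ?> dnToRole;
        private X500Principal dn;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h; dnToRole = opts;
        }
        @Override public boolean login() throws LoginException {
            SubjectDnCallback cb = new SubjectDnCallback();
            try { handler.handle(new Callback[] { cb }); }
            catch (IOException | UnsupportedCallbackException e) { throw (LoginException) new LoginException(e.getMessage()).initCause(e); }
            if (cb.subject == null) throw new LoginException("no client certificate presented");
            // Compare in canonical form so attribute case/spacing differences do not matter.
            String key = cb.subject.getName(X500Principal.CANONICAL);
            if (!dnToRole.containsKey(key)) throw new LoginException("certificate subject not known to realm: " + key);
            dn = cb.subject;
            return true;
        }
        @Override public boolean commit() {
            if (dn == null) return false;
            subject.getPrincipals().add(dn);
            subject.getPrincipals().add(new RolePrincipal((String) dnToRole.get(dn.getName(X500Principal.CANONICAL))));
            return true;
        }
        @Override public boolean abort() { dn = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Runs both modules against the same certificate-only handler and prints the outcome of each. */
    public static void main(String[] args) throws Exception {
        // Constructed input: the DN from the log line, standing in for the validated client certificate.
        X500Principal client = new X500Principal("CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL");
        CallbackHandler handler = new CertOnlyCallbackHandler(client);
        Map<String, String> dnToRole = Map.of(client.getName(X500Principal.CANONICAL), "admin"); // constructed mapping

        LoginModule wrong = new NameLoginModule();
        wrong.initialize(new Subject(), handler, Map.of(), Map.of());
        try { wrong.login(); } catch (LoginException e) { System.out.println("name/password module: " + e.getMessage()); }

        Subject s = new Subject();
        LoginModule right = new CertDnLoginModule();
        right.initialize(s, handler, Map.of(), dnToRole);
        if (right.login()) right.commit();
        System.out.println("certificate module principals: " + s.getPrincipals());
    }
}
```

Compile and run with `javac ClientCertJaasDemo.java && java ClientCertJaasDemo` (Java 9 or later for `Map.of`). The first module fails with the same "Wrong callback type" message as the log; the second ends with the X500Principal and an `admin` role principal in the Subject. The practical check this suggests is whether the realm referenced from geronimo-web.xml contains a login module that handles the certificate callback at all: a realm built only from username/password modules will behave exactly like the first module, whatever the auth-constraint says.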