geronimo-user mailing list archives

From: David Jencks <david_jen...@yahoo.com>
Subject: Re: CLIENT-CERT working but how to make it work with auth-constraint?
Date: Fri, 18 Dec 2009 16:46:31 GMT
Could you show your security realm configuration and your principal-role mapping?

thanks
david jencks

On Dec 18, 2009, at 2:04 AM, lukasz.budnik@gmail.com wrote:

> Hi there,
>
> I'm using G 2.1.3.
>
> I have a problem. I can configure mutual authentication. My and the
> server's certificates are validated - no problem at all.
>
> The problem starts when I want to use auth-constraint:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Protected</web-resource-name>
>     <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
> </login-config>
> <security-role>
>   <role-name>admin</role-name>
> </security-role>
>
> (Plus a valid geronimo-web.xml descriptor. I used the geronimo-admin
> server-wide realm and I know it works; I tested it using the BASIC
> auth-method.)
>
> When I use it with client-cert, after the SSL handshake, I keep getting
> HTTP 401 Unauthorised and in Geronimo's log I see:
>
> 10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating username "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
> javax.security.auth.login.LoginException
>
> the root cause is:
>
> Caused by: javax.security.auth.callback.UnsupportedCallbackException: Wrong callback type: class javax.security.auth.callback.NameCallback
> at org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler.handle(CertificateChainCallbackHandler.java:67)
>
>
> Does it mean that in Geronimo you cannot have an auth-constraint when
> using mutual authentication?
>
> thanks for any help,
> Łukasz
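The stack trace above shows the mechanism behind the 401: the realm's login module asked the JAAS callback handler for a NameCallback (a username), but after a CLIENT-CERT handshake the handler only has a certificate chain to offer, so it rejects the request. The following is an added illustration of that mismatch in plain JAAS terms; it is not Geronimo's code, and ClientCertCallback, CertOnlyCallbackHandler and the DN are constructed stand-ins for the real CertificateChainCallbackHandler and client certificate.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;

// Constructed stand-in for a certificate-chain callback; carries only the subject.
final class ClientCertCallback implements Callback {
    X500Principal subject;
}

// Constructed handler modelled on the behaviour in the stack trace: after a
// CLIENT-CERT handshake there is no username, so only certificate callbacks succeed.
final class CertOnlyCallbackHandler implements CallbackHandler {
    private final X500Principal subject;
    CertOnlyCallbackHandler(X500Principal subject) { this.subject = subject; }
    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof ClientCertCallback) {
                ((ClientCertCallback) cb).subject = subject;
            } else {
                throw new UnsupportedCallbackException(cb, "Wrong callback type: " + cb.getClass());
            }
        }
    }
}

public class ClientCertRealmDemo {
    // A username/password style login module (the kind a BASIC-tested realm uses)
    // asks for a name; with a CLIENT-CERT handler this request cannot be answered.
    static String nameBasedLogin(CallbackHandler h) throws IOException, UnsupportedCallbackException {
        NameCallback nc = new NameCallback("username: ");
        h.handle(new Callback[] { nc });
        return nc.getName();
    }
    // A certificate-aware login module asks for the certificate and derives the
    // principal name (which the realm then maps to roles such as "admin") from the DN.
    static String certBasedLogin(CallbackHandler h) throws IOException, UnsupportedCallbackException {
        ClientCertCallback cc = new ClientCertCallback();
        h.handle(new Callback[] { cc });
        return cc.subject.getName();
    }
    public static void main(String[] args) throws Exception {
        CallbackHandler h = new CertOnlyCallbackHandler(new X500Principal("CN=Example User,O=Example,C=PL")); // constructed DN
        System.out.println("cert-aware module -> " + certBasedLogin(h));
        try { nameBasedLogin(h); } catch (UnsupportedCallbackException e) { System.out.println("name-based module -> " + e.getMessage()); }
    }
}
```

The takeaway for the realm configuration David asks about: a realm wired to CLIENT-CERT needs a login module that consumes the certificate chain, not one that authenticates by username, or every request will fail before the auth-constraint's role check is ever reached.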

