geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Łukasz Budnik <lukasz.bud...@gmail.com>
Subject Re: CLIENT-CERT working but how to make it work with auth-constraint?
Date Sat, 19 Dec 2009 07:12:49 GMT
Hi David,

I'm using geronimo's default server wide realm.

I added the following user: "CN=Lukasz
Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL".

I assigned the above user to admin group.

And here is my geronimo-web.xml:

	<security-realm-name>geronimo-admin</security-realm-name>

	<security>
		<default-principal>
			<principal name="anonymous"
				class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
/>
		</default-principal>
		<role-mappings>
			<role role-name="admin">
				<principal name="admin"
					class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
			</role>
		</role-mappings>
	</security>

thanks,
Łukasz

2009/12/18 David Jencks <david_jencks@yahoo.com>:
> Could you show your security realm configuration and your principal-role
> mapping?
>
> thanks
> david jencks
>
> On Dec 18, 2009, at 2:04 AM, lukasz.budnik@gmail.com wrote:
>
>> Hi there,
>>
>> I'm using G 2.1.3.
>>
>> I have a problem. I can configure mutual authentication. My and server's
>> certificates are validated - no problem at all.
>>
>> The problem starts when I want to use auth-constraint:
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Protected</web-resource-name>
>> <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
>> <http-method>POST</http-method>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>admin</role-name>
>> </auth-constraint>
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>> </security-constraint>
>> <login-config>
>> <auth-method>CLIENT-CERT</auth-method>
>> </login-config>
>> <security-role>
>> <role-name>admin</role-name>
>> </security-role>
>>
>> (Plus valid geronimo-web.xml descriptor, I used geronimo-admin server wide
>> realm and I know it works, I tested it using BASIC auth-method).
>>
>> When I use it with client-cert, after SSL handshake, I keep getting HTTP
>> 401 Unauthorised and in Geronimo's log I see:
>>
>> 10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating
>> username
>> "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
>> javax.security.auth.login.LoginException
>>
>> the root cause is:
>>
>> Caused by: javax.security.auth.callback.UnsupportedCallbackException:
>> Wrong call
>> back type: class javax.security.auth.callback.NameCallback
>> at org.apache.geronimo.security.realm.providers.CertificateChainCallback
>> Handler.handle(CertificateChainCallbackHandler.java:67)
>>
>>
>> Does it mean in Geronimo you cannot have auth-constraint when using mutual
>> authentication?
>>
>> thanks for any help,
>> Łukasz
>
>

Mime
View raw message