From: lukasz.budnik@gmail.com
To: user@geronimo.apache.org
Date: Fri, 18 Dec 2009 10:04:57 +0000
Subject: CLIENT-CERT working but how to make it work with auth-constraint?

Hi there,

I'm using G 2.1.3.

I have a problem. I can configure mutual authentication. My and the server's certificates are validated - no problem at all.

The problem starts when I want to use auth-constraint:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected</web-resource-name>
        <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>

(Plus a valid geronimo-web.xml descriptor; I used the geronimo-admin server-wide realm and I know it works, I tested it using the BASIC auth-method).

When I use it with client-cert, after the SSL handshake, I keep getting HTTP 401 Unauthorised and in Geronimo's log I see:

10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating username
"CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
javax.security.auth.login.LoginException

the root cause is:

Caused by: javax.security.auth.callback.UnsupportedCallbackException: Wrong callback type: class javax.security.auth.callback.NameCallback
at org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler.handle(CertificateChainCallbackHandler.java:67)

Does it mean that in Geronimo you cannot have an auth-constraint when using mutual authentication?

thanks for any help,
Łukasz
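Added example, not code from the original post or from the Apache Geronimo project. The stack trace above shows the container handing a CertificateChainCallbackHandler to a login module that asked for a NameCallback, which is what a username/password realm (such as one tested with BASIC) does; once the auth-method is CLIENT-CERT the realm needs a login module that consumes the verified certificate chain instead and produces the group principals that role mapping keys on. The JAAS module below sketches that with plain JDK APIs. The ChainCallback class, the GroupPrincipal class and the "dn.<DN>" = "group,group" option format are assumptions of this example, not Geronimo's real callback or principal types.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not from the original post or from Geronimo): a JAAS LoginModule
 * for CLIENT-CERT realms. It asks the container only for the certificate chain,
 * never for a NameCallback/PasswordCallback, and turns the subject DN into group
 * principals that the deployment plan can map onto web.xml roles such as "admin".
 */
public class DnRoleLoginModule implements LoginModule {

    /** Stand-in for the container's certificate-chain callback (assumed shape). */
    public static final class ChainCallback implements Callback {
        private X509Certificate[] chain;
        public void setChain(X509Certificate[] chain) { this.chain = chain; }
        public X509Certificate[] getChain() { return chain; }
    }

    /** Group principal (hypothetical name) that role mapping keys on. */
    public static final class GroupPrincipal implements Principal {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && name.equals(((GroupPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    // canonical subject DN -> group names, read from the login-module options
    private final Map<String, Set<String>> dnToGroups = new HashMap<>();
    private X500Principal authenticated;
    private final Set<Principal> added = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Option "dn.<RFC 2253 DN>" = "group1,group2". DNs are canonicalised so that
        // case and whitespace differences between config and certificate do not matter.
        for (Map.Entry<String, ?> e : options.entrySet()) {
            if (!e.getKey().startsWith("dn.")) continue;
            String dn = new X500Principal(e.getKey().substring(3)).getName(X500Principal.CANONICAL);
            Set<String> groups = new HashSet<>();
            for (String g : String.valueOf(e.getValue()).split(",")) groups.add(g.trim());
            dnToGroups.put(dn, groups);
        }
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        ChainCallback cb = new ChainCallback();
        try {
            handler.handle(new Callback[] { cb });   // the only callback this module ever requests
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain client certificate chain: " + e.getMessage());
        }
        X509Certificate[] chain = cb.getChain();
        if (chain == null || chain.length == 0) throw new FailedLoginException("no client certificate");
        // TLS already validated the chain against the trust store; re-check the
        // end-entity validity period so a stale session cannot authorise.
        try {
            chain[0].checkValidity();
        } catch (CertificateException e) {
            throw new FailedLoginException("client certificate not valid: " + e.getMessage());
        }
        String dn = chain[0].getSubjectX500Principal().getName(X500Principal.CANONICAL);
        if (!dnToGroups.containsKey(dn)) throw new FailedLoginException("unmapped subject: " + dn);
        authenticated = chain[0].getSubjectX500Principal();
        return true;
    }

    @Override
    public boolean commit() {
        if (authenticated == null) return false;
        added.add(authenticated);
        for (String g : dnToGroups.get(authenticated.getName(X500Principal.CANONICAL))) {
            added.add(new GroupPrincipal(g));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { authenticated = null; added.clear(); return true; }

    @Override public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        authenticated = null;
        return true;
    }
}
```

To use it you would build the realm around this module, give it one option per certificate subject (for the DN in the log, key "dn.CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL" with value "admin"), and map the "admin" group to the "admin" role in the deployment plan's role mapping. The module fails closed: an unmapped DN or an expired certificate raises FailedLoginException, so the request is rejected with 401 rather than admitted as an authenticated user with no roles.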