From: Łukasz Budnik
Date: Sat, 19 Dec 2009 08:12:49 +0100
Subject: Re: CLIENT-CERT working but how to make it work with auth-constraint?
To: user@geronimo.apache.org

Hi David,

I'm using geronimo's default server-wide realm. I added the following user:
"CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL".
I assigned the above user to the admin group.

And here is my geronimo-web.xml:

geronimo-admin

thanks,
Łukasz

2009/12/18 David Jencks:
> Could you show your security realm configuration and your principal-role
> mapping?
>
> thanks
> david jencks
>
> On Dec 18, 2009, at 2:04 AM, lukasz.budnik@gmail.com wrote:
>
>> Hi there,
>>
>> I'm using G 2.1.3.
>>
>> I have a problem. I can configure mutual authentication. My and the server's
>> certificates are validated - no problem at all.
>>
>> The problem starts when I want to use auth-constraint:
>>
>>   <security-constraint>
>>     <web-resource-collection>
>>       <web-resource-name>Protected</web-resource-name>
>>       <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
>>       <http-method>POST</http-method>
>>     </web-resource-collection>
>>     <auth-constraint>
>>       <role-name>admin</role-name>
>>     </auth-constraint>
>>     <user-data-constraint>
>>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>     </user-data-constraint>
>>   </security-constraint>
>>
>>   <login-config>
>>     <auth-method>CLIENT-CERT</auth-method>
>>   </login-config>
>>
>>   <security-role>
>>     <role-name>admin</role-name>
>>   </security-role>
>>
>> (Plus a valid geronimo-web.xml descriptor; I used the geronimo-admin server-wide
>> realm and I know it works, I tested it using the BASIC auth-method).
>>
>> When I use it with client-cert, after the SSL handshake I keep getting HTTP
>> 401 Unauthorised and in Geronimo's log I see:
>>
>> 10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating username
>> "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
>> javax.security.auth.login.LoginException
>>
>> the root cause is:
>>
>> Caused by: javax.security.auth.callback.UnsupportedCallbackException: Wrong callback type: class javax.security.auth.callback.NameCallback
>>         at org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler.handle(CertificateChainCallbackHandler.java:67)
>>
>> Does it mean in Geronimo you cannot have auth-constraint when using mutual
>> authentication?
>>
>> thanks for any help,
>> Łukasz
>
>
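The stack trace above shows the mechanism behind the 401: the login module bound to the realm asks its CallbackHandler for a NameCallback (a username), but a handler written only for certificate chains rejects every other callback type with UnsupportedCallbackException, so the login fails before the realm ever looks the DN up. The following Java program is an added illustration of that mechanism and of the bridging approach (answering NameCallback with the certificate's RFC 2253 subject DN); it is not Geronimo's code, its ClientPrincipalCallback class and REALM map are constructed stand-ins, and it uses a constructed subject DN matching the one in the thread.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;

public class ClientCertCallbackDemo {

    /** Hypothetical callback a certificate-aware login module would ask for
     *  (a constructed stand-in, not Geronimo's CertificateChainCallback). */
    static final class ClientPrincipalCallback implements Callback {
        X500Principal principal;
    }

    /** Handler modelled on the failing behaviour in the log: it only knows how
     *  to answer the certificate callback, so a name-based realm asking for a
     *  username is rejected with UnsupportedCallbackException. */
    static final class CertOnlyHandler implements CallbackHandler {
        private final X500Principal client;
        CertOnlyHandler(X500Principal client) { this.client = client; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof ClientPrincipalCallback) {
                    ((ClientPrincipalCallback) cb).principal = client;
                } else {
                    throw new UnsupportedCallbackException(cb,
                        "Wrong callback type: " + cb.getClass().getName());
                }
            }
        }
    }

    /** Bridging handler: additionally answers NameCallback with the RFC 2253
     *  form of the subject DN, which is the exact string the realm must have
     *  the user registered under. */
    static final class CertToNameHandler implements CallbackHandler {
        private final X500Principal client;
        CertToNameHandler(X500Principal client) { this.client = client; }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(client.getName(X500Principal.RFC2253));
                } else if (cb instanceof ClientPrincipalCallback) {
                    ((ClientPrincipalCallback) cb).principal = client;
                } else {
                    throw new UnsupportedCallbackException(cb,
                        "Wrong callback type: " + cb.getClass().getName());
                }
            }
        }
    }

    /** Constructed stand-in for a name-based realm: user name -> roles. */
    static final Map<String, Set<String>> REALM = new HashMap<>();
    static {
        REALM.put("CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL",
                  Set.of("admin"));
    }

    /** What a username-oriented login module does: request the name through
     *  the handler, then look it up. Returns the user's roles. */
    static Set<String> login(CallbackHandler handler) throws UnsupportedCallbackException {
        NameCallback nc = new NameCallback("username: ");
        handler.handle(new Callback[] { nc });          // throws with CertOnlyHandler
        Set<String> roles = REALM.get(nc.getName());
        if (roles == null) {
            throw new SecurityException("unknown user: " + nc.getName());
        }
        return roles;
    }

    public static void main(String[] args) throws Exception {
        X500Principal client = new X500Principal(
            "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL");

        try {
            login(new CertOnlyHandler(client));
        } catch (UnsupportedCallbackException e) {
            // Same failure shape as the Geronimo log: the realm never sees the DN.
            System.out.println("cert-only handler: " + e.getMessage());
        }

        Set<String> roles = login(new CertToNameHandler(client));
        System.out.println("bridging handler: roles=" + roles
            + ", satisfies auth-constraint admin=" + roles.contains("admin"));
    }
}
```

Two practical checks follow from this: the realm entry must match the DN string the container produces (attribute order, keywords and spacing as in RFC 2253 output), and the login module paired with a CLIENT-CERT handler must be one that consumes the certificate callback rather than a username/password one, since the handler alone cannot satisfy a module that insists on NameCallback.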