CertificatePropertiesFileLoginModule only works with Tomcat, not Jetty
----------------------------------------------------------------------
Key: GERONIMO-5619
URL: https://issues.apache.org/jira/browse/GERONIMO-5619
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: security
Affects Versions: 3.0
Reporter: David Jencks
Assignee: David Jencks
Fix For: 3.0

CertificatePropertiesFileLoginModule uses CertificateCallback. This is
supported by Tomcat but not Jetty, which is more adapted to the JASPIC password
validation callback and which converts the X500 principal to a "name" and
expects a NameCallback.

We can easily modify the LoginModule to handle both. I can't decide if this is
a security risk since this login module does not check passwords at all and
just verifies that the principal name is known. It might be possible to
misconfigure security so as to use basic or form auth with this login module
and ignore the supplied password.

I'm going to go ahead and apply the change. We can always roll it back.
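
The dual-callback handling described in this issue, as an added example that is not Geronimo's code or the change that was applied: `CertCallback`, `KNOWN`, `login` and both handlers are hypothetical stand-ins, and the principal mapping is constructed. It shows that on the NameCallback path the module has no way to tell a name the container derived from a verified client certificate from one that arrived through basic or form auth.

```java
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.x500.X500Principal;

public class DualCallbackDemo {
    // Hypothetical stand-in for Geronimo's CertificateCallback (keeps the example self-contained).
    static class CertCallback implements Callback { X500Principal subject; }
    // Constructed sample of the known-principals mapping: user -> certificate subject DN.
    static final Map<String, X500Principal> KNOWN =
            Map.of("alice", new X500Principal("CN=alice,O=Example"));

    // Returns the matched user or null. No password is requested on either path.
    static String login(CallbackHandler handler) throws Exception {
        X500Principal presented;
        try {
            CertCallback cc = new CertCallback();
            handler.handle(new Callback[] { cc });      // Tomcat-style path
            presented = cc.subject;
        } catch (UnsupportedCallbackException unsupported) {
            NameCallback nc = new NameCallback("name");
            handler.handle(new Callback[] { nc });      // Jetty-style fallback
            try { presented = new X500Principal(nc.getName()); }
            catch (IllegalArgumentException | NullPointerException bad) { return null; }
        }
        for (Map.Entry<String, X500Principal> known : KNOWN.entrySet())
            if (known.getValue().equals(presented)) return known.getKey();
        return null;
    }

    // Answers only CertCallback, with a subject taken from a verified client certificate.
    static CallbackHandler certHandler(X500Principal verified) {
        return cbs -> { for (Callback c : cbs) {
            if (c instanceof CertCallback) ((CertCallback) c).subject = verified;
            else throw new UnsupportedCallbackException(c); } };
    }
    // Answers only NameCallback; the module cannot see where the name came from.
    static CallbackHandler nameHandler(String name) {
        return cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(name);
            else throw new UnsupportedCallbackException(c); } };
    }

    public static void main(String[] args) throws Exception {
        X500Principal cert = new X500Principal("CN=alice, O=Example");
        System.out.println(login(certHandler(cert)));                 // TLS-verified subject
        System.out.println(login(nameHandler(cert.getName())));       // name derived from the cert
        System.out.println(login(nameHandler("CN=alice,O=Example"))); // same string from a login form
        System.out.println(login(nameHandler("alice")));              // not a DN
    }
}
```

The second and third calls are indistinguishable inside `login`, so the guarantee that the name comes from a certificate has to be enforced by the container's authentication configuration rather than by the module.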