Could you show your security realm configuration and your principal-
role mapping?
thanks
david jencks
On Dec 18, 2009, at 2:04 AM, lukasz.bud...@gmail.com wrote:
Hi there,
I'm using G 2.1.3.
I have a problem. I can configure mutual authentication. My and
server's certificates are validated - no problem at all.
The problem starts when I want to use auth-constraint:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected</web-resource-name>
<url-pattern>/HiHeyHelloWebServiceService</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
(Plus valid geronimo-web.xml descriptor, I used geronimo-admin
server wide realm and I know it works, I tested it using BASIC auth-
method).
When I use it with client-cert, after SSL handshake, I keep getting
HTTP 401 Unauthorised and in Geronimo's log I see:
10:57:40,926 WARN [TomcatGeronimoRealm] Login exception
authenticating username
"CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
javax.security.auth.login.LoginException
the root cause is:
Caused by:
javax.security.auth.callback.UnsupportedCallbackException: Wrong call
back type: class javax.security.auth.callback.NameCallback
at
org.apache.geronimo.security.realm.providers.CertificateChainCallback
Handler.handle(CertificateChainCallbackHandler.java:67)
Does it mean in Geronimo you cannot have auth-constraint when using
mutual authentication?
thanks for any help,
Łukasz