Hi David, I'm using geronimo's default server wide realm.
I added the following user: "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL".
I assigned the above user to the admin group.

And here is my geronimo-web.xml:

<security-realm-name>geronimo-admin</security-realm-name>
<security>
  <default-principal>
    <principal name="anonymous" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
  </default-principal>
  <role-mappings>
    <role role-name="admin">
      <principal name="admin" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
    </role>
  </role-mappings>
</security>

thanks,
Łukasz

2009/12/18 David Jencks <david_jen...@yahoo.com>:
> Could you show your security realm configuration and your principal-role
> mapping?
>
> thanks
> david jencks
>
> On Dec 18, 2009, at 2:04 AM, lukasz.bud...@gmail.com wrote:
>
>> Hi there,
>>
>> I'm using G 2.1.3.
>>
>> I have a problem. I can configure mutual authentication. My and the server's
>> certificates are validated - no problem at all.
>>
>> The problem starts when I want to use auth-constraint:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Protected</web-resource-name>
>>     <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
>>     <http-method>POST</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>admin</role-name>
>>   </auth-constraint>
>>   <user-data-constraint>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>> <login-config>
>>   <auth-method>CLIENT-CERT</auth-method>
>> </login-config>
>> <security-role>
>>   <role-name>admin</role-name>
>> </security-role>
>>
>> (Plus a valid geronimo-web.xml descriptor; I used the geronimo-admin server-wide
>> realm and I know it works, I tested it using the BASIC auth-method).
>>
>> When I use it with client-cert, after the SSL handshake, I keep getting HTTP
>> 401 Unauthorised and in Geronimo's log I see:
>>
>> 10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating
>> username
>> "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
>> javax.security.auth.login.LoginException
>>
>> the root cause is:
>>
>> Caused by: javax.security.auth.callback.UnsupportedCallbackException:
>> Wrong call
>> back type: class javax.security.auth.callback.NameCallback
>> at org.apache.geronimo.security.realm.providers.CertificateChainCallback
>> Handler.handle(CertificateChainCallbackHandler.java:67)
>>
>>
>> Does it mean that in Geronimo you cannot have an auth-constraint when using mutual
>> authentication?
>>
>> thanks for any help,
>> Łukasz
>
>
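The root cause in the trace above is a JAAS callback mismatch: the realm's login module asks for a NameCallback, but CertificateChainCallbackHandler services only its own certificate callback and throws UnsupportedCallbackException for anything else. The following is an added illustration of that mechanism using only the standard JAAS API; it is not Geronimo's code and not a fix the thread confirms. SubjectDnCallbackHandler is a hypothetical name, and the subject DN is constructed from the one quoted in the thread.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical handler (not Geronimo's CertificateChainCallbackHandler).
 * It holds the subject of an already-validated client certificate and
 * answers a NameCallback with that subject's RFC 2253 DN string, i.e. the
 * exact "username" a name-based login module would look up in the realm.
 * Any other callback type is rejected the same way the trace shows, so the
 * contrast makes the failure mode visible: a handler that can only service
 * one callback class fails as soon as a login module asks for another.
 */
public class SubjectDnCallbackHandler implements CallbackHandler {
    private final X500Principal subject;

    public SubjectDnCallbackHandler(X500Principal subject) {
        this.subject = subject;
    }

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                // Canonical DN, matching the string registered as the user's name.
                ((NameCallback) cb).setName(subject.getName(X500Principal.RFC2253));
            } else {
                // Same exception class as in the Geronimo log for unknown callbacks.
                throw new UnsupportedCallbackException(cb,
                        "Wrong callback type: " + cb.getClass());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample subject, taken from the DN quoted in the thread.
        X500Principal subject = new X500Principal(
                "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL");
        NameCallback nc = new NameCallback("username: ");
        new SubjectDnCallbackHandler(subject).handle(new Callback[] { nc });
        System.out.println("login name derived from certificate: " + nc.getName());
    }
}
```

Whether the realm's login module will accept a DN as the user name is a property of that module, not of the handler; the thread only shows that the handler in use never gets that far.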