Re: CLIENT-CERT working but how to make it work with auth-constraint?

Sat, 19 Dec 2009 08:26:34 -0800 

Hi David,

I'm using geronimo's default server wide realm.

I added the following user: "CN=Lukasz
Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL".

I assigned the above user to admin group.

And here is my geronimo-web.xml:

        <security-realm-name>geronimo-admin</security-realm-name>

        <security>
                <default-principal>
                        <principal name="anonymous"
                                
class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
/>
                </default-principal>
                <role-mappings>
                        <role role-name="admin">
                                <principal name="admin"
                                        
class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
/>
                        </role>
                </role-mappings>
        </security>

thanks,
Łukasz

2009/12/18 David Jencks <david_jen...@yahoo.com>:
> Could you show your security realm configuration and your principal-role
> mapping?
>
> thanks
> david jencks
>
> On Dec 18, 2009, at 2:04 AM, lukasz.bud...@gmail.com wrote:
>
>> Hi there,
>>
>> I'm using G 2.1.3.
>>
>> I have a problem. I can configure mutual authentication. My and server's
>> certificates are validated - no problem at all.
>>
>> The problem starts when I want to use auth-constraint:
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Protected</web-resource-name>
>> <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
>> <http-method>POST</http-method>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>admin</role-name>
>> </auth-constraint>
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>> </security-constraint>
>> <login-config>
>> <auth-method>CLIENT-CERT</auth-method>
>> </login-config>
>> <security-role>
>> <role-name>admin</role-name>
>> </security-role>
>>
>> (Plus valid geronimo-web.xml descriptor, I used geronimo-admin server wide
>> realm and I know it works, I tested it using BASIC auth-method).
>>
>> When I use it with client-cert, after SSL handshake, I keep getting HTTP
>> 401 Unauthorised and in Geronimo's log I see:
>>
>> 10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating
>> username
>> "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
>> javax.security.auth.login.LoginException
>>
>> the root cause is:
>>
>> Caused by: javax.security.auth.callback.UnsupportedCallbackException:
>> Wrong call
>> back type: class javax.security.auth.callback.NameCallback
>> at org.apache.geronimo.security.realm.providers.CertificateChainCallback
>> Handler.handle(CertificateChainCallbackHandler.java:67)
>>
>>
>> Does it mean in Geronimo you cannot have auth-constraint when using mutual
>> authentication?
>>
>> thanks for any help,
>> Łukasz
>
>

Reply via email to