Hi Lars,

I think it should be possible. At least right now I don't see anything
objecting to this. As Pax Web already does work with certs, you have the
credentials for it. Now you just need to make sure your configuration
for the authorization is delegated to the underlying JAAS. This should be
possible.
It probably needs a bit of tweaking and researching since it's a
not-out-of-the-box situation.

Let us know if it worked out :)

regards, Achim


2013/2/20 Lars-Erik Helander <[email protected]>

> Lukasz & Achim,
>
> Thanks for the feedback.
>
> No, I do not have a working stand alone jetty solution to "port".
>
> The solution works as follows today:
>
> The client, which is another system and not a human user, authenticates to
> the Karaf "server" using a client cert. No login takes place, so it's just a
> matter of transport level security. The receiving servlet makes an explicit
> call to an LDAP server to get the role(s) associated with the client. The
> LDAP search is based on the user principal established during the SSL
> session setup (principal info comes from the client certificate). I would
> like to move away from doing the LDAP call in my application (servlet) and
> instead make the LDAP interaction via JAAS. I guess I would need to do at
> least two things:
> 1) configure JAAS with an LDAP login module
> 2) force login to take place, probably by somehow configuring the specific
> URL as being protected and somehow configuring/coding that login using a client
> certificate shall take place
>
> Is this possible?
>
> Thanks
>
> /Lars
>
> Sent from my iPhone
>
> 20 feb 2013 kl. 15:17 skrev Łukasz Dywicki <[email protected]>:
>
> I was thinking about something more complex [1] where principals may be
> populated from peer certificate.
>
> [1]
> https://github.com/jboss-switchyard/core/blob/master/security/base/src/main/java/org/switchyard/security/login/CertificateLoginModule.java
>
> Cheers,
> Lukasz
>
> Message written by Achim Nierbeck <[email protected]> on
> 20 Feb 2013, at 15:11:
>
> Lukasz,
>
> Pax-Web should work with Certificates already, it just needs a proper
> combination of the authentication which should be done by Pax-Web and the
> authorization which should be done by the JAAS part of Karaf.
>
> regards, Achim
>
>
> 2013/2/20 Łukasz Dywicki <[email protected]>
>
>> I think you may get this with chaining JAAS login modules in the login
>> context configuration; however, we don't ship a certificate login module yet.
>>
>> Which certificate login module do you use now?
>>
>> Lukasz
>>
>> Message written by Achim Nierbeck <[email protected]> on
>> 20 Feb 2013, at 11:20:
>>
>> Hi Lars,
>>
>> I'm sure it's possible. Do you have a working "simple" application that
>> already works on a standard Jetty?
>> If so, try to port those things needed to Karaf.
>> Karaf supports JAAS, so if you are able to get your JAAS configuration
>> working I'm sure it's an easy move over.
>>
>> To my understanding the user attached to the certificate needs to be known
>> in the JAAS part.
>> Since the authentication is done via certificate, the JAAS part is only
>> needed for the authorization.
>>
>> Regards, Achim
>>
>>
>> 2013/2/19 helander <[email protected]>
>>
>>> Hi,
>>> I am connecting to a web application in Karaf using HTTPS and a client
>>> certificate and it works fine.
>>> Now I want to associate the authenticated client with a set of roles defined
>>> in a JAAS login module, e.g. in user.properties or via LDAP. Is this
>>> possible? How to set it up? What "user" name could be used, e.g. what part
>>> of the client certificate would the user identity be selected from?
>>>
>>> Any help is highly appreciated.
>>>
>>> Thanks
>>>
>>> Lars
>>>
>>>
>>>
>>> --
>>> View this message in context:
>>> http://karaf.922171.n3.nabble.com/Https-2-way-authentication-and-JAAS-tp4027804.html
>>> Sent from the Karaf - User mailing list archive at Nabble.com.
>>>
>>
>>
>>
>> --
>>
>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer
>> & Project Lead
>> OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home>
>> Committer & Project Lead
>> blog <http://notizblog.nierbeck.de/>
>>
>>
>>
>
>
> --
>
> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
> Project Lead
> OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home>
> Committer & Project Lead
> blog <http://notizblog.nierbeck.de/>
>
>
>


-- 

Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home>
Committer & Project Lead
blog <http://notizblog.nierbeck.de/>

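Added example, not part of the thread above and not Karaf's or Pax Web's own code: a minimal JAAS LoginModule in the shape Lars sketched (configure a login module, then force a login for the cert-authenticated client) that also answers his original question about which part of the client certificate to use as the user name. The TLS layer (Jetty, behind Pax Web) has already verified the client certificate chain; the servlet takes the subject DN from the verified certificate, passes it to JAAS through a NameCallback, and the module picks the CN out of the DN as the user name and attaches role principals. The class name CertificateRoleLoginModule, the Map standing in for users.properties or an LDAP group search, the DN string, the realm name "karaf" and the two record-based principal types are all assumptions made for this example; it uses Java 17 syntax and only JDK classes.

```java
import java.security.Principal;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical login module (example only). The TLS layer has already verified
// the client certificate; the servlet reads the subject DN from the verified
// certificate, e.g.
//   X509Certificate[] chain = (X509Certificate[])
//       req.getAttribute("javax.servlet.request.X509Certificate");
//   String dn = chain[0].getSubjectX500Principal().getName();
// and hands it to JAAS. This module maps that DN to a user and its roles.
public class CertificateRoleLoginModule implements LoginModule {

    // Constructed stand-in for users.properties or an LDAP group search.
    static final Map<String, List<String>> ROLES_BY_CN = Map.of(
            "billing-client", List.of("billing", "reporting"),
            "monitoring-probe", List.of("status"));

    private Subject subject;
    private CallbackHandler handler;
    private String cn;
    private boolean succeeded;

    // User identity = CN attribute of the certificate subject DN.
    static String commonNameOf(String subjectDn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        }
        throw new InvalidNameException("no CN in " + subjectDn);
    }

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("certificate subject DN: ");
        try {
            handler.handle(new Callback[] { nameCb });
            cn = commonNameOf(nameCb.getName());
        } catch (Exception e) {
            throw new FailedLoginException("cannot derive user from certificate: " + e);
        }
        // Valid certificate but unknown client: authenticated, not authorized.
        if (!ROLES_BY_CN.containsKey(cn)) throw new FailedLoginException("no roles for " + cn);
        succeeded = true;
        return true;
    }

    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(cn));
        for (String role : ROLES_BY_CN.get(cn)) subject.getPrincipals().add(new RolePrincipal(role));
        return true;
    }

    public boolean abort() { succeeded = false; cn = null; return true; }

    public boolean logout() { subject.getPrincipals().clear(); return true; }

    // Minimal principal types; Karaf ships its own user and role principals.
    public record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    public record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Demo of the servlet side once the container has verified the certificate.
    public static void main(String[] args) throws LoginException {
        // Constructed DN, in the RFC 2253 form getSubjectX500Principal().getName() returns.
        String subjectDn = "CN=billing-client,OU=Systems,O=Example,C=SE";
        Configuration conf = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        CertificateRoleLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        CallbackHandler cbHandler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback n) n.setName(subjectDn);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("karaf", new Subject(), cbHandler, conf);
        lc.login();
        System.out.println(lc.getSubject().getPrincipals());  // user + role principals
    }
}
```

Compile with javac and run the class to see the Subject populated with the user principal and its two role principals. Two caveats a practitioner will want: the servlet must only hand a DN to JAAS when the javax.servlet.request.X509Certificate attribute is actually present, since that attribute is set only after the container has verified the chain against its truststore (with wantClientAuth rather than needClientAuth, a request without a client certificate still reaches the servlet), and keying on the CN alone is only safe when every CA in the truststore issues unique CNs; if several CAs are trusted, key on the full subject DN (or subject plus issuer) so that two clients from different CAs cannot collide on the same role set.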