Hi Christian, thanks for sharing. I will report on how my work progresses.
/Lars

Sent from my iPhone

On 21 Feb 2013 at 01:13, Christian Schneider <[email protected]> wrote:

> I am currently trying to do a similar thing. I try to authenticate against a
> CXF Secure Token Service using a client cert. Currently CXF STS has some
> modules for authorization.
> To get this out of STS I try to switch the authorization to JAAS. The problem
> is that in JAAS you can not simply get the roles of a user. You only get the
> roles after you do a login.
>
> So what I am trying to do is use or create a CertificateLoginModule for JAAS
> that can work with either SSL client certs or ws-security cert + signature.
>
> Perhaps this can even be done in a simpler way. I wonder if I could simply
> create an LDAP Login Module that does no authentication and instead simply
> uses a fixed user to fetch the role info from LDAP.
> In any case I will report my progress and it would be great if you could also
> write if you find something.
>
> Christian
>
>
> On 20.02.2013 19:17, Lars-Erik Helander wrote:
>> Thanks Achim,
>>
>> do you have any suggestions on where I can find documentation/examples that
>> could be of help to me, e.g. how to configure my web app to "force" login
>> via client certs?
>>
>> Thanks
>>
>> Lars
>>
>> Sent from my iPhone
>>
>> On 20 Feb 2013 at 17:41, Achim Nierbeck <[email protected]> wrote:
>>
>>> Hi Lars,
>>>
>>> I think it should be possible. At least right now I don't see anything
>>> objecting to this. As Pax Web already does work with certs, you have the
>>> credentials for it. Now you just need to make sure your configuration for
>>> the authorization is delegated to the underlying JAAS. This should be
>>> possible.
>>> It probably needs a bit of tweaking and researching since it's a
>>> not-out-of-the-box situation.
>>>
>>> Let us know if it worked out :)
>>>
>>> regards, Achim
>>>
>>>
>>> 2013/2/20 Lars-Erik Helander <[email protected]>
>>>> Lukasz & Achim,
>>>>
>>>> Thanks for the feedback.
>>>>
>>>> No, I do not have a working stand alone jetty solution to "port".
>>>>
>>>> The solution works as follows today:
>>>>
>>>> The client, which is another system and not a human user, authenticates to
>>>> the Karaf "server" using a client cert. No login takes place so it's just a
>>>> matter of transport level security. The receiving servlet makes an
>>>> explicit call to an LDAP server to get the role(s) associated with the
>>>> client. The LDAP search is based on the user principal established during
>>>> the ssl session setup (principal info comes from the client certificate).
>>>> I would like to move away from doing the LDAP call in
>>>> my application (servlet) and instead make the LDAP interaction via JAAS. I
>>>> guess I would need to do at least two things:
>>>> 1) configure JAAS with an LDAP login module
>>>> 2) force login to take place, probably by somehow configuring the specific
>>>> URL as being protected and somehow configure/code that login using client
>>>> certificate shall take place
>>>>
>>>> Is this possible?
>>>>
>>>> Thanks
>>>>
>>>> /Lars
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On 20 Feb 2013 at 15:17, Łukasz Dywicki <[email protected]> wrote:
>>>>
>>>>> I was thinking about something more complex [1] where principals may be
>>>>> populated from peer certificate.
>>>>>
>>>>> [1]
>>>>> https://github.com/jboss-switchyard/core/blob/master/security/base/src/main/java/org/switchyard/security/login/CertificateLoginModule.java
>>>>>
>>>>> Cheers,
>>>>> Lukasz
>>>>>
>>>>> Message written by Achim Nierbeck <[email protected]>
>>>>> on 20 Feb 2013 at 15:11:
>>>>>
>>>>>> Lukasz,
>>>>>>
>>>>>> Pax-Web should work with Certificates already, it just needs a proper
>>>>>> combination of the authentication which should be done by Pax-Web and
>>>>>> the authorization which should be done by the JAAS part of Karaf.
>>>>>>
>>>>>> regards, Achim
>>>>>>
>>>>>>
>>>>>> 2013/2/20 Łukasz Dywicki <[email protected]>
>>>>>>> I think you may get this with
>>>>>>> chaining JAAS login modules in login context configuration, however we
>>>>>>> don't ship a certificate login module yet.
>>>>>>>
>>>>>>> Which certificate login module do you use now?
>>>>>>>
>>>>>>> Lukasz
>>>>>>>
>>>>>>> Message written by
>>>>>>> Achim Nierbeck <[email protected]> on 20 Feb 2013 at
>>>>>>> 11:20:
>>>>>>>
>>>>>>>> Hi Lars,
>>>>>>>>
>>>>>>>> I'm sure it's possible. Do you have a working "simple" Application
>>>>>>>> that already works on a std. jetty?
>>>>>>>> If so, try to port those things needed to karaf.
>>>>>>>> Karaf supports JAAS so if you are able to get your JAAS configuration
>>>>>>>> working I'm sure
>>>>>>>> it's an easy move over.
>>>>>>>>
>>>>>>>> To my understanding the user attached to the certificate needs to be
>>>>>>>> known in the jaas part.
>>>>>>>> Since the authentication is done via certificate the JAAS part is only
>>>>>>>> needed for the authorization.
>>>>>>>>
>>>>>>>> Regards, Achim
>>>>>>>>
>>>>>>>>
>>>>>>>> 2013/2/19 helander <[email protected]>
>>>>>>>>> Hi,
>>>>>>>>> I am connecting to a web application in Karaf using https and a client
>>>>>>>>> certificate and it works fine.
>>>>>>>>> Now I want to associate the authenticated client with a set of roles
>>>>>>>>> defined
>>>>>>>>> in a JAAS login module, e.g. in user.properties or
>>>>>>>>> via LDAP. Is this
>>>>>>>>> possible? How to set it up? What "user" name could be used, e.g. what
>>>>>>>>> part
>>>>>>>>> of the client certificate would the user identity be selected from?
>>>>>>>>>
>>>>>>>>> Any help is highly appreciated.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> Lars
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> View this message in context:
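The thread keeps circling the same design: TLS (Pax Web / Jetty) authenticates the client certificate, and a JAAS login module only maps the certificate subject to a user and a set of roles. The sketch below is an added example written for this page, not code from the thread, from Karaf, Pax Web or the SwitchYard module linked above. It assumes Java 17, a hypothetical `CertificateCallback` through which the container hands the already verified peer certificate to JAAS, and a constructed in-memory `ROLES` table standing in for `users.properties` or an LDAP group search. The principal types are minimal stand-ins; in Karaf you would use its own `UserPrincipal` / `RolePrincipal` classes instead.

```java
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical JAAS login module (example only). The TLS layer has already
 * verified the client certificate; this module only maps its subject to a
 * user and roles, so the container, not this class, is the authenticator.
 */
public class CertificateLoginModule implements LoginModule {

    /** Constructed callback carrying the TLS-verified peer certificate into JAAS. */
    public static final class CertificateCallback implements Callback {
        private X509Certificate certificate;
        public X509Certificate getCertificate() { return certificate; }
        public void setCertificate(X509Certificate c) { this.certificate = c; }
    }

    /** Minimal principal types for the example; Karaf ships its own equivalents. */
    public record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    public record RolePrincipal(String name) implements Principal { public String getName() { return name; } }

    /** Constructed stand-in for users.properties / an LDAP group lookup: CN -> roles. */
    static final Map<String, Set<String>> ROLES = Map.of(
        "billing-batch", Set.of("invoice-reader"),
        "monitoring",    Set.of("metrics-reader", "health-reader"));

    private Subject subject;
    private CallbackHandler handler;
    private final Set<Principal> principals = new HashSet<>();
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        CertificateCallback cb = new CertificateCallback();
        try {
            handler.handle(new Callback[] { cb });
        } catch (Exception e) {
            throw new LoginException("peer certificate not available: " + e.getMessage());
        }
        X509Certificate cert = cb.getCertificate();
        if (cert == null) throw new FailedLoginException("no client certificate presented");
        try {
            cert.checkValidity();   // defence in depth; the TLS handshake should already reject an expired cert
        } catch (CertificateException e) {
            throw new FailedLoginException("client certificate outside its validity period");
        }
        String user = commonName(cert);
        Set<String> roles = ROLES.getOrDefault(user, Collections.emptySet());
        // A valid certificate whose subject is not in the role table grants nothing.
        if (roles.isEmpty()) throw new FailedLoginException("no roles configured for " + user);
        principals.add(new UserPrincipal(user));
        for (String r : roles) principals.add(new RolePrincipal(r));
        succeeded = true;
        return true;
    }

    /** Uses the CN RDN of the subject DN as the user name; O/OU and the issuer are ignored here. */
    static String commonName(X509Certificate cert) throws LoginException {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            throw new LoginException("unparseable subject DN");
        }
        throw new FailedLoginException("subject DN has no CN");
    }

    @Override public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().addAll(principals);   // roles become visible to the authorization layer
        return true;
    }
    @Override public boolean abort() { principals.clear(); succeeded = false; return true; }
    @Override public boolean logout() {
        subject.getPrincipals().removeAll(principals);
        principals.clear();
        return true;
    }
}
```

Wiring it up is the container's job: a servlet filter or the web container's authenticator reads the standard `javax.servlet.request.X509Certificate` request attribute (an `X509Certificate[]`, leaf first) and a `CallbackHandler` puts `chain[0]` into the `CertificateCallback` before calling `LoginContext.login()`. Two caveats a practitioner would want: the module trusts that the certificate really came from a TLS handshake the container verified, so it must never be reachable with a certificate supplied in a header or request body; and if the truststore accepts more than one CA, key the role table on the issuer as well as the CN, because two CAs can issue certificates with the same subject.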
