Posted to user@geronimo.apache.org by lu...@gmail.com on 2009/12/18 11:04:57 UTC

CLIENT-CERT working but how to make it work with auth-constraint?

Hi there,

I'm using G 2.1.3.

I have a problem. I can configure mutual authentication. My certificate and the
server's are validated - no problem at all.

The problem starts when I want to use auth-constraint:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>

(Plus a valid geronimo-web.xml descriptor; I used the geronimo-admin server-wide
realm and I know it works, as I tested it using the BASIC auth-method.)

When I use it with client-cert, after the SSL handshake I keep getting HTTP
401 Unauthorised, and in Geronimo's log I see:

10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating username "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
javax.security.auth.login.LoginException

The root cause is:

Caused by: javax.security.auth.callback.UnsupportedCallbackException: Wrong callback type: class javax.security.auth.callback.NameCallback
at org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler.handle(CertificateChainCallbackHandler.java:67)

Does it mean that in Geronimo you cannot have an auth-constraint when using mutual
authentication?

thanks for any help,
Łukasz
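The stack trace above is the standard JAAS contract failing: the CLIENT-CERT authenticator's callback handler can only answer certificate callbacks, while a username/password login module asks it for a NameCallback and a PasswordCallback. The Java below is added here as an illustration of that mismatch; it is not code from the thread or from Geronimo, and ClientIdentityCallback and CertOnlyHandler are hypothetical stand-ins for the real classes, with the subject DN from the log used as constructed input.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;
public class CallbackMismatchDemo {
    /** Hypothetical stand-in for a certificate callback: all a CLIENT-CERT
     *  authenticator can hand to a login module is the TLS client's identity. */
    static final class ClientIdentityCallback implements Callback {
        X500Principal subject;
    }
    /** Handler modelled on the failure in the thread: it answers only the
     *  certificate callback and rejects any other callback type. */
    static final class CertOnlyHandler implements CallbackHandler {
        private final X500Principal subject;
        CertOnlyHandler(X500Principal subject) { this.subject = subject; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof ClientIdentityCallback) {
                    ((ClientIdentityCallback) cb).subject = subject;
                } else {
                    // Same condition that produced "Wrong callback type" in the log
                    throw new UnsupportedCallbackException(cb, "Wrong callback type: " + cb.getClass());
                }
            }
        }
    }
    /** Hands one login module's callback request to a handler and reports the outcome. */
    static String attemptLogin(CallbackHandler handler, Callback[] request) {
        try {
            handler.handle(request);
            return "login module satisfied";
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            return "LoginException, caused by: " + e;  // exception class plus its message
        }
    }
    public static void main(String[] args) {
        // Constructed sample input: the subject DN quoted in the Geronimo log
        CallbackHandler h = new CertOnlyHandler(new X500Principal(
                "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"));
        // A username/password login module (a properties-file realm, say) asks for these
        System.out.println(attemptLogin(h, new Callback[] {
                new NameCallback("user: "), new PasswordCallback("password: ", false) }));
        // A certificate-aware login module asks only for the client identity
        ClientIdentityCallback id = new ClientIdentityCallback();
        System.out.println(attemptLogin(h, new Callback[] { id }) + " as " + id.subject.getName());
    }
}
```

The first call reproduces the "Wrong callback type" failure from the log; the second succeeds because the login module only requests what a certificate handler can supply, which is the property a realm used behind CLIENT-CERT has to have.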

Re: CLIENT-CERT working but how to make it work with auth-constraint?

Posted by Łukasz Budnik <lu...@gmail.com>.
Hi David,

I'm using Geronimo's default server-wide realm.

I added the following user: "CN=Lukasz
Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL".

I assigned the above user to the admin group.

And here is my geronimo-web.xml:

<security-realm-name>geronimo-admin</security-realm-name>

<security>
  <default-principal>
    <principal name="anonymous"
      class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
  </default-principal>
  <role-mappings>
    <role role-name="admin">
      <principal name="admin"
        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
    </role>
  </role-mappings>
</security>

thanks,
Łukasz

2009/12/18 David Jencks <da...@yahoo.com>:
> Could you show your security realm configuration and your principal-role
> mapping?
>
> thanks
> david jencks
>
> On Dec 18, 2009, at 2:04 AM, lukasz.budnik@gmail.com wrote:
>
>> Hi there,
>>
>> I'm using G 2.1.3.
>>
>> I have a problem. I can configure mutual authentication. My certificate and the
>> server's are validated - no problem at all.
>>
>> The problem starts when I want to use auth-constraint:
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Protected</web-resource-name>
>> <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
>> <http-method>POST</http-method>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>admin</role-name>
>> </auth-constraint>
>> <user-data-constraint>
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> </user-data-constraint>
>> </security-constraint>
>> <login-config>
>> <auth-method>CLIENT-CERT</auth-method>
>> </login-config>
>> <security-role>
>> <role-name>admin</role-name>
>> </security-role>
>>
>> (Plus a valid geronimo-web.xml descriptor; I used the geronimo-admin server-wide
>> realm and I know it works, as I tested it using the BASIC auth-method.)
>>
>> When I use it with client-cert, after the SSL handshake I keep getting HTTP
>> 401 Unauthorised, and in Geronimo's log I see:
>>
>> 10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating username "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
>> javax.security.auth.login.LoginException
>>
>> The root cause is:
>>
>> Caused by: javax.security.auth.callback.UnsupportedCallbackException: Wrong callback type: class javax.security.auth.callback.NameCallback
>> at org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler.handle(CertificateChainCallbackHandler.java:67)
>>
>>
>> Does it mean that in Geronimo you cannot have an auth-constraint when using mutual
>> authentication?
>>
>> thanks for any help,
>> Łukasz
>
>

Re: CLIENT-CERT working but how to make it work with auth-constraint?

Posted by David Jencks <da...@yahoo.com>.
Could you show your security realm configuration and your principal-role mapping?

thanks
david jencks

On Dec 18, 2009, at 2:04 AM, lukasz.budnik@gmail.com wrote:

> Hi there,
>
> I'm using G 2.1.3.
>
> I have a problem. I can configure mutual authentication. My certificate and
> the server's are validated - no problem at all.
>
> The problem starts when I want to use auth-constraint:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Protected</web-resource-name>
> <url-pattern>/HiHeyHelloWebServiceService</url-pattern>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>admin</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> </login-config>
> <security-role>
> <role-name>admin</role-name>
> </security-role>
>
> (Plus a valid geronimo-web.xml descriptor; I used the geronimo-admin
> server-wide realm and I know it works, as I tested it using the BASIC
> auth-method.)
>
> When I use it with client-cert, after the SSL handshake I keep getting
> HTTP 401 Unauthorised, and in Geronimo's log I see:
>
> 10:57:40,926 WARN [TomcatGeronimoRealm] Login exception authenticating username "CN=Lukasz Budnik,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=PL"
> javax.security.auth.login.LoginException
>
> The root cause is:
>
> Caused by: javax.security.auth.callback.UnsupportedCallbackException: Wrong callback type: class javax.security.auth.callback.NameCallback
> at org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler.handle(CertificateChainCallbackHandler.java:67)
>
>
> Does it mean that in Geronimo you cannot have an auth-constraint when using
> mutual authentication?
>
> thanks for any help,
> Łukasz