[ 
https://issues.apache.org/jira/browse/GERONIMO-5619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David Jencks resolved GERONIMO-5619.
------------------------------------

    Resolution: Fixed

No one has complained about the fix.
                
> CertificatePropertiesFileLoginModule only works with tomcat, not jetty
> ----------------------------------------------------------------------
>
>                 Key: GERONIMO-5619
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5619
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 3.0
>            Reporter: David Jencks
>            Assignee: David Jencks
>             Fix For: 3.0
>
>
> CertificatePropertiesFileLoginModule uses CertificateCallback.  This is 
> supported by Tomcat but not Jetty, which is more adapted to the JASPIC 
> password validation callback and which converts the X500 principal to a 
> "name" and expects a NameCallback.
> We can easily modify the LoginModule to handle both.  I can't decide if this 
> is a security risk since this login module does not check passwords at all 
> and just verifies that the principal name is known.  It might be possible to 
> misconfigure security so as to use basic or form auth with this login module 
> and ignore the supplied password.
> I'm going to go ahead and apply the change.  We can always roll it back.
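
The dual-callback handling described in the issue, as an added sketch that is not Geronimo's code: `CertCallback`, `resolveName` and `knownNames` are hypothetical stand-ins for the container's certificate callback, the module's login step and its properties file. It shows why the name-only path depends on the deployment's auth method.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class DualCallbackSketch {
    // Hypothetical stand-in for the container's certificate callback type.
    static class CertCallback implements Callback {
        X509Certificate certificate;
    }
    // knownNames is an assumption standing in for the module's properties file.
    static String resolveName(CallbackHandler handler, Set<String> knownNames)
            throws LoginException {
        String name;
        try {
            try {
                CertCallback cc = new CertCallback();
                handler.handle(new Callback[] {cc});
                if (cc.certificate == null) {
                    throw new FailedLoginException("no client certificate");
                }
                name = cc.certificate.getSubjectX500Principal().getName();
            } catch (UnsupportedCallbackException noCertSupport) {
                // Name-only path: nothing here proves the name came from a verified
                // certificate, so the deployment must restrict this to CLIENT-CERT auth.
                NameCallback nc = new NameCallback("X500 name");
                handler.handle(new Callback[] {nc});
                name = nc.getName();
            }
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        if (name == null || !knownNames.contains(name)) {
            throw new FailedLoginException("unknown principal");
        }
        return name;
    }
    public static void main(String[] args) throws Exception {
        // Constructed handler that supports NameCallback only.
        CallbackHandler nameOnly = cbs -> {
            for (Callback cb : cbs) {
                if (!(cb instanceof NameCallback)) throw new UnsupportedCallbackException(cb);
                ((NameCallback) cb).setName("CN=alice,O=Example");
            }
        };
        System.out.println(resolveName(nameOnly, Set.of("CN=alice,O=Example")));
    }
}
```

The name string must be in the same format as the keys in the properties file; `getName()` on an X500 principal returns the RFC 2253 form.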
