I am currently trying to do a similar thing. I am trying to authenticate
against a CXF Secure Token Service using a client cert. Currently CXF
STS has some modules for authorization.
To get this out of STS I am trying to switch the authorization to JAAS. The
problem is that in JAAS you cannot simply get the roles of a user. You
only get the roles after you do a login.
So what I am trying to do is use or create a CertificateLoginModule for
JAAS that can work with either SSL client certs or ws-security cert +
signature.
Perhaps this can even be done in a simpler way. I wonder if I could
simply create a LDAP Login Module that does no authentication and
instead simply uses a fixed user to fetch the role infos from LDAP.
In any case I will report my progress, and it would be great if you could
also write if you find something.
Christian
On 20.02.2013 19:17, Lars-Erik Helander wrote:
Thanks Achim,
do you have any suggestions on where I can find documentation/examples
that could be of help to me, e.g. how to configure my web app to
"force" login via client certs?
Thanks
Lars
Sent from my iPhone
On 20 Feb 2013 at 17:41, Achim Nierbeck <[email protected]> wrote:
Hi Lars,
I think it should be possible. At least right now I don't see
anything objecting to this. As Pax Web already does work with certs,
you have the credentials for it. Now you just need to make sure
your configuration for the authorization is delegated to the
underlying JAAS. This should be possible.
It probably needs a bit of tweaking and researching since it's a
not-out-of-the-box situation.
Let us know if it worked out :)
regards, Achim
2013/2/20 Lars-Erik Helander <[email protected]>
Lukasz & Achim,
Thanks for the feedback.
No, I do not have a working stand alone jetty solution to "port".
The solution works as follows today:
The client, which is another system and not a human user,
authenticates to the Karaf "server" using a client cert. No
login takes place, so it's just a matter of transport level
security. The receiving servlet makes an explicit call to an LDAP
server to get the role(s) associated with the client. The LDAP
search is based on the user principal established during the SSL
session setup (principal info comes from the client certificate).
I would like to move away from doing the LDAP call in my
application (servlet) and instead make the LDAP interaction via
JAAS. I guess I would need to do at least two things:
1) configure JAAS with an LDAP login module
2) force login to take place, probably by somehow configuring the
specific URL as being protected and somehow configuring/coding that
login using a client certificate shall take place
Is this possible?
Thanks
/Lars
Sent from my iPhone
On 20 Feb 2013 at 15:17, Łukasz Dywicki <[email protected]> wrote:
I was thinking about something more complex [1] where principals
may be populated from peer certificate.
[1]
https://github.com/jboss-switchyard/core/blob/master/security/base/src/main/java/org/switchyard/security/login/CertificateLoginModule.java
Cheers,
Lukasz
On 20 Feb 2013 at 15:11, Achim Nierbeck <[email protected]> wrote:
Lukasz,
Pax-Web should work with Certificates already, it just needs a
proper combination of the authentication which should be done
by Pax-Web and the authorization which should be done by the
JAAS part of Karaf.
regards, Achim
2013/2/20 Łukasz Dywicki <[email protected]>
I think you may get this with chaining JAAS login modules
in login context configuration, however we don't ship
certificate login module yet.
Which certificate login module do you use now?
Lukasz
On 20 Feb 2013 at 11:20, Achim Nierbeck <[email protected]> wrote:
Hi Lars,
I'm sure it's possible. Do you have a working "simple"
application that already works on a standard Jetty?
If so, try to port those things needed to Karaf.
Karaf supports JAAS, so if you are able to get your JAAS
configuration working I'm sure it's an easy move over.
To my understanding the user attached to
the certificate needs to be known in the JAAS part.
Since the authentication is done via certificate, the JAAS
part is only needed for the authorization.
Regards, Achim
2013/2/19 helander <[email protected]>
Hi,
I am connecting to a web application in Karaf using https and a client
certificate and it works fine.
Now I want to associate the authenticated client with a set of roles defined
in a JAAS login module, e.g. in user.properties or via LDAP. Is this
possible? How to set it up? What "user" name could be used, e.g. what part
of the client certificate would the user identity be selected from?
Any help is highly appreciated.
Thanks
Lars
--
View this message in context:
http://karaf.922171.n3.nabble.com/Https-2-way-authentication-and-JAAS-tp4027804.html
Sent from the Karaf - User mailing list archive at Nabble.com.
--
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home> Committer & Project Lead
blog <http://notizblog.nierbeck.de/>
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
Talend Application Integration Division http://www.talend.com
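The following is an added example, not code from this thread, from Karaf, Pax Web or the SwitchYard module Lukasz linked. It sketches the kind of CertificateLoginModule Christian describes and answers Lars's question about which part of the certificate to use as the user identity: the module receives the peer certificate's subject (the same principal Lars's servlet already gets from the SSL session), keys the role lookup on the full RFC 2253 distinguished name rather than just the CN, and refuses to log in when no certificate or an unknown subject is presented. The CertificateCallback class, the in-memory ROLE_STORE (standing in for users.properties or LDAP) and the two record principals are assumptions made for the demo; under Karaf the principals would be org.apache.karaf.jaas.boot.principal.UserPrincipal and RolePrincipal. Requires Java 17 or later.

```java
import java.security.Principal;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Hypothetical callback (not a JDK or Karaf class). The servlet/filter fills it with
 *  certs[0].getSubjectX500Principal(), where certs is the
 *  "javax.servlet.request.X509Certificate" request attribute set by the TLS layer. */
final class CertificateCallback implements Callback {
    X500Principal subject;
}

/** Hypothetical CertificateLoginModule. It does no cryptography: the TLS handshake (with
 *  client auth required) already verified the chain. It only maps subject DN -> user + roles. */
public class CertificateLoginModule implements LoginModule {
    // Constructed stand-in for users.properties or an LDAP lookup: normalized RFC 2253 DN -> roles.
    private static final Map<String, List<String>> ROLE_STORE = Map.of(
        "CN=billing-service,OU=Systems,O=Example", List.of("invoice-reader", "invoice-writer"),
        "CN=monitor,OU=Systems,O=Example", List.of("metrics-reader"));

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private List<String> roles = List.of();
    private final Set<Principal> added = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        CertificateCallback cb = new CertificateCallback();
        try {
            handler.handle(new Callback[] { cb });
        } catch (Exception e) {
            throw new LoginException("cannot obtain client certificate: " + e);
        }
        // Fail closed: no certificate means no login, never an anonymous subject with empty roles.
        if (cb.subject == null) throw new FailedLoginException("no client certificate presented");
        // Look up the whole normalized DN, not just the CN: two issuers can mint the same CN.
        String dn = cb.subject.getName(X500Principal.RFC2253);
        List<String> found = ROLE_STORE.get(dn);
        if (found == null) throw new FailedLoginException("unknown certificate subject: " + dn);
        user = cn(dn).orElse(dn);   // CN is only the display name, the DN is the identity
        roles = found;
        return true;
    }

    @Override
    public boolean commit() {
        added.add(new UserPrincipal(user));
        roles.forEach(r -> added.add(new RolePrincipal(r)));
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { user = null; roles = List.of(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }

    /** Extracts the CN with the JDK's LDAP name parser instead of splitting on ',' by hand. */
    static Optional<String> cn(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns())
                if (rdn.getType().equalsIgnoreCase("CN")) return Optional.of(rdn.getValue().toString());
        } catch (InvalidNameException e) {
            // unparsable DN: caller falls back to the full name
        }
        return Optional.empty();
    }

    // Demo principals; under Karaf use org.apache.karaf.jaas.boot.principal.UserPrincipal/RolePrincipal.
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }

    /** Stand-alone demo: simulates the servlet handing the peer's subject to JAAS. */
    public static void main(String[] args) throws Exception {
        Subject s = new Subject();
        CertificateLoginModule module = new CertificateLoginModule();
        module.initialize(s, cbs -> ((CertificateCallback) cbs[0]).subject =
            new X500Principal("CN=billing-service, OU=Systems, O=Example"), Map.of(), Map.of());
        module.login();
        module.commit();
        System.out.println("principals: " + s.getPrincipals());

        // Same CN, different organisation: must be rejected, which a CN-only lookup would miss.
        CertificateLoginModule stranger = new CertificateLoginModule();
        stranger.initialize(new Subject(), cbs -> ((CertificateCallback) cbs[0]).subject =
            new X500Principal("CN=billing-service, O=SomeOtherOrg"), Map.of(), Map.of());
        try {
            stranger.login();
        } catch (FailedLoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The module relies entirely on Jetty/Pax Web being configured to require client authentication (needClientAuth) against a trust store that holds only the issuing CA; if the connector merely wants a certificate or trusts a public CA bundle, the DN lookup is still correct but the identity it maps is no longer meaningful. Replacing ROLE_STORE with Christian's idea of a fixed-bind LDAP search keyed on the same normalized DN leaves the rest of the module unchanged.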