
certRealm in login.conf login module class is never loaded

5 replies [Last post]
geturnerlmco
Offline
Joined: 2008-12-04
Points: 0

I have followed what little instructions exist for configuring client cert authentication, but the class specified in the login.conf is never loaded. I have tried with 2.1 and 3.1 with no difference. I have defined a static initializer in the class, so that is how I know it is not being loaded. Every time I hit the protected URL, the server responds with a 400. If I remove the protection in the web.xml, the file retrieves just fine, but when I set CLIENT_CERT again, wham, 400, with NO exceptions of any kind. I have set FINEST on the logging, and nothing shows up about the login module class, but it does show that the CertificateRealm loads successfully, but there is not any indication that it is loading the login module specified by its jass-context property thru the login.conf.
If anyone has made this work, please tell me HOW.

Kumar Jayanti Guest
Offline
Joined: 2011-04-02
Points: 0

Are you following this : http://weblogs.java.net/blog/kumarjayanti/archive/2010/03/25/custom-auth...

On 01-Jun-2011, at 6:23 AM, forums@java.net wrote:

> I have followed what little instructions exist for configuring client cert
> authentication, but the class specified in the login.conf is never loaded.
> I have tried with 2.1 and 3.1 with no difference. I have defined a static
> initializer in the class, so that is how I know it is not being loaded.
> Every time I hit the protected URL, the server responds with a 400. If I
> remove the protection in the web.xml, the file retrieves just fine, but when
> I set CLIENT_CERT again, wham, 400, with NO exceptions of any kind. I have
> set FINEST on the logging, and nothing shows up about the login module class,
> but it does show that the CertificateRealm loads successfully, but there is
> not any indication that it is loading the login module specified by its
> jass-context property thru the login.conf.
>
> If anyone has made this work, please tell me HOW.
>
>
> --
>
> [Message sent by forum member 'geturnerlmco']
>
> View Post: http://forums.java.net/node/808034
>
>

mgainty
Offline
Joined: 2004-05-21
Points: 0

// assuming domains/domain1/config/login.conf looks something like
Login {
    com.sun.security.auth.module.UnixLoginModule required;
    com.sun.security.auth.module.Krb5LoginModule optional
        useTicketCache="true"
        ticketCache="${user.home}${/}tickets";
};

If UnixLoginModule succeeds or fails, the Krb5LoginModule class is called, so
comment out the second entry and determine the cause of failure for the first entry in login.conf.
Things to look at:
Parameters are incorrect?
UnixLoginModule is not available to CL?

Martin Gainty

> Subject: Re: certRealm in login.conf login module class is never loaded
> From: v.b.kumar.jayanti...
> Date: Wed, 1 Jun 2011 15:36:49 +0530
> To: users@glassfish.java.net
>
> Are you following this : http://weblogs.java.net/blog/kumarjayanti/archive/2010/03/25/custom-auth...

geturnerlmco
Offline
Joined: 2008-12-04
Points: 0

Yes, I am following the instructions from Kumar. In his weblogs page, the "detailed post" references the link that I referenced.

nitkal
Offline
Joined: 2008-10-22
Points: 0

Are you trying to use a custom certificate realm? Could you please provide details of the login.conf entry? Also, you have mentioned the login module class key as jass-context. It should be jaas-context.

geturnerlmco
Offline
Joined: 2008-12-04
Points: 0

The term per the Oracle documentation is: Custom Authentication of client Certificate in SSL Mutual Authentication, referenced at http://download.oracle.com/docs/cd/E18930_01/html/821-2435/ggktf.html. I am also referencing earlier howto instructions at http://www.java.net/external?url=http://blogs.sun.com/nasradu8/entry/ext...
And yes, that was a fat-finger typo, I did use jaas-context. I could send you (or upload) all of my files, but everything I have done is exactly per instructions from these two references. I have tried using a class that implements LoginModule (which is where I declared a static block so I could see if the class is being loaded, which it is not) and I have tried the extension of AppservCertificateLoginModule given in the Oracle docs, and neither class is being loaded.
So to reiterate, the default CertificateRealm of domain1 has been altered by adding the "jaas-context" property with a value of "certRealm" and an entry of
certRealm {
    com.lmco.certificate.login.CertificateLoginModule required;
};
has been added to the login.conf file. When I try to debug, breakpoints on CertificateLoginModule are never activated, and static class blocks are never run, which is why I believe there is something else that has not been "turned on" to enable this to work as it should. Obviously something is happening, as the CLIENT-CERT entry in my web.xml is causing the server to return an HTTP 400, but as stated, there are no exceptions, and with logging.properties containing javax.enterprise.system.core.security.level=FINEST I cannot see anything happening other than the CertificateRealm successfully created message from the RealmConfig.
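
Added example, not part of the thread and not GlassFish code: a standalone check that a login.conf parses, that the context name given as the realm's jaas-context value (certRealm above) resolves to an entry, and that the named module class can be located. The class name LoginConfCheck, the sample file contents and the misspelled context name are assumptions made for illustration.

```java
import java.io.File;
import java.io.FileWriter;
import java.security.URIParameter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Hypothetical helper, not part of GlassFish: parses a JAAS login.conf and
// reports whether each module class under a context name can be located.
public class LoginConfCheck {
    // Constructed sample: the entry quoted in the thread.
    static final String SAMPLE =
        "certRealm {\n"
      + "    com.lmco.certificate.login.CertificateLoginModule required;\n"
      + "};\n";

    static String check(File conf, String context) throws Exception {
        // "JavaLoginConfig" is the JDK's standard file-based Configuration type.
        Configuration cfg = Configuration.getInstance(
            "JavaLoginConfig", new URIParameter(conf.toURI()));
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(context);
        if (entries == null) {
            return "no entry named '" + context + "' in " + conf + "\n";
        }
        StringBuilder out = new StringBuilder();
        for (AppConfigurationEntry e : entries) {
            String cls = e.getLoginModuleName();
            String state;
            try {
                // initialize=false: only test visibility, run no static blocks.
                Class.forName(cls, false, LoginConfCheck.class.getClassLoader());
                state = "found";
            } catch (ClassNotFoundException ex) {
                state = "NOT visible to this class loader";
            }
            out.append(cls).append(" [").append(e.getControlFlag())
               .append("] ").append(state).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        File conf = args.length > 0 ? new File(args[0]) : File.createTempFile("login", ".conf");
        if (args.length == 0) {
            try (FileWriter w = new FileWriter(conf)) { w.write(SAMPLE); }
        }
        String context = args.length > 1 ? args[1] : "certRealm";
        System.out.print(check(conf, context));
        System.out.print(check(conf, "certRelm")); // misspelled context name: reports no entry
    }
}
```

Run it with the login module's jar on the class path and the domain's login.conf as the first argument. It tests only the class path of the JVM it runs in, not the server's class loaders, so a "found" result here narrows the problem to the server side.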