SubjectCNMapping for certificate login
yves.p Nov 11, 2011 9:44 AM

I'm trying to set up certificate based authentication for a webapp. I want to use the certificate CN to fetch additional roles from LDAP, but I can't get the mapping from DN to CN to work. Here is my setup so far:
<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>
    <security-domain name="trustStore">
      <jsse truststore-url="configuration/mobiJspDynWesTrust_dev.jceks" truststore-password="123456" truststore-type="JCEKS" protocols="TLS" />
    </security-domain>
    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="UsersRoles" flag="required" />
      </authentication>
    </security-domain>
    <security-domain name="ldap" cache-type="default">
      <authentication>
        <login-module code="Certificate" flag="optional">
          <module-option name="password-stacking" value="useFirstPass" />
          <module-option name="securityDomain" value="java:/jaas/trustStore" />
          <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier" />
          <!-- <module-option name="principalClass" value="org.jboss.security.auth.certs.SubjectCNMapping" /> -->
        </login-module>
      </authentication>
      <mapping>
        <mapping-module code="org.jboss.security.mapping.providers.principal.SubjectCNMapper" type="principal" />
        <!-- type="role" is an attribute of mapping-module, not of module-option -->
        <mapping-module code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider" type="role">
          <module-option name="java.naming.provider.url" value="ldap://addc01.mycorp.test:389" />
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
          <module-option name="java.naming.security.authentication" value="simple" />
          <module-option name="bindDN" value="CN=ADUser,OU=Service-Accounts,OU=My-Acc,DC=mycorp,DC=test" />
          <module-option name="bindCredential" value="123456" />
          <module-option name="rolesCtxDN" value="OU=Groups,OU=My-Acc,DC=mycorp,DC=test" />
          <module-option name="roleAttributeID" value="CN" />
          <module-option name="roleNameAttributeID" value="CN" />
          <module-option name="roleAttributeIsDn" value="false" />
          <module-option name="parseRoleNameFromDN" value="false" />
          <module-option name="roleRecursion" value="-1" />
        </mapping-module>
        <!-- <mapping-module code="org.jboss.security.mapping.providers.OptionsRoleMappingProvider">
          <module-option name="replaceRoles" value="false"/>
          <module-option name="rolesMap" value="asdf=abc"/>
        </mapping-module> -->
      </mapping>
    </security-domain>
  </security-domains>
</subsystem>
With this setup I get this error:
10:44:20,755 ERROR [org.jboss.as.web.security.JBossWebRealm] (http-sd0602a.umobi.mobicorp.test-10.32.35.192-8443-1) Error during authenticate(X509Certificate[])
I also enabled TRACE on org.jboss.security and I don't see that the mappers are being called. How am I supposed to configure this? In JBoss 5 it worked over JBossWeb via Realm:
<Realm className="org.jboss.web.tomcat.security.JBossWebRealm" certificatePrincipal="org.jboss.security.auth.certs.SubjectCNMapping" allRolesMode="authOnly" />
I'm using JBoss 7.0.2.
Thanks for your help!
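The DN-to-CN step that the principal mapper is expected to perform, as an added illustration (not code from the original post and not JBoss's own SubjectCNMapper/SubjectCNMapping implementation): it uses the JDK's LdapName so that escaped commas inside the CN are handled correctly and a subject with no CN is reported rather than silently mapped. The class name and the sample DNs are constructed for this example.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper mirroring what a CN-based principal mapper has to do. */
public class SubjectCnExtractor {

    /**
     * Returns the most specific CN of an RFC 2253 subject DN, or null if the DN has no CN.
     * LdapName stores RDNs with index 0 being the rightmost (least specific) component,
     * so the loop walks from the end to pick the leaf CN when several are present.
     */
    public static String cnFromSubjectDn(String subjectDn) throws InvalidNameException {
        LdapName name = new LdapName(subjectDn);
        for (int i = name.size() - 1; i >= 0; i--) {
            Rdn rdn = name.getRdn(i);
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                // getValue() returns the unescaped value, e.g. "Doe, John" for CN=Doe\, John
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    /** Convenience wrapper for a client certificate presented during TLS authentication. */
    public static String cnFromCertificate(X509Certificate cert) throws InvalidNameException {
        // getName() yields the RFC 2253 form expected by LdapName
        return cnFromSubjectDn(cert.getSubjectX500Principal().getName());
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs, not taken from the original post
        String[] samples = {
            "CN=jdoe,OU=Users,DC=mycorp,DC=test",
            "CN=Doe\\, John,OU=Users,DC=mycorp,DC=test",   // escaped comma inside the CN
            "OU=Users,DC=mycorp,DC=test"                   // no CN at all: mapper must not guess
        };
        for (String dn : samples) {
            System.out.println(dn + " -> " + cnFromSubjectDn(dn));
        }
    }
}
```

Whatever this step returns becomes the key for the LDAP role lookup, so a subject without a CN (or one with characters a naive split on commas would mangle) should be rejected or logged rather than looked up.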