SubjectCNMapper is not invoked with CertificatesRoles login-module in EAP6

Solution Verified - Updated -

Issue

  • SubjectCNMapper is not invoked with CertificatesRoles login-module

    • When using the CertRolesLoginModule to perform CLIENT_CERT authentication with EAP 6.0.1.
    • With a configured security-domain that maps SubjectCNMapper to a value of CN in the certificate, (instead of DN to a Principal).

        <security-domain name="mySecurityDomain" cache-type="default">
          <authentication>
            <login-module code="CertificateRoles" flag="required">
              <module-option name="securityDomain" value="mySecurityDomain"/>
              <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
              <module-option name="rolesProperties" value="${project.build.outputDirectory}/config/roles.properties"/>
            </login-module>
          </authentication>
          <mapping>
            <mapping-module code="org.jboss.security.mapping.providers.principal.SubjectCNMapper" type="principal" />
          </mapping>                   
          <jsse truststore-url="${project.build.outputDirectory}/config/ServerTrustStore.jks"
                            truststore-password="password"
                            truststore-type="jks" client-auth="true"
                            keystore-url="${project.build.outputDirectory}/config/ServerKeyStore.jks"
                            keystore-password="password"
                            keystore-type="jks"
                            />
        </security-domain>
      

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.