Task
Resolution: Done
Major
JBossAS-4.0.4.GA
None
Documentation (Ref Guide, User Guide, etc.)
This issue is related to JBAS-2481. My initial discussion with Remy on customizing authenticators at the Tomcat SAR level or webapp level, via the injection of ContextConfig into StandardContext, did not end in agreement. Remy advised me to use the "configClass" attribute on the <host> element to provide a custom version of the ContextConfig class.
I have tested this and it works perfectly.
-----------------------------------------------------------------------------------------------------------------------
<Host name="localhost"
autoDeploy="false" deployOnStartup="false" deployXML="false"
configClass="org.jboss.web.tomcat.security.config.JBossContextConfig">
-----------------------------------------------------------------------------------------------------------------------
Here is the JBossContextConfig class that I tested:
=======================================================================================
package org.jboss.web.tomcat.security.config;

import java.util.HashMap;
import java.util.Map;

import org.apache.catalina.Authenticator;
import org.apache.catalina.startup.ContextConfig;

public class JBossContextConfig extends ContextConfig
{
   /**
    * Create a new JBossContextConfig.
    */
   public JBossContextConfig()
   {
      super();
      try
      {
         Map authMap = this.getAuthenticators();
         // Only override Tomcat's default authenticators when a custom map is supplied
         if (authMap.size() > 0)
            customAuthenticators = authMap;
      }
      catch (Exception e)
      {
         throw new IllegalStateException("Failed to customize authenticators::" + e.getMessage());
      }
   }

   /** Build the auth-method to Authenticator map handed to ContextConfig. */
   private Map getAuthenticators() throws Exception
   {
      Map cmap = new HashMap();
      ClassLoader tcl = Thread.currentThread().getContextClassLoader();
      // BASIC and CLIENT-CERT are deliberately interchanged for this test (see the result below)
      Authenticator basic = (Authenticator) tcl.loadClass("org.apache.catalina.authenticator.SSLAuthenticator").newInstance();
      Authenticator clientCert = (Authenticator) tcl.loadClass("org.apache.catalina.authenticator.BasicAuthenticator").newInstance();
      Authenticator digest = (Authenticator) tcl.loadClass("org.apache.catalina.authenticator.DigestAuthenticator").newInstance();
      Authenticator form = (Authenticator) tcl.loadClass("org.apache.catalina.authenticator.FormAuthenticator").newInstance();
      Authenticator none = (Authenticator) tcl.loadClass("org.apache.catalina.authenticator.NonLoginAuthenticator").newInstance();
      cmap.put("BASIC", basic);
      cmap.put("CLIENT-CERT", clientCert);
      cmap.put("DIGEST", digest);
      cmap.put("FORM", form);
      cmap.put("NONE", none);
      return cmap;
   }
}
======================================================================================================
When I enabled jmx-console security, the error message in the browser was:
HTTP Status 400 - No client certificate chain in this request
As you can see from the code above, I interchanged the authenticators for BASIC and CLIENT-CERT, and the default jmx-console security is BASIC. So the SSLAuthenticator has kicked in.
This JIRA task involves writing an MBean service that provides the configurable map of authenticators, which the JBossContextConfig will solicit.
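One way the configurable map described above could be built and checked before it reaches JBossContextConfig, as an added example that is not code from this issue or from JBoss. The class name AuthenticatorMapBuilder, the Properties-based input and the sample values are assumptions, and it needs Tomcat's catalina classes on the classpath.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import org.apache.catalina.Authenticator;

/** Hypothetical helper, not JBoss code: builds the auth-method -> Authenticator map from Properties. */
public class AuthenticatorMapBuilder
{
   // The auth-method keys used in the JBossContextConfig map above
   private static final Set<String> METHODS = new HashSet<String>(
      Arrays.asList("BASIC", "CLIENT-CERT", "DIGEST", "FORM", "NONE"));

   public static Map<String, Authenticator> build(Properties config, ClassLoader loader) throws Exception
   {
      Map<String, Authenticator> authenticators = new LinkedHashMap<String, Authenticator>();
      for (String method : config.stringPropertyNames())
      {
         if (!METHODS.contains(method))
            throw new IllegalArgumentException("Unknown auth-method key: " + method);
         String className = config.getProperty(method).trim();
         // asSubclass rejects any class that is not an Authenticator before it is instantiated
         Class<? extends Authenticator> type = loader.loadClass(className).asSubclass(Authenticator.class);
         authenticators.put(method, type.getDeclaredConstructor().newInstance());
      }
      return authenticators;
   }

   /** One line per mapping for the startup log, so an interchanged entry is visible to an operator. */
   public static String describe(Map<String, Authenticator> authenticators)
   {
      StringBuilder sb = new StringBuilder();
      for (Map.Entry<String, Authenticator> e : authenticators.entrySet())
         sb.append(e.getKey()).append(" -> ").append(e.getValue().getClass().getName()).append('\n');
      return sb.toString();
   }

   public static void main(String[] args) throws Exception
   {
      // Constructed sample input using two of the stock Tomcat authenticators named in the issue
      Properties config = new Properties();
      config.setProperty("BASIC", "org.apache.catalina.authenticator.BasicAuthenticator");
      config.setProperty("CLIENT-CERT", "org.apache.catalina.authenticator.SSLAuthenticator");
      System.out.print(describe(build(config, Thread.currentThread().getContextClassLoader())));
   }
}
```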