KeyStoreLoginModule: This class provides a JAAS login module that prompts for a key store alias and populates the subject with the alias's principal and credentials. Stores an X500Principal for the subject distinguished name of the first certificate in the alias's credentials in the subject's principals, the alias's certificate path in the subject's public credentials, and a X500PrivateCredential whose certificate is the firstcertificate in the alias's certificate path and whose private key is the alias's private key in the subject's private credentials.

For more details , go through the link JAASKeyStoreLoginModule .The clear usage of this keystore login module is documented here

This feature is just an another way of configuring keystore's properties in the wsdl configuration.

To use this feature with metro, follow the below steps:

1) Configure a jaas keystore login module entry in the Glassfish's login.conf file($GF_Home/domains/domain1/config/login.conf) as shown below

JAASLoginModuleForKeyStore{ required

If you are providing a callback handler for this login module , in the wsdl configuration,you don't need to configure the keyStoreAlias and keyStorePasswordURL in the config entry.


If you are using a stand alone web service/client , we have to set a property like this : where this login.conf file contains a login module entry as stated above

2) The existing way of configuring the keystore properties in wsdl looks like :

with this keystore login module feature , we can simply configure the keystore as :

or in addition, if we want to provide a custom callback handler for login module which looks like :

where the JAASLoginModuleForKeyStore is the glassfish login module config entry as shown above . Metro reads the keystoreloginmoduleconfig entry from the keystore and uses it to access the GF's config entry and thus populates the subject with certificate and privatekeys.Metro gets the certificate/privatekeys from this subject and uses them for signature/encryption.

The advantage of this feature is we can configure the PKCS#11 keystore types in addition to the default .JKS types


1) This login module feature works only for keystore's , but not for truststores .

2) If you are using a callback handler for login module , then the login module expects the TextOutputCallback, NameCallback( for specifying cert alias), PasswordCallback(for keystore password), and ConfirmationCallback(for login confirmation) in the callback handler

The sample callback handler is attached here

The sample netbeans webservice client(build/web/WEB-INF/classes/META-INF/NewWebServiceService.xml) which uses the above feature is attached here

Download the latest metro nightly builds from here

Read More about [Metro support for JAAS Keystore Login Module ...