Stuart,
Thanks for addressing the problem posed. In the solution you presented, you noted that one had to "... Add a security domain ... although it will depend on how you store your user information ...".

The crux of the matter is that the security information for the user is not on the platform. In particular, I am seeking to obtain the certificate from the request attribute "javax.servlet.request.X509Certificate" so that in an application servlet or in an EJB referenced by a JSF page, the certificate would be authenticated and authorized.

In particular: 

1. Does the configuration that you present assume that the client's certificate is in the trust store (undertow.keystore)?

2. Does the platform (WildFly 8.2.0), when configured as recommended, use "org.jboss.security.auth.certs.AnyCertVerifier" so that it does not try to validate, but relies on the application to obtain the certificate from the request attribute "javax.servlet.request.X509Certificate" to perform authentication and authorization at the application level?

Thanks in advance for your help.

     John


On Thu, Mar 5, 2015 at 10:52 PM, Stuart Douglas <sdouglas@redhat.com> wrote:
The basic steps are:

In standalone.xml

Add a HTTPS listener to the undertow subsystem:

<https-listener name="https" socket-binding="https" security-realm="myrealm"/>

Add a security realm:


<security-realm name="myrealm">
    <server-identities>
        <ssl>
            <keystore path="/keystores/clientcert.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" />
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="/keystores/undertow.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" />
    </authentication>
</security-realm>

Add security domains to the security subsystem; they should be something like this (although it will depend on how you store your user information):


<security-domain name="ssl">
    <jsse truststore-url="../standalone/configuration/keystores/undertow.keystore"
          truststore-password="mypassword"
          keystore-url="../standalone/configuration/keystores/clientcert.jks"
          keystore-password="mypassword"/>
</security-domain>
<security-domain name="client-cert">
    <authentication>
        <login-module code="CertificateRoles" flag="required">
            <module-option name="password-stacking" value="userFirstPass"/>
            <module-option name="securityDomain" value="ssl"/>
            <module-option name="rolesProperties" value="../standalone/configuration/security/roles.properties"/>
        </login-module>
    </authentication>
    <authorization>
        <policy-module code="Delegating" flag="required"/>
    </authorization>
    <mapping>
        <mapping-module code="DeploymentRoles" type="role"/>
    </mapping>
</security-domain>

- Set the authentication mechanism as CLIENT_CERT in web.xml
- In jboss-web.xml specify your security domain:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>client-cert</security-domain>
</jboss-web>


We are taking steps to simplify this configuration, and unify (and hopefully simplify) all our SSL config, although I am not sure when this will be done.

Stuart


----- Original Message -----
> From: "John Robinson" <jsrobin@gmail.com>
> To: "undertow-dev" <undertow-dev@lists.jboss.org>
> Sent: Thursday, 5 March, 2015 4:32:43 AM
> Subject: [undertow-dev] SSL client authorization -- how ?
>
> What are the detailed configuration instructions to configure
> "standalone.xml", web.xml, and jboss-web.xml to set up SSL with client
> authorization?
>
> Could someone direct me to the appropriate place to find detailed
> configuration information on how to have a WildFly 8.2 server evoke from a
> client, a certificate under SSL.
>
> The certificate, I expect, would be sent via the
> "javax.servlet.request.X509Certificate" request attribute.
>
> If this is an inappropriate forum for this question, please feel free to
> direct me to the correct forum.
>
> Thanks in advance for your help.
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
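As an added example (it is not code from this thread, from WildFly or from Undertow), here is a servlet filter that performs the application-level step John asks about: once the CLIENT_CERT setup Stuart outlines is in place, it reads the chain from the "javax.servlet.request.X509Certificate" attribute and validates it against a trust store before handing the subject to the application. The filter init parameters "truststore" and "truststorePassword", the "client.subject" request attribute and the disabled revocation check are assumptions of this example.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from this thread. Init parameters "truststore" and
// "truststorePassword" are assumed names chosen for this filter.
public class ClientCertFilter implements Filter {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private PKIXParameters pkix;

    @Override public void init(FilterConfig cfg) throws ServletException {
        try (InputStream in = new FileInputStream(cfg.getInitParameter("truststore"))) {
            KeyStore ts = KeyStore.getInstance("JKS");
            ts.load(in, cfg.getInitParameter("truststorePassword").toCharArray());
            pkix = new PKIXParameters(ts);    // every trusted cert in the store is an anchor
            pkix.setRevocationEnabled(false); // assumption: no CRL/OCSP reachable from here
        } catch (Exception e) {
            throw new ServletException("cannot load trust store", e);
        }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {   // TLS handshake carried no client cert
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        // Path is leaf-first; drop a trailing self-signed root, anchors come from the store only.
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(certs));
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        try {   // PKIX: signatures chain to an anchor, validity periods and constraints hold
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(cp, pkix);
        } catch (GeneralSecurityException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        // Hand the authenticated identity (leaf subject DN) to the application for authorization.
        req.setAttribute("client.subject", certs[0].getSubjectX500Principal().getName());
        next.doFilter(req, res);
    }

    @Override public void destroy() {}
}
```

Map the filter to the protected URL patterns in web.xml; the application then reads "client.subject" to decide what the caller may do, independent of the container's own role mapping.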