[jboss-user] [Security & JAAS/JBoss] - Problem - if USB Token is removed, web application must not
ensoreus
do-not-reply at jboss.com
Thu Apr 16 08:22:23 EDT 2009
Hi,
I'm using JBoss 4.2.2.GA for a J2EE web application, running on a secured VPN. The application must all be SSL-enabled and the users accesing it must have an USB eToken Pro (with their client certificate on it). The application runs on Internet Explorer 7 (client requirement).
If the user removes the usb token the web application must not allow any other operation. If I run the application on Firefox 3, remove the token and then try to continue with the application an error message appears:
anonymous wrote : Secure Connection Failed
| PKCS#11 token was inserted or removed while operation was in progress.
| (Error code: ssl_error_token_insertion_removal)
Internet Explorer 7 doesn't have the same behavior if I remove the token.
On IE7 the application behaves the same even if I remove the token.
Can someone give me some advice on how to configure this behavior on JBoss (when the user removes the token, the application must not be accessible anymore) ? How can I enforce client certificate authentication not just at login time, but more frequently so if the user removes the token the application must not be accessible anymore ?
In Apache Http Server there is an option to configure the SSL Session Timeout, but could not find this in JBoss AS (in embedded Tomcat):
anonymous wrote : Apache Http Server
| # SessionCache Timeout:
| # This directive sets the timeout in seconds for the information stored
| # in the global/inter-process SSL Session Cache. It can be set as low as
| # 15 for testing, but should be set to higher values like 300 in real life.
| SSLSessionCacheTimeout 30
The SSL Connector in JBoss is configured as follows:
<!-- SSL/TLS Connector with encrypted keystore/truststore password configuration -->
| <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
| maxThreads="150" scheme="https" secure="true"
| clientAuth="true" strategy="ms"
| address="${jboss.bind.address}"
| sslProtocol = "TLS"
| securityDomain="java:/jaas/security-domain"
| SSLImplementation="org.jboss.net.ssl.JBossImplementation" />
The JaasSecurityDomain MBean is configured like this:
<server>
| <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
| name="jboss.security:service=SecurityDomain">
| <constructor>
| <arg type="java.lang.String" value="security-domain"></arg>
| </constructor>
| <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/server.keystore</attribute>
| <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/serverKeystore.password</attribute>
| <attribute name="TrustStoreURL">${jboss.server.home.dir}/conf/user.truststore</attribute>
| <attribute name="TrustStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/userTruststore.password</attribute>
| <attribute name="Salt">jbossserver</attribute>
| <attribute name="IterationCount">13</attribute>
| </mbean>
| </server>
Any help at all would be highly appreciated.
Thanks.
Andrei
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4225896#4225896
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4225896
More information about the jboss-user
mailing list