[security-dev] Resteasy authentication
darran.lofthouse at jboss.com
Thu Nov 29 11:32:07 EST 2012
On 11/29/2012 04:26 PM, Bill Burke wrote:
> Ya, take my proclamation with a 60% probability it is true. I just
> remember setting up JBossWeb to "WANT" and my browser doing nothing when
> I connected. Maybe its because my browser didn't have any certs
> installed, so it didn't bother prompting me.
That does sound familiar but at the same point if a user had not gone to
the effort of defining a certificate that is probably exactly the kind
of user you would want to allow the fallback to without a scary message
popping up asking them to define a certificate.
>>> Another thing that sucks is that JBossWeb pretty much requires you to
>>> plug in a global truststore for client-certs when you configure SSL for
>>> it. So, you can't have different truststores for different apps and
>>> have the security domain handle the verification of the client
>> Yes that is a general problem as until the connection is established it
>> is not possible to identify which application is being accessed.
> I don't think you need to know the identity of the application at
> connection establishment. Just have JBossWeb accept all certificates,
> dispatch the request, then verify the certificate with the bound
> Security Domain. Am I wrong here?
That is fairly trivial if you are providing your own X509TrustManager
(Just to clarify I thinking about some of this more generally in AS
terms where the restrictions of JBossWeb do not always apply)
More information about the security-dev