[undertow-dev] SSL client authorization -- how ?

John Robinson jsrobin at gmail.com
Sat Mar 7 13:47:03 EST 2015


Stuart,
Thanks for addressing the problem posed. In the solution you presented, you
noted that one had to "... Add a security domain ... although it will
depend on how you store your user information ...".

The crux of the matter is that the security information for the user is not
on the platform. In particular, I am seeking to obtain the certificate from
the request attribute "javax.servlet.request.X509Certificate" so that in an
application servlet or in a ejb referenced by a JSF page, the certificate
would be authenticated and authorized.

In particular:

1. Does the configuration that you present assume that the client's
certificate is in the trust store (undertow.keystore)?

2. Does the platform (WildFly 8.2.0), when configured as recommended, use
"org.jboss.security.auth.certs.AnyCertVerifier" so that it does not try to
validate, but relies on the application to obtain the certificate from the
request attribute "javax.servlet.request.X509Certificate" to perform
authentication and authorization at the application level?

Thanks in advance for your help.

     John


On Thu, Mar 5, 2015 at 10:52 PM, Stuart Douglas <sdouglas at redhat.com> wrote:

> The basic steps are:
>
> In standalone.xml
>
> Add a HTTPS listener to the undertow subsystem:
>
> <https-listener name="https" socket-binding="https"
> security-realm="myrealm"/>
>
> Add a security realm:
>
>
>             <security-realm name="myrealm">
>                 <server-identities>
>                     <ssl>
>                         <keystore path="/keystores/clientcert.jks"
> relative-to="jboss.server.config.dir" keystore-password="mypassword" />
>                    </ssl>
>                 </server-identities>
>                 <authentication>
>                     <truststore path="/keystores/undertow.keystore"
> relative-to="jboss.server.config.dir" keystore-password="mypassword" />
>                 </authentication>
>             </security-realm>
>
> Add security domains to the security subsystem; they should be something like
> this (although it will depend on how you store your user information):
>
>
>                 <security-domain name="ssl">
>                     <jsse
> truststore-url="../standalone/configuration/keystores/undertow.keystore"
>                           truststore-password="mypassword"
>
> keystore-url="../standalone/configuration/keystores/clientcert.jks"
>                           keystore-password="mypassword"/>
>                 </security-domain>
>                 <security-domain name="client-cert">
>                     <authentication>
>                         <login-module code="CertificateRoles"
> flag="required">
>                             <module-option name="password-stacking"
> value="userFirstPass"/>
>                             <module-option name="securityDomain"
> value="ssl"/>
>                             <module-option name="rolesProperties"
> value="../standalone/configuration/security/roles.properties"/>
>                         </login-module>
>                      </authentication>
>                     <authorization>
>                         <policy-module code="Delegating" flag="required"/>
>                     </authorization>
>                     <mapping>
>                         <mapping-module code="DeploymentRoles"
> type="role"/>
>                     </mapping>
>                </security-domain>
>
> - Set the authentication mechanism as CLIENT_CERT in web.xml
> - In jboss-web.xml specify your security domain:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <jboss-web>
>   <security-domain>client-cert</security-domain>
> </jboss-web>
>
>
> We are taking steps to simplify this configuration, and unify (and
> hopefully simplify) all our SSL config, although I am not sure when this
> will be done.
>
> Stuart
>
>
> ----- Original Message -----
> > From: "John Robinson" <jsrobin at gmail.com>
> > To: "undertow-dev" <undertow-dev at lists.jboss.org>
> > Sent: Thursday, 5 March, 2015 4:32:43 AM
> > Subject: [undertow-dev] SSL client authorization -- how ?
> >
> > What are the detailed configuration instructions to configure
> > "standalone.xml", web.xml, and jboss-web.xml to set up SSL with client
> > authorization?
> >
> > Could someone direct me to the appropriate place to find detailed
> > configuration information on how to have a WildFly 8.2 server evoke from a
> > client, a certificate under SSL.
> >
> > The certificate, I expect, would be sent via the
> > "javax.servlet.request.X509Certificate" request attribute.
> >
> > If this is an inappropriate forum for this question, please feel free to
> > direct me to the correct forum.
> >
> > Thanks in advance for your help.
> >
> > _______________________________________________
> > undertow-dev mailing list
> > undertow-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>
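An added example (not from this thread or from the WildFly/Undertow project) of the application-level approach John describes: a servlet filter that takes the chain from the request attribute, re-validates it against a trust store with PKIX and maps the subject DN to roles. It assumes a JKS trust store supplied through the hypothetical filter init parameters "truststore" and "truststorePassword"; the DN-to-role table and the "app.roles" attribute are constructed for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: authenticates and authorizes on the certificate the container exposes
// in the request attribute, instead of relying on a security domain / login module.
public class ClientCertFilter implements Filter {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private PKIXParameters pkix;
    // Constructed subject-DN -> roles table; a real application would load this from its own store.
    private final Map<String, Set<String>> rolesBySubject = new HashMap<String, Set<String>>();

    @Override public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-params: "truststore" (path to a JKS file) and "truststorePassword".
        try (FileInputStream in = new FileInputStream(cfg.getInitParameter("truststore"))) {
            KeyStore trust = KeyStore.getInstance("JKS");
            trust.load(in, cfg.getInitParameter("truststorePassword").toCharArray());
            pkix = new PKIXParameters(trust);   // trust anchors = CA certificates in the store
            pkix.setRevocationEnabled(false);   // assumption: no CRL/OCSP source is configured
        } catch (Exception e) {
            throw new ServletException("cannot load trust store", e);
        }
        rolesBySubject.put("CN=alice,O=Example", Collections.singleton("admin"));
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {   // listener obtained no client certificate
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return;
        }
        try {   // re-validate the chain ourselves (needed if the container accepts any certificate)
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(certs));
            CertPathValidator.getInstance("PKIX").validate(path, pkix);
        } catch (GeneralSecurityException e) {   // expired, untrusted issuer, bad signature, ...
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); return;
        }
        String subject = certs[0].getSubjectX500Principal().getName();   // RFC 2253 string form
        Set<String> roles = rolesBySubject.get(subject);
        if (roles == null || !roles.contains("admin")) {   // authorization: unknown DN or wrong role
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); return;
        }
        req.setAttribute("app.roles", roles);   // hypothetical attribute for downstream servlets/EJBs
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }
}
```

Undertow only populates the attribute when the HTTPS listener's security realm asks the client for a certificate, so the truststore in the realm is still needed for the handshake; the PKIX re-validation is what protects the application if the container itself accepts any presented certificate.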