<div dir="ltr">Stuart,<div>Thanks for addressing the problem posed. In the solution you presented, you noted that one had to "... Add a security domain ... although it will depend on how you store your user information ...".</div><div><br></div><div>The crux of the matter is that the security information for the user is not on the platform. In particular, I am seeking to obtain the certificate from the request attribute "javax.servlet.request.X509Certificate" so that in an application servlet or in an EJB referenced by a JSF page, the certificate would be authenticated and authorized.</div><div><br></div><div>In particular:</div><div><br></div><div>1. Does the configuration that you present assume that the client's certificate is in the trust store (undertow.keystore)?</div><div><br></div><div>2. Does the platform (WildFly 8.2.0), when configured as recommended, use "org.jboss.security.auth.certs.AnyCertVerifier" so that it does not try to validate, but relies on the application to obtain the certificate from the request attribute "javax.servlet.request.X509Certificate" to perform authentication and authorization at the application level?</div><div><br></div><div>Thanks in advance for your help.</div><div><br></div><div> John</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 5, 2015 at 10:52 PM, Stuart Douglas <span dir="ltr"><<a href="mailto:sdouglas@redhat.com" target="_blank">sdouglas@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The basic steps are:<br>
<br>
In standalone.xml<br>
<br>
Add a HTTPS listener to the undertow subsystem:<br>
<br>
<https-listener name="https" socket-binding="https" security-realm="myrealm"/><br>
<br>
Add a security realm:<br>
<br>
<br>
<security-realm name="myrealm"><br>
<server-identities><br>
<ssl><br>
<keystore path="/keystores/clientcert.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" /><br>
</ssl><br>
</server-identities><br>
<authentication><br>
<truststore path="/keystores/undertow.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" /><br>
</authentication><br>
</security-realm><br>
<br>
Add a security domain to the security subsystem; it should be something like this (although it will depend on how you store your user information):<br>
<br>
<br>
<security-domain name="ssl"><br>
<jsse truststore-url="../standalone/configuration/keystores/undertow.keystore"<br>
truststore-password="mypassword"<br>
keystore-url="../standalone/configuration/keystores/clientcert.jks"<br>
keystore-password="mypassword"/><br>
</security-domain><br>
<security-domain name="client-cert"><br>
<authentication><br>
<login-module code="CertificateRoles" flag="required"><br>
<module-option name="password-stacking" value="userFirstPass"/><br>
<module-option name="securityDomain" value="ssl"/><br>
<module-option name="rolesProperties" value="../standalone/configuration/security/roles.properties"/><br>
</login-module><br>
</authentication><br>
<authorization><br>
<policy-module code="Delegating" flag="required"/><br>
</authorization><br>
<mapping><br>
<mapping-module code="DeploymentRoles" type="role"/><br>
</mapping><br>
</security-domain><br>
<br>
- Set the authentication mechanism as CLIENT_CERT in web.xml<br>
- In jboss-web.xml specify your security domain:<br>
<br>
<?xml version="1.0" encoding="UTF-8"?><br>
<jboss-web><br>
<security-domain>client-cert</security-domain><br>
</jboss-web><br>
<br>
<br>
We are taking steps to simplify this configuration, and unify (and hopefully simplify) all our SSL config, although I am not sure when this will be done.<br>
<br>
Stuart<br>
<br>
<br>
----- Original Message -----<br>
> From: "John Robinson" <<a href="mailto:jsrobin@gmail.com">jsrobin@gmail.com</a>><br>
> To: "undertow-dev" <<a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a>><br>
> Sent: Thursday, 5 March, 2015 4:32:43 AM<br>
> Subject: [undertow-dev] SSL client authorization -- how ?<br>
><br>
> What are the detailed configuration instructions to configure<br>
> "standalone.xml", web.xml, and jboss-web.xml to set up SSL with client<br>
> authorization?<br>
><br>
> Could someone direct me to the appropriate place to find detailed<br>
> configuration information on how to have a WildFly 8.2 server evoke from a<br>
> client a certificate under SSL.<br>
><br>
> The certificate, I expect, would be sent via the<br>
> "javax.servlet.request.X509Certificate" request attribute.<br>
><br>
> If this is an inappropriate forum for this question, please feel free to<br>
> direct me to the correct forum.<br>
><br>
> Thanks in advance for your help.<br>
><br>
> _______________________________________________<br>
> undertow-dev mailing list<br>
> <a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/undertow-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/undertow-dev</a><br>
</blockquote></div><br></div>
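<div>As an added example (written for this page; it is not code from this thread, from WildFly or from Undertow), here is the application-side half John describes: a servlet filter that reads the chain the TLS layer stored under the "javax.servlet.request.X509Certificate" request attribute, verifies it against the application's own truststore (accepting either a client certificate pinned directly in the truststore, which is the case behind John's question 1, or a PKIX-valid path to a CA certificate in it), and maps the subject DN to roles that servlets or EJBs can read from the request. The filter init-parameter names, the JKS truststore format, the "app.*" request attribute names and the subject-to-role table are assumptions made for the example; a real deployment would load the role data from wherever it keeps its users.</div>

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Application-level client-certificate authentication and authorization
 * (example code, not part of WildFly/Undertow). The container still has to
 * request the certificate during the TLS handshake; this filter only
 * consumes what the TLS layer exposes to the servlet API.
 */
public class ClientCertFilter implements Filter {

    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private KeyStore truststore;
    private PKIXParameters pkixParams;
    // Assumed application-side authorization data: subject DN (RFC 2253) -> roles.
    private final Map<String, Set<String>> rolesBySubject = new HashMap<>();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-params "truststore" and "truststorePassword" from web.xml.
        String path = cfg.getInitParameter("truststore");
        char[] pw = cfg.getInitParameter("truststorePassword").toCharArray();
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            truststore = KeyStore.getInstance("JKS");
            truststore.load(in, pw);
            pkixParams = new PKIXParameters(truststore); // anchors = certs in the truststore
            pkixParams.setRevocationEnabled(false);      // assumption: no CRL/OCSP in this example
        } catch (IOException | GeneralSecurityException e) {
            throw new ServletException("cannot load application truststore", e);
        }
        // Constructed sample mapping; replace with the application's own user store.
        rolesBySubject.put("CN=alice,O=Example", new HashSet<>(Arrays.asList("user", "admin")));
        rolesBySubject.put("CN=bob,O=Example", Collections.singleton("user"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse out = (HttpServletResponse) resp;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // No certificate presented, or the listener never asked the client for one.
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            verify(certs);
        } catch (GeneralSecurityException e) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate not trusted");
            return;
        }
        // certs[0] is the end-entity certificate; its subject is the application principal.
        String subject = certs[0].getSubjectX500Principal().getName();
        Set<String> roles = rolesBySubject.get(subject);
        if (roles == null || roles.isEmpty()) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "no roles for " + subject);
            return;
        }
        req.setAttribute("app.clientCertSubject", subject); // assumed attribute names,
        req.setAttribute("app.clientCertRoles", roles);     // read by servlets / EJBs downstream
        chain.doFilter(req, resp);
    }

    /**
     * Accept the chain if the end-entity certificate is itself pinned in the
     * truststore; otherwise require a PKIX-valid path to one of the truststore's
     * anchors. The validity period is enforced in both cases.
     */
    void verify(X509Certificate[] chain) throws GeneralSecurityException {
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // expired or not-yet-valid -> CertificateException
        if (truststore.getCertificateAlias(leaf) != null) {
            return; // the client certificate itself is in the truststore
        }
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        // A PKIX path ends below the anchor: trim any trusted certs the client appended.
        while (path.size() > 1 && truststore.getCertificateAlias(path.get(path.size() - 1)) != null) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        // Throws CertPathValidatorException on an unknown issuer, bad signature, expiry, etc.
        CertPathValidator.getInstance("PKIX").validate(certPath, pkixParams);
    }

    @Override
    public void destroy() { }
}
```

<div>Register it in web.xml with a <filter> and <filter-mapping> covering the protected paths, supplying the two assumed init-params. Two caveats for this approach: with revocation disabled, a client whose private key is compromised stays trusted until its certificate expires, so enable CRL/OCSP checking or keep a deny-list of serial numbers if that matters; and the checks only fire on requests that actually reach the filter, so the mapping must cover every path that should require a certificate.</div>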