On 11/29/2012 04:26 PM, Bill Burke wrote:
Ya, take my proclamation with a 60% probability it is true. I just
remember setting up JBossWeb to "WANT" and my browser doing nothing when
I connected. Maybe it's because my browser didn't have any certs
installed, so it didn't bother prompting me.
That does sound familiar but at the same point if a user had not gone to
the effort of defining a certificate that is probably exactly the kind
of user you would want to allow the fallback to without a scary message
popping up asking them to define a certificate.
>> Another thing that sucks is that JBossWeb pretty much requires you to
>> plug in a global truststore for client-certs when you configure SSL for
>> it. So, you can't have different truststores for different apps and
>> have the security domain handle the verification of the client
>> certificate.
>
> Yes that is a general problem as until the connection is established it
> is not possible to identify which application is being accessed.
I don't think you need to know the identity of the application at
connection establishment. Just have JBossWeb accept all certificates,
dispatch the request, then verify the certificate with the bound
Security Domain. Am I wrong here?
That is fairly trivial if you are providing your own X509TrustManager
implementation.
(Just to clarify, I am thinking about some of this more generally in AS
terms where the restrictions of JBossWeb do not always apply)
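The deferred-verification design discussed above, written out as an added example; it is not code from this thread, from JBossWeb or from AS. It assumes the connector is configured to WANT client certificates, that the verifier is built from the truststore path and password that belong to the application (both hypothetical arguments), and that the request-handling code calls `verify` on the chain the container exposes through the standard `javax.servlet.request.X509Certificate` request attribute before doing anything else.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.X509TrustManager;

/** Handshake-time trust manager: lets any client chain complete the TLS
 *  handshake so the request can be dispatched; trust is decided later,
 *  per application, by AppCertificateVerifier. Never use it alone. */
final class DeferringTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        // Deliberately empty: verification is deferred to the security domain.
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("server-side use only");
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

/** Post-dispatch verification against one application's own truststore. */
final class AppCertificateVerifier {
    private final Set<TrustAnchor> anchors = new HashSet<>();

    AppCertificateVerifier(String truststorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(truststorePath)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate)
                anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
    }

    /** Returns the validated end-entity certificate, or throws. Callers must
     *  treat any exception as "not authenticated" and fail closed. */
    X509Certificate verify(X509Certificate[] chain) throws GeneralSecurityException {
        if (chain == null || chain.length == 0)
            throw new CertificateException("no client certificate presented");
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: revocation checked elsewhere
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return chain[0];
    }
}
```

The hard requirement of this split is that nothing between the handshake and `verify` may rely on the certificate; a chain that fails PKIX validation is exactly the "no certificate" fallback case and should be treated that way.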