Stuart,
Thanks for addressing the problem posed. In the solution you presented, you
noted that one had to "... Add a security domain ... although it will
depend on how you store your user information ...".
The crux of the matter is that the security information for the user is not
on the platform. In particular, I am seeking to obtain the certificate from
the request attribute "javax.servlet.request.X509Certificate" so that in an
application servlet or in a ejb referenced by a JSF page, the certificate
would be authenticated and authorized.
In particular:
1. Does the configuration that you present assume that the client's
certificate is in the trust store (undertow.keystore)?
2. Does the platform (WildFly 8.2.0), when configured as recommended, use
"org.jboss.security.auth.certs.AnyCertVerifier" so that it does not try to
validate, but relies on the application to obtain the certificate from the
request attribute "javax.servlet.request.X509Certificate" to perform
authentication and authorization at the application level?
Thanks in advance for your help.
John
On Thu, Mar 5, 2015 at 10:52 PM, Stuart Douglas <sdouglas(a)redhat.com> wrote:
The basic steps are:
In standalone.xml
Add a HTTPS listener to the undertow subsystem:
<https-listener name="https" socket-binding="https"
security-realm="myrealm"/>
Add a security realm:
<security-realm name="myrealm">
  <server-identities>
    <ssl>
      <keystore path="/keystores/clientcert.jks"
                relative-to="jboss.server.config.dir" keystore-password="mypassword"/>
    </ssl>
  </server-identities>
  <authentication>
    <truststore path="/keystores/undertow.keystore"
                relative-to="jboss.server.config.dir" keystore-password="mypassword"/>
  </authentication>
</security-realm>
Add a security domain to the security subsystem. It should be something like
this (although it will depend on how you store your user information):
<security-domain name="ssl">
  <jsse truststore-url="../standalone/configuration/keystores/undertow.keystore"
        truststore-password="mypassword"
        keystore-url="../standalone/configuration/keystores/clientcert.jks"
        keystore-password="mypassword"/>
</security-domain>
<security-domain name="client-cert">
  <authentication>
    <login-module code="CertificateRoles" flag="required">
      <module-option name="password-stacking" value="userFirstPass"/>
      <module-option name="securityDomain" value="ssl"/>
      <module-option name="rolesProperties"
                     value="../standalone/configuration/security/roles.properties"/>
    </login-module>
  </authentication>
  <authorization>
    <policy-module code="Delegating" flag="required"/>
  </authorization>
  <mapping>
    <mapping-module code="DeploymentRoles" type="role"/>
  </mapping>
</security-domain>
- Set the authentication mechanism as CLIENT_CERT in web.xml
- In jboss-web.xml specify your security domain:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>client-cert</security-domain>
</jboss-web>
We are taking steps to simplify this configuration, and unify (and
hopefully simplify) all our SSL config, although I am not sure when this
will be done.
Stuart
----- Original Message -----
> From: "John Robinson" <jsrobin(a)gmail.com>
> To: "undertow-dev" <undertow-dev(a)lists.jboss.org>
> Sent: Thursday, 5 March, 2015 4:32:43 AM
> Subject: [undertow-dev] SSL client authorization -- how ?
>
> What are the detailed configuration instructions to configure
> "standalone.xml", web.xml, and jboss-web.xml to set up SSL with client
> authorization?
>
> Could someone direct me to the appropriate place to find detailed
> configuration information on how to have a WildFly 8.2 server evoke from a
> client, a certificate under SSL.
>
> The certificate, I expect, would be sent via the
> "javax.servlet.request.X509Certificate" request attribute.
>
> If this is an inappropriate forum for this question, please feel free to
> direct me to the correct forum.
>
> Thanks in advance for your help.
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/undertow-dev
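For John's second question (doing authentication and authorization in the application rather than trusting whatever the realm passed through), here is an added example servlet that is not part of the thread or of WildFly: it reads the chain from javax.servlet.request.X509Certificate, validates it with PKIX against the undertow.keystore truststore from Stuart's realm, and maps the subject DN to roles from a roles.properties-style file. The keystore paths under jboss.server.config.dir, the "JKS" store type, the password from the thread's config, the role name "admin" and the disabled revocation check are all assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/secure")
public class ClientCertServlet extends HttpServlet {
    // Assumed locations, following the paths in the realm/domain configuration in the thread.
    private static final String CONFIG_DIR = System.getProperty("jboss.server.config.dir");
    private static final String TRUSTSTORE = CONFIG_DIR + "/keystores/undertow.keystore";
    private static final String ROLES_FILE = CONFIG_DIR + "/security/roles.properties";
    private static final char[] TRUSTSTORE_PASSWORD = "mypassword".toCharArray();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The container sets this attribute only when the TLS handshake obtained a client chain.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            // Authentication: validate the chain against the realm truststore here; AnyCertVerifier checks nothing.
            KeyStore ts = KeyStore.getInstance("JKS"); // assumed: undertow.keystore is a JKS file
            try (InputStream in = Files.newInputStream(Paths.get(TRUSTSTORE))) {
                ts.load(in, TRUSTSTORE_PASSWORD);
            }
            PKIXParameters params = new PKIXParameters(ts);
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP checking in this example
            CertPathValidator.getInstance("PKIX").validate(
                    CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain)), params);
        } catch (Exception e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        // Authorization: look the subject DN up in a roles.properties-style file ("=" in the DN escaped as "\=").
        Properties roles = new Properties();
        try (InputStream in = Files.newInputStream(Paths.get(ROLES_FILE))) { roles.load(in); }
        String dn = chain[0].getSubjectX500Principal().getName();
        if (!Arrays.asList(roles.getProperty(dn, "").split(",")).contains("admin")) { // hypothetical role
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "role admin required");
            return;
        }
        resp.getWriter().println("authenticated as " + dn);
    }
}
```

With CLIENT_CERT in web.xml the container already rejects requests that present no certificate, so the null check above mainly matters when the listener is set to request rather than require a client certificate.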