The basic steps are:
In standalone.xml
Add an HTTPS listener to the undertow subsystem:
<!-- verify-client="REQUESTED" makes the TLS handshake ask the client for a
     certificate up front; without it the CLIENT_CERT mechanism has to trigger
     a TLS renegotiation to obtain one. Use "REQUIRED" to refuse connections
     that present no certificate at all. -->
<https-listener name="https" socket-binding="https" security-realm="myrealm" verify-client="REQUESTED"/>
Add a security realm:
<security-realm name="myrealm">
    <server-identities>
        <ssl>
            <!-- The server's own private key and certificate (despite the
                 file name, this is not a client certificate). -->
            <keystore path="/keystores/clientcert.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" />
        </ssl>
    </server-identities>
    <authentication>
        <!-- CA certificates that presented client certificates must chain to;
             a client certificate that does not chain to one of these is rejected. -->
        <truststore path="/keystores/undertow.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" />
    </authentication>
</security-realm>
Add security domains to the security subsystem; they should be something like this (although the details will depend on how you store your user information):
<!-- JSSE domain: the truststore the CertificateRoles module uses to verify
     the presented certificate (same files as the realm above). -->
<security-domain name="ssl">
    <jsse truststore-url="../standalone/configuration/keystores/undertow.keystore"
          truststore-password="mypassword"
          keystore-url="../standalone/configuration/keystores/clientcert.jks"
          keystore-password="mypassword"/>
</security-domain>
<security-domain name="client-cert">
    <authentication>
        <!-- CertificateRoles verifies the certificate against the "ssl" domain's
             truststore and looks the resulting principal up in roles.properties. -->
        <login-module code="CertificateRoles" flag="required">
            <module-option name="password-stacking" value="userFirstPass"/>
            <module-option name="securityDomain" value="ssl"/>
            <module-option name="rolesProperties" value="../standalone/configuration/security/roles.properties"/>
        </login-module>
    </authentication>
    <authorization>
        <policy-module code="Delegating" flag="required"/>
    </authorization>
    <mapping>
        <mapping-module code="DeploymentRoles" type="role"/>
    </mapping>
</security-domain>
- Set the authentication mechanism to CLIENT_CERT in web.xml
- In jboss-web.xml specify your security domain:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>client-cert</security-domain>
</jboss-web>
We are taking steps to simplify this configuration, and unify (and hopefully simplify) all our SSL config, although I am not sure when this will be done.
Stuart
----- Original Message -----
> From: "John Robinson" <jsrobin@gmail.com>
> To: "undertow-dev" <undertow-dev@lists.jboss.org>
> Sent: Thursday, 5 March, 2015 4:32:43 AM
> Subject: [undertow-dev] SSL client authorization -- how ?
>
> What are the detailed configuration instructions to configure
> "standalone.xml", web.xml, and jboss-web.xml to set up SSL with client
> authorization?
>
> Could someone direct me to the appropriate place to find detailed
> configuration information on how to have a WildFly 8.2 server evoke from a
> client, a certificate under SSL.
>
> The certificate, I expect, would be sent via the
> "javax.servlet.request.X509Certificate" request attribute.
>
> If this is an inappropriate forum for this question, please feel free to
> direct me to the correct forum.
>
> Thanks in advance for your help.
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
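A web.xml that completes the procedure above, added here as an example rather than taken from the original post or the WildFly project. It assumes the deployment's protected servlet is mapped under /secure/* and that roles.properties grants the role admin to the principal derived from the client certificate; both the path and the role name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (not from the original post). Assumes the
     security domain "client-cert" is selected in jboss-web.xml as above,
     that roles.properties maps the client certificate to the role "admin",
     and that the protected servlet lives under /secure/*. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- CLIENT_CERT authenticates the caller from the TLS client certificate
       instead of challenging with BASIC or FORM. -->
  <login-config>
    <auth-method>CLIENT_CERT</auth-method>
  </login-config>

  <!-- Only certificates mapped to "admin" in roles.properties may reach
       /secure/*; an authenticated caller without that role gets 403. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL redirects requests arriving on the plain http listener
         to the https listener, so a certificate can actually be presented. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

Inside the servlet the presented chain is available as the `javax.servlet.request.X509Certificate` request attribute (an `X509Certificate[]`, leaf first), and `request.getUserPrincipal()` carries the principal the login module derived from it. Entries in roles.properties are keyed by that principal name (by default the certificate's subject DN), so the `=`, `:` and spaces inside the DN must be backslash-escaped as java.util.Properties requires, or the lookup silently yields no roles and every request is refused.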