11:02 a.m.
On 27/06/13 16:14, Bill Burke wrote:
You can just pass in a dummy trust manager.
Yes we use custom trust managers in a couple of places.
The response from this method may only be applicable to web browsers but
I seem to remember there was something that the browser relied on this
information coming from the server to decide which certificates the
client could choose from.
For a client where this is entirely in it's control this may not be an
issue.
I am not against what you are asking for, let me try it out again and I
will see what options we have for a trust anything config, even for our
Client Cert scenario integrating with PicketLink it may be easier for us
to trust anything and then compare with PicketLink at the time a secured
resource is accessed.
Regards,
Darran Lofthouse.
On 6/27/2013 11:04 AM, Darran Lofthouse wrote:
> I will have another look, last time I looked into this however there did
> seem to be a need for list of accepted issuers of certificates to be
> returned from the X509TrustManager in use: -
>
> X509Certificate[] getAcceptedIssuers()
>
> Regards,
> Darran Lofthouse.
>
>
> On 27/06/13 14:10, Bill Burke wrote:
>> Its an IDM SaaS, so different realms will have different security
>> models. It should be possible from a NIO perspective, no? Last time I
>> looked at that stuff it did seem possible.
>>
>> On 6/27/2013 5:47 AM, Darran Lofthouse wrote:
>>> I will check for you but from last time I worked on this I am not sure
>>> if that is possible - I think a valid trust store was still required
>>> server side to verify the remote certificate - even if it was just a
>>> trust store containing certificate authority certificates.
>>>
>>> Do your clients definitely not have a least a common certificate
>>> authority signing their certificates?
>>>
>>> Regards,
>>> Darran Lofthouse.
>>>
>>>
>>> On 26/06/13 23:57, Bill Burke wrote:
>>>> Sorry, I want to be able to validate the client cert within the
>>>> application servlet.
>>>>
>>>> On 6/26/2013 6:56 PM, Bill Burke wrote:
>>>>> I think you misunderstood me. Not looking for client-cert auth. I
want
>>>>> to be able to validate the client server within the application
servlet.
>>>>>
>>>>> On 6/26/2013 6:50 PM, Tomaz Cerar wrote:
>>>>>> It can do it already but config is going to change in future.
>>>>>>
>>>>>> Take a look at WebCERTTestsSecurityDomainSetup in testsuite on
how to do it.
>>>>>>
>>>>>> Basicly you have to setup securityRealm with server ssl cert,
then setup
>>>>>> securtiy constraints for web app
>>>>>>
>>>>>> That test we have in testsuite also tests mapping client certs to
users via
>>>>>> CertificateRoles security module.
>>>>>>
>>>>>> --
>>>>>> tomaz
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: undertow-dev-bounces(a)lists.jboss.org
[mailto:undertow-dev-
>>>>>>> bounces(a)lists.jboss.org] On Behalf Of Bill Burke
>>>>>>> Sent: Thursday, June 27, 2013 12:11 AM
>>>>>>> To: undertow-dev(a)lists.jboss.org
>>>>>>> Subject: [undertow-dev] certs
>>>>>>>
>>>>>>> I need to be able to client certs in the following manner:
>>>>>>>
>>>>>>> * Set the server to WANT client certs so that it is optional
>>>>>>> * Obtain certificate at the servlet layer so I can validate
it myself.
>>>>>>>
>>>>>>> Can Undertow do these yet? Just want to know so I can create
the
>>>>>>> appropriate jiras.
>>>>>>>
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>>>> http://bill.burkecentral.com
>>>>>>> _______________________________________________
>>>>>>> undertow-dev mailing list
>>>>>>> undertow-dev(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>>>>
>>>>>
>>>>
>>> _______________________________________________
>>> undertow-dev mailing list
>>> undertow-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>
>>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>