The basic steps are:
In standalone.xml:
- Add an HTTPS listener to the undertow subsystem:
    <https-listener name="https" socket-binding="https"
                    security-realm="myrealm"/>
- Add a security realm:
    <security-realm name="myrealm">
        <server-identities>
            <ssl>
                <!-- server key/certificate presented to clients -->
                <keystore path="/keystores/clientcert.jks"
                          relative-to="jboss.server.config.dir"
                          keystore-password="mypassword"/>
            </ssl>
        </server-identities>
        <authentication>
            <!-- CA certificates that client certificates must chain to -->
            <truststore path="/keystores/undertow.keystore"
                        relative-to="jboss.server.config.dir"
                        keystore-password="mypassword"/>
        </authentication>
    </security-realm>
- Add security domains to the security subsystem; they should look something like this (although
it will depend on how you store your user information):
    <security-domain name="ssl">
        <jsse truststore-url="../standalone/configuration/keystores/undertow.keystore"
              truststore-password="mypassword"
              keystore-url="../standalone/configuration/keystores/clientcert.jks"
              keystore-password="mypassword"/>
    </security-domain>
    <security-domain name="client-cert">
        <authentication>
            <!-- validates the client certificate against the "ssl" domain's
                 truststore and maps its subject to roles from roles.properties -->
            <login-module code="CertificateRoles" flag="required">
                <module-option name="password-stacking" value="userFirstPass"/>
                <module-option name="securityDomain" value="ssl"/>
                <module-option name="rolesProperties"
                               value="../standalone/configuration/security/roles.properties"/>
            </login-module>
        </authentication>
        <authorization>
            <policy-module code="Delegating" flag="required"/>
        </authorization>
        <mapping>
            <mapping-module code="DeploymentRoles" type="role"/>
        </mapping>
    </security-domain>
- Set the authentication mechanism to CLIENT_CERT in web.xml.
- In jboss-web.xml specify your security domain:
    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <security-domain>client-cert</security-domain>
    </jboss-web>
We are taking steps to simplify this configuration, and unify (and hopefully simplify) all
our SSL config, although I am not sure when this will be done.
Stuart
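A web.xml to go with the steps above, added here as an example; it is not part of Stuart's reply or of the WildFly distribution. The login-config selects CLIENT_CERT, and a security-constraint restricts /secure/* to callers holding the role "cert-user" and forces TLS for it. The URL pattern and the role name are assumptions; whatever role you use must also be granted in the roles.properties file that the CertificateRoles login module reads.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original thread): web.xml for the deployment
     whose jboss-web.xml points at the "client-cert" security domain. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- CLIENT_CERT: authenticate with the TLS client certificate instead of a
       FORM or BASIC challenge. The realm-name is informational for this
       mechanism; the actual user/role lookup is done by the security domain. -->
  <login-config>
    <auth-method>CLIENT_CERT</auth-method>
    <realm-name>client-cert</realm-name>
  </login-config>

  <!-- Assumed path and role: everything under /secure/ needs an authenticated
       caller in role "cert-user". CONFIDENTIAL makes the container refuse to
       serve these URLs over plain HTTP (it redirects to the https listener),
       so a certificate can never be "authenticated" on a cleartext request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>client-cert-protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Declare the role so the deployment's role references are checked. -->
  <security-role>
    <role-name>cert-user</role-name>
  </security-role>
</web-app>
```

The CertificateRoles login module takes the principal name from the client certificate's subject DN, so each line of roles.properties maps a DN to a role list, with `=` and spaces in the key escaped as Java properties require, for example `CN\=alice,OU\=dev,O\=example=cert-user` (a made-up DN). To check the deployment, send a request with a client certificate issued by a CA present in undertow.keystore, e.g. `curl --cert client.pem --key client.key --cacert server-ca.pem https://localhost:8443/myapp/secure/` (file names and context path assumed); the same request without a certificate, or with one from a CA that is not in the truststore, must not be served the page. Inside the application the certificate chain is available as the `javax.servlet.request.X509Certificate` request attribute (an `X509Certificate[]`).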
----- Original Message -----
From: "John Robinson" <jsrobin(a)gmail.com>
To: "undertow-dev" <undertow-dev(a)lists.jboss.org>
Sent: Thursday, 5 March, 2015 4:32:43 AM
Subject: [undertow-dev] SSL client authorization -- how ?
What are the detailed configuration instructions to configure
"standalone.xml", web.xml, and jboss-web.xml to set up SSL with client
authorization?
Could someone direct me to the appropriate place to find detailed
configuration information on how to have a WildFly 8.2 server evoke from a
client, a certificate under SSL.
The certificate, I expect, would be sent via the
"javax.servlet.request.X509Certificate" request attribute.
If this is an inappropriate forum for this question, please feel free to
direct me to the correct forum.
Thanks in advance for your help.
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev