[jboss-user] [Security & JAAS/JBoss] - RMI over SSL - mutual authentication

Evka do-not-reply at jboss.com
Wed Dec 13 04:46:56 EST 2006


Hello everybody.
I've tried to configure Jboss to use RMI over SSL to access my Session beans. It works fine only that way, the server sends it's certificate key to the client and client must have it in it's trust store, but the client isn't required to send it's certificate key to the server and server doesn't control it. Could you please help me? What am I doing wrong?

The service XML file deployed on server:

  | <?xml version="1.0" encoding="UTF-8"?>
  | <server>
  | 
  |   <!-- The SSL domain setup -->
  |   <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
  |        name="jboss.security:service=JaasSecurityDomain,domain=RMI+SSL">
  |     <constructor>
  |         <arg type="java.lang.String" value="RMI+SSL"/>
  |     </constructor>
  |     <attribute name="KeyStoreURL">d:/jboss-4.0.4.GA/server/suc/certs/ServerKeyTrust.jks</attribute>
  |     <attribute name="KeyStorePass">password</attribute>
  |     <attribute name="TrustStoreURL">d:/jboss-4.0.4.GA/server/suc/certs/ServerKeyTrust.jks</attribute>
  |     <attribute name="TrustStorePass">password</attribute>
  |     <attribute name="ManagerServiceName">jboss.security:service=JaasSecurityManager</attribute>
  | </mbean> 
  | 
  | <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
  |       name="jboss.security:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true">
  |       <attribute name="RMIObjectPort">14445</attribute>
  |       <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory
  |       </attribute>
  |       <attribute name="RMIServerSocketFactoryBean"
  |          attributeClass="org.jboss.security.ssl.RMISSLServerSocketFactory"
  |          serialDataType="javaBean">
  |          <property name="bindAddress">${jboss.bind.address}</property>
  |          <property name="securityDomain">java:/jaas/RMI+SSL</property>
  |          <property name="wantsClientAuth">true</property>
  |          <property name="needsClientAuth">true</property>
  |       </attribute>
  |       <depends>jboss.security:service=JaasSecurityDomain,domain=RMI+SSL</depends>
  |    </mbean>
  | </server>
  | 

Part of the definition in jboss.xml in my deployed application:

  | <session>
  |          <ejb-name>SlSbModule</ejb-name>
  |          <jndi-name>ejb/SlSbModule</jndi-name>
  |          <local-jndi-name>SlSbModuleLocal</local-jndi-name>
  | 		<invoker-bindings>
  |                <invoker>
  |                    <invoker-proxy-binding-name>
  |                        stateless-ssl-invoker
  |                    </invoker-proxy-binding-name>
  |                </invoker>
  |                <call-logging>true</call-logging>
  |            </invoker-bindings>
  |       </session>
  | ...
  | <invoker-proxy-bindings>
  |         <invoker-proxy-binding>
  |             <name>stateless-ssl-invoker</name>
  |             <!--  invoker-mbean>jboss:service=invoker,type=jrmp,socketType=SSL</invoker-mbean -->
  | 			<invoker-mbean>jboss.security:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true</invoker-mbean>
  |             <proxy-factory>org.jboss.proxy.ejb.ProxyFactory</proxy-factory>
  |             <proxy-factory-config>
  |             <client-interceptors>
  |                 <home>
  |                     <interceptor>org.jboss.proxy.ejb.HomeInterceptor</interceptor>
  |                     <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
  |                     <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
  |                     <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
  |                 </home>
  |                 <bean>
  |                     <interceptor>org.jboss.proxy.ejb.StatelessSessionInterceptor</interceptor>
  |                     <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
  |                     <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
  |                     <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
  |                 </bean>
  |             </client-interceptors>
  |             </proxy-factory-config>
  |         </invoker-proxy-binding>
  |     </invoker-proxy-bindings>
  | 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3993308#3993308

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3993308



More information about the jboss-user mailing list