[jboss-user] [Security & JAAS/JBoss] - Problem - if USB Token is removed, web application must not

ensoreus do-not-reply at jboss.com
Thu Apr 16 08:22:23 EDT 2009


     I'm using JBoss 4.2.2.GA for a J2EE web application, running on a secured VPN. The application must all be SSL-enabled and the users accesing it must have an USB eToken Pro (with their client certificate on it). The application runs on Internet Explorer 7 (client requirement).

If the user removes the usb token the web application must not allow any other operation.  If I run the application on Firefox 3, remove the token and then try to continue with the application an error message appears:

anonymous wrote : Secure Connection Failed
  | PKCS#11 token was inserted or removed while operation was in progress.
  | (Error code: ssl_error_token_insertion_removal)

Internet Explorer 7 doesn't have the same behavior if I remove the token.
On IE7 the application behaves the same even if I remove the token.

Can someone give me some advice on how to configure this behavior on JBoss (when the user removes the token, the application must not be accessible anymore) ? How can I enforce client certificate authentication not just at login time, but more frequently so if the user removes the token the application must not be accessible anymore ?
In Apache Http Server there is an option to configure the SSL Session Timeout, but could not find this in JBoss AS (in embedded Tomcat):

anonymous wrote : Apache Http Server
  | #  SessionCache Timeout:
  | #  This directive sets the timeout in seconds for the information stored
  | #  in the global/inter-process SSL Session Cache. It can be set as low as
  | #  15 for testing, but should be set to higher values like 300 in real life.
  | SSLSessionCacheTimeout  30

The SSL Connector in JBoss is configured as follows:

<!-- SSL/TLS Connector with encrypted  keystore/truststore  password configuration  -->
  |     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
  |          maxThreads="150" scheme="https" secure="true"
  | 		 clientAuth="true" strategy="ms"
  | 	     address="${jboss.bind.address}"
  |          sslProtocol = "TLS" 
  |          securityDomain="java:/jaas/security-domain"
  |          SSLImplementation="org.jboss.net.ssl.JBossImplementation" />

The JaasSecurityDomain MBean is configured like this:
  |    <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
  |       name="jboss.security:service=SecurityDomain">
  |       <constructor>
  |          <arg type="java.lang.String" value="security-domain"></arg>
  |       </constructor>
  |       <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/server.keystore</attribute>
  |       <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/serverKeystore.password</attribute>
  | 	  <attribute name="TrustStoreURL">${jboss.server.home.dir}/conf/user.truststore</attribute>
  |       <attribute name="TrustStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/userTruststore.password</attribute>
  |       <attribute name="Salt">jbossserver</attribute>
  |       <attribute name="IterationCount">13</attribute>
  |    </mbean>
  | </server>

Any help at all would be highly appreciated. 



View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4225896#4225896

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4225896

More information about the jboss-user mailing list