[security-dev] Resteasy authentication

Darran Lofthouse darran.lofthouse at jboss.com
Thu Nov 29 11:32:07 EST 2012


On 11/29/2012 04:26 PM, Bill Burke wrote:
> Ya, take my proclamation with a 60% probability it is true.  I just
> remember setting up JBossWeb to "WANT" and my browser doing nothing when
> I connected.  Maybe it's because my browser didn't have any certs
> installed, so it didn't bother prompting me.

That does sound familiar, but at the same point, if a user had not gone to 
the effort of defining a certificate, that is probably exactly the kind 
of user you would want to allow the fallback to without a scary message 
popping up asking them to define a certificate.

>>> Another thing that sucks is that JBossWeb pretty much requires you to
>>> plug in a global truststore for client-certs when you configure SSL for
>>> it.  So, you can't have different truststores for different apps and
>>> have the security domain handle the verification of the client
>>> certificate.
>>
>> Yes that is a general problem as until the connection is established it
>> is not possible to identify which application is being accessed.
>
> I don't think you need to know the identity of the application at
> connection establishment. Just have JBossWeb accept all certificates,
> dispatch the request,  then verify the certificate with the bound
> Security Domain.  Am I wrong here?

That is fairly trivial if you are providing your own X509TrustManager 
implementation.

(Just to clarify, I'm thinking about some of this more generally in AS 
terms, where the restrictions of JBossWeb do not always apply.)
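The scheme Bill sketches and Darran calls trivial with a custom X509TrustManager, as an added example that is not code from this thread, from JBossWeb or from AS: the handshake-time trust manager lets any client chain through so the connection is established, and the chain is verified afterwards, per application, against that application's own truststore. Everything here is assumed for illustration: the class and method names, the file names server.jks and appA-trust.jks with password "changeit", the application name "appA", port 8443, and the decision to leave revocation checking out.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class DeferredClientCertAuth {

    /** Handshake-time trust manager: accepts any client chain so the TLS
     *  connection completes. Nothing is trusted here; the chain is only
     *  sanity-checked and left for per-application verification later. */
    static final class DeferredClientTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty client certificate chain");
            }
            // Deliberately no truststore lookup: which application is being
            // accessed is unknown until the request has been read and dispatched.
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new CertificateException("server-side trust manager only");
        }
        @Override public X509Certificate[] getAcceptedIssuers() {
            // Empty: no CA names are advertised in CertificateRequest, so a
            // browser may offer a certificate from any issuer.
            return new X509Certificate[0];
        }
    }

    /** Per-application verification, run after dispatch. Each application
     *  (security domain) registers its own truststore; an application that
     *  has none fails closed rather than inheriting a global truststore. */
    static final class AppCertVerifier {
        private final Map<String, KeyStore> trustStores = new ConcurrentHashMap<>();

        void register(String app, KeyStore trustStore) { trustStores.put(app, trustStore); }

        X509Certificate verify(String app, X509Certificate[] chain) throws CertificateException {
            KeyStore ts = trustStores.get(app);
            if (ts == null) {
                throw new CertificateException("no client truststore registered for " + app);
            }
            try {
                List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
                // PKIX wants the trust anchor outside the path: drop a trailing
                // root certificate that this application's truststore already holds.
                X509Certificate last = path.get(path.size() - 1);
                if (path.size() > 1 && ts.getCertificateAlias(last) != null) {
                    path.remove(path.size() - 1);
                }
                CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
                PKIXParameters params = new PKIXParameters(ts);
                params.setRevocationEnabled(false); // assumption: CRL/OCSP handled elsewhere
                CertPathValidator.getInstance("PKIX").validate(cp, params);
                return chain[0]; // end-entity certificate, now verified for this app only
            } catch (GeneralSecurityException e) {
                throw new CertificateException("client certificate rejected for " + app, e);
            }
        }
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed files: server.jks holds the server key; appA-trust.jks holds
        // the CA(s) that application "appA" accepts for client certificates.
        char[] pw = "changeit".toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("server.jks", pw), pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { new DeferredClientTrustManager() }, null);

        AppCertVerifier verifier = new AppCertVerifier();
        verifier.register("appA", load("appA-trust.jks", pw));

        try (SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443);
             SSLSocket client = (SSLSocket) server.accept()) {
            server.setWantClientAuth(true); // "WANT": a client with no cert still connects
            client.startHandshake();
            try {
                // In a servlet container this chain arrives as the
                // "javax.servlet.request.X509Certificate" request attribute.
                Certificate[] peer = client.getSession().getPeerCertificates();
                X509Certificate[] chain = Arrays.copyOf(peer, peer.length, X509Certificate[].class);
                X509Certificate user = verifier.verify("appA", chain);
                System.out.println("appA accepted " + user.getSubjectX500Principal());
            } catch (SSLPeerUnverifiedException noCert) {
                System.out.println("no client certificate: fall back to another auth mechanism");
            }
        }
    }
}
```

The design point is that the accept-all trust manager moves the trust decision out of the connector entirely, so every application reachable through that connector must run AppCertVerifier (or an equivalent security-domain check) before it treats the certificate as an identity; a request that reaches application code without that step has been authenticated by nothing. Note also that setWantClientAuth(true) combined with an empty getAcceptedIssuers() is exactly the configuration under which a browser with no usable certificate completes the handshake silently, which is the fallback behaviour the thread describes.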
