[undertow-dev] certs

[Darran Lofthouse]

On 27/06/13 16:14, Bill Burke wrote:
> You can just pass in a dummy trust manager.

Yes we use custom trust managers in a couple of places.

The response from this method may only be applicable to web browsers but 
I seem to remember there was something that the browser relied on this 
information coming from the server to decide which certificates the 
client could choose from.

For a client where this is entirely in it's control this may not be an 
issue.

I am not against what you are asking for, let me try it out again and I 
will see what options we have for a trust anything config, even for our 
Client Cert scenario integrating with PicketLink it may be easier for us 
to trust anything and then compare with PicketLink at the time a secured 
resource is accessed.

Regards,
Darran Lofthouse.

> On 6/27/2013 11:04 AM, Darran Lofthouse wrote:
>> I will have another look, last time I looked into this however there did
>> seem to be a need for list of accepted issuers of certificates to be
>> returned from the X509TrustManager in use: -
>>
>>      X509Certificate[] getAcceptedIssuers()
>>
>> Regards,
>> Darran Lofthouse.
>>
>>
>> On 27/06/13 14:10, Bill Burke wrote:
>>> Its an IDM SaaS, so different realms will have different security
>>> models.  It should be possible from a NIO perspective, no?  Last time I
>>> looked at that stuff it did seem possible.
>>>
>>> On 6/27/2013 5:47 AM, Darran Lofthouse wrote:
>>>> I will check for you but from last time I worked on this I am not sure
>>>> if that is possible - I think a valid trust store was still required
>>>> server side to verify the remote certificate - even if it was just a
>>>> trust store containing certificate authority certificates.
>>>>
>>>> Do your clients definitely not have a least a common certificate
>>>> authority signing their certificates?
>>>>
>>>> Regards,
>>>> Darran Lofthouse.
>>>>
>>>>
>>>> On 26/06/13 23:57, Bill Burke wrote:
>>>>> Sorry, I want to be able to validate the client cert within the
>>>>> application servlet.
>>>>>
>>>>> On 6/26/2013 6:56 PM, Bill Burke wrote:
>>>>>> I think you misunderstood me.  Not looking for client-cert auth.  I want
>>>>>> to be able to validate the client server within the application servlet.
>>>>>>
>>>>>> On 6/26/2013 6:50 PM, Tomaz Cerar wrote:
>>>>>>> It can do it already but config is going to change in future.
>>>>>>>
>>>>>>> Take a look at WebCERTTestsSecurityDomainSetup in testsuite on how to do it.
>>>>>>>
>>>>>>> Basicly you have to setup securityRealm with server ssl cert, then setup
>>>>>>> securtiy constraints for web app
>>>>>>>
>>>>>>> That test we have in testsuite also tests mapping client certs to users via
>>>>>>> CertificateRoles security module.
>>>>>>>
>>>>>>> --
>>>>>>> tomaz
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: undertow-dev-bounces at lists.jboss.org [mailto:undertow-dev-
>>>>>>>> bounces at lists.jboss.org] On Behalf Of Bill Burke
>>>>>>>> Sent: Thursday, June 27, 2013 12:11 AM
>>>>>>>> To: undertow-dev at lists.jboss.org
>>>>>>>> Subject: [undertow-dev] certs
>>>>>>>>
>>>>>>>> I need to be able to client certs in the following manner:
>>>>>>>>
>>>>>>>> * Set the server to WANT client certs so that it is optional
>>>>>>>> * Obtain certificate at the servlet layer so I can validate it myself.
>>>>>>>>
>>>>>>>> Can Undertow do these yet?  Just want to know so I can create the
>>>>>>>> appropriate jiras.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>> http://bill.burkecentral.com
>>>>>>>> _______________________________________________
>>>>>>>> undertow-dev mailing list
>>>>>>>> undertow-dev at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>>>>>
>>>>>>
>>>>>
>>>> _______________________________________________
>>>> undertow-dev mailing list
>>>> undertow-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>>
>>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>