[undertow-dev] SSL client authorization -- how ?

Stuart Douglas sdouglas at redhat.com
Thu Mar 5 22:52:03 EST 2015


The basic steps are:

In standalone.xml

Add a HTTPS listener to the undertow subsystem:

<https-listener name="https" socket-binding="https" security-realm="myrealm"/>

Add a security realm:


<security-realm name="myrealm">
    <server-identities>
        <ssl>
            <keystore path="/keystores/clientcert.jks" relative-to="jboss.server.config.dir" keystore-password="mypassword" />
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="/keystores/undertow.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" />
    </authentication>
</security-realm>

Add security domains to the security subsystem; they should look something like this (although it will depend on how you store your user information):


<security-domain name="ssl">
    <jsse truststore-url="../standalone/configuration/keystores/undertow.keystore"
          truststore-password="mypassword"
          keystore-url="../standalone/configuration/keystores/clientcert.jks"
          keystore-password="mypassword"/>
</security-domain>
<security-domain name="client-cert">
    <authentication>
        <login-module code="CertificateRoles" flag="required">
            <module-option name="password-stacking" value="userFirstPass"/>
            <module-option name="securityDomain" value="ssl"/>
            <module-option name="rolesProperties" value="../standalone/configuration/security/roles.properties"/>
        </login-module>
    </authentication>
    <authorization>
        <policy-module code="Delegating" flag="required"/>
    </authorization>
    <mapping>
        <mapping-module code="DeploymentRoles" type="role"/>
    </mapping>
</security-domain>

- Set the authentication mechanism as CLIENT_CERT in web.xml
- In jboss-web.xml specify your security domain:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>client-cert</security-domain>
</jboss-web>


We are taking steps to simplify this configuration, and unify (and hopefully simplify) all our SSL config, although I am not sure when this will be done.

Stuart

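The steps above end at the container: the realm verifies the client chain against the truststore, the CertificateRoles login module turns the certificate into a principal with roles, and the deployment's web.xml and jboss-web.xml wire that in. What the application then sees is the request attribute John asks about. The servlet below is an added example, not code from either post or from the Undertow/WildFly projects; it assumes web.xml declares `<auth-method>CLIENT-CERT</auth-method>` (the Servlet spec's token for the mechanism Stuart names) with a security constraint over `/secure/*`, and the role name `admin` and the URL mapping are made up for illustration.

```java
// Added example (not from the original thread): a servlet that reads the client
// certificate Undertow exposes after a CLIENT-CERT handshake and re-checks it before use.
// Assumes web.xml uses <auth-method>CLIENT-CERT</auth-method> and constrains /secure/*;
// the "/secure/whoami" mapping and the "admin" role are hypothetical.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/secure/whoami")
public class ClientCertServlet extends HttpServlet {

    // Attribute name defined by the Servlet spec; the container sets it only when the
    // TLS handshake actually carried a client certificate chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // Defensive check: even behind a CLIENT-CERT constraint, never assume the chain is
        // present (plain HTTP listener, misconfigured realm, or a proxy that stripped TLS).
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // chain[0] is the end-entity (client) certificate; any further entries are the
        // intermediates the client presented. Trust in the chain was established by the
        // realm's truststore; here we only re-check the validity window.
        X509Certificate client = chain[0];
        try {
            client.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate not currently valid: " + e.getMessage());
            return;
        }

        // The subject DN is the identity the certificate carries; the container principal
        // and roles come from the "client-cert" security domain (roles.properties).
        String subject = client.getSubjectX500Principal().getName();
        String issuer = client.getIssuerX500Principal().getName();
        String principal = req.getUserPrincipal() == null ? "none" : req.getUserPrincipal().getName();

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("client certificate subject: " + subject);
        out.println("issued by:                  " + issuer);
        out.println("serial (hex):               " + client.getSerialNumber().toString(16));
        out.println("container principal:        " + principal);
        out.println("in role 'admin':            " + req.isUserInRole("admin"));
    }
}
```

Deploy it alongside the jboss-web.xml shown above and request `/secure/whoami` over the HTTPS listener with a certificate signed by a CA in `undertow.keystore`; a request without a certificate never reaches the servlet when the constraint is in place, and the explicit null check covers the cases where it does.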

----- Original Message -----
> From: "John Robinson" <jsrobin at gmail.com>
> To: "undertow-dev" <undertow-dev at lists.jboss.org>
> Sent: Thursday, 5 March, 2015 4:32:43 AM
> Subject: [undertow-dev] SSL client authorization -- how ?
> 
> What are the detailed configuration instructions to configure
> "standalone.xml", web.xml, and jboss-web.xml to set up SSL with client
> authorization?
> 
> Could someone direct me to the appropriate place to find detailed
> configuration information on how to have a WildFly 8.2 server evoke from a
> client, a certificate under SSL.
> 
> The certificate, I expect, would be sent via the
> "javax.servlet.request.X509Certificate" request attribute.
> 
> If this is an inappropriate forum for this question, please feel free to
> direct me to the correct forum.
> 
> Thanks in advance for your help.
> 
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
