2 Replies Latest reply on Sep 8, 2006 4:11 AM by pchojniak

EJB client and its authentication by the client certificate?

gfzhang Mar 24, 2006 3:43 AM

I have read chap8 Security on JBoss in JBoss Admin Development Guide.

About 8.7 Using SSL with JBoss using JSSE, I want to know how could I do if I require the client authentication in SSL, that is, like what we did by calling SSLSocket.setNeedClientAuth()).

About JAAS and the EJB client authentication, if I want the client to be authenticated by its certificate (for example, using BaseCertLoginModule), how should I do in the EJB client? I mean what client login module should I use? should I have to develop a client login module myself(how?)?

Is there any sample or document that described the client certifcate authenticate about the EJB client?

Thanks.

1. Re: EJB client and its authentication by the client certific

starksm64 Mar 28, 2006 1:08 PM (in response to gfzhang)

Support for this was just recently added to the pooled invoker. See
testsuite/src/resources/pooled/jboss-service.xml for an example:

<?xml version="1.0" encoding="UTF-8"?>

<server>

 <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
 name="jboss.security:service=JaasSecurityDomain,domain=pooled-ssl">
 <constructor>
 <arg type="java.lang.String" value="pooled-ssl"/>
 </constructor>
 <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
 <attribute name="KeyStorePass">unit-tests-server</attribute>
 <attribute name="TrustStoreURL">resource:localhost.keystore</attribute>
 <attribute name="TrustStorePass">unit-tests-server</attribute>
 <attribute name="Salt">abcdefgh</attribute>
 <attribute name="IterationCount">13</attribute>
 </mbean>

 <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
 name="jboss:service=invoker,type=pooled,socketType=SSLSocketFactory,wantsClientAuth=true">
 <attribute name="NumAcceptThreads">1</attribute>
 <attribute name="MaxPoolSize">300</attribute>
 <attribute name="ClientMaxPoolSize">300</attribute>
 <attribute name="SocketTimeout">60000</attribute>
 <attribute name="ServerBindAddress">${jboss.bind.address}</attribute>
 <attribute name="ServerBindPort">0</attribute>
 <attribute name="ClientConnectAddress">${jboss.bind.address}</attribute>
 <attribute name="ClientConnectPort">0</attribute>
 <attribute name="ClientRetryCount">1</attribute>
 <attribute name="EnableTcpNoDelay">false</attribute>

 <!-- Customized socket factory attributes -->
 <attribute name="ClientSocketFactoryName">org.jboss.security.ssl.ClientSocketFactory</attribute>
 <attribute name="ServerSocketFactory"
 attributeClass="org.jboss.security.ssl.DomainServerSocketFactory"
 serialDataType="javaBean">
 <property name="bindAddress">${jboss.bind.address}</property>
 <property name="securityDomain">java:/jaas/pooled-ssl</property>
 <property name="wantsClientAuth">true</property>
 <property name="needsClientAuth">true</property>
 <property name="CiperSuites">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property>
 <property name="Protocols">SSLv2Hello,SSLv3,TLSv1</property>
 </attribute>
 </mbean>

 <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
 name="jboss.security.tests:service=LoginConfig,policy=pooled-ssl">
 <attribute name="PolicyConfig" serialDataType="jbxb">
 <jaas:policy
 xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
 xmlns:jaas="urn:jboss:security-config:4.1"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 >
 <jaas:application-policy name="pooled-ssl">
 <jaas:authentication>
 <jaas:login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
 flag = "required">
 <jaas:module-option name="password-stacking">useFirstPass</jaas:module-option>
 <jaas:module-option name="securityDomain">java:/jaas/pooled-ssl</jaas:module-option>
 </jaas:login-module>
 <jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule"
 flag="required">
 <jaas:module-option name="password-stacking">useFirstPass</jaas:module-option>
 <jaas:module-option name="userInfo">
 <ur:users
 xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
 xmlns:ur="urn:jboss:user-roles:1.0">
 <ur:user name="CN=unit-tests-client, OU=JBoss Inc., O=JBoss Inc., ST=Washington, C=US" password="">
 <ur:role name="Echo"/>
 </ur:user>
 </ur:users>
 </jaas:module-option>
 <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
 </jaas:login-module>
 </jaas:authentication>
 </jaas:application-policy>
 </jaas:policy>
 </attribute>
 <depends optional-attribute-name="LoginConfigService">
 jboss.security:service=XMLLoginConfig
 </depends>
 <depends optional-attribute-name="SecurityManagerService">
 jboss.security:service=JaasSecurityManager
 </depends>
 </mbean>

</server>

2. Re: EJB client and its authentication by the client certific

pchojniak Sep 8, 2006 4:11 AM (in response to gfzhang)

Hi

I'm not sure that this answer coresponds to posted questions!

I have the same problem I want to use "ssl Client" credential and principal to use them in my own AuthorizationLoginModule. As I understand ssl, it authenticates client so we do not need to authenticate client in BaseCertLoginModule again, why not take the credential and principal from ssl and put them into sharedState.

Do I have to use LoginContext when I use SSL?!
Actions

Go to original post