Problem - if USB Token is removed, web application must not
ensoreus Apr 16, 2009 8:22 AMHi,
I'm using JBoss 4.2.2.GA for a J2EE web application, running on a secured VPN. The application must all be SSL-enabled and the users accesing it must have an USB eToken Pro (with their client certificate on it). The application runs on Internet Explorer 7 (client requirement).
If the user removes the usb token the web application must not allow any other operation. If I run the application on Firefox 3, remove the token and then try to continue with the application an error message appears:
Secure Connection Failed
PKCS#11 token was inserted or removed while operation was in progress.
(Error code: ssl_error_token_insertion_removal)
Internet Explorer 7 doesn't have the same behavior if I remove the token.
On IE7 the application behaves the same even if I remove the token.
Can someone give me some advice on how to configure this behavior on JBoss (when the user removes the token, the application must not be accessible anymore) ? How can I enforce client certificate authentication not just at login time, but more frequently so if the user removes the token the application must not be accessible anymore ?
In Apache Http Server there is an option to configure the SSL Session Timeout, but could not find this in JBoss AS (in embedded Tomcat):
Apache Http Server
# SessionCache Timeout:
# This directive sets the timeout in seconds for the information stored
# in the global/inter-process SSL Session Cache. It can be set as low as
# 15 for testing, but should be set to higher values like 300 in real life.
SSLSessionCacheTimeout 30
The SSL Connector in JBoss is configured as follows:
<!-- SSL/TLS Connector with encrypted keystore/truststore password configuration --> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" strategy="ms" address="${jboss.bind.address}" sslProtocol = "TLS" securityDomain="java:/jaas/security-domain" SSLImplementation="org.jboss.net.ssl.JBossImplementation" />
The JaasSecurityDomain MBean is configured like this:
<server> <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=SecurityDomain"> <constructor> <arg type="java.lang.String" value="security-domain"></arg> </constructor> <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/server.keystore</attribute> <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/serverKeystore.password</attribute> <attribute name="TrustStoreURL">${jboss.server.home.dir}/conf/user.truststore</attribute> <attribute name="TrustStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/userTruststore.password</attribute> <attribute name="Salt">jbossserver</attribute> <attribute name="IterationCount">13</attribute> </mbean> </server>
Any help at all would be highly appreciated.
Thanks.
Andrei