2 Replies Latest reply on Apr 6, 2006 8:48 AM by roman.angelov

    JBoss 4.0.3 client authorization - gap in the JBoss security

    roman.angelov

      Hi dear experts,
      I posted a topic about the problem but I haven't had an answer... The problem is very serious, I think. I followed all the steps described by JBoss for configuring an SSL connection on JBoss 4.0.3, and in
      \jboss-4.0.3SP1\jboss-4.0.3SP1\server\default\deploy\jbossweb-tomcat55.sar I edited server.xml and I put

      <!-- -->
      For me client-side authorization is very important, but...
      I don't get an exception...
      I have installed a few certificates and all of them work well with JBoss 3.0.7 - client-side authorization is performed well.
      BUT all of these certificates are invisible in JBoss 4.0.3; the end user cannot be authorized. When I click on the SSL link, JBoss 4.0.3 displays an empty list of installed certificates on the client side...
      JBoss 4.0.3 and JBoss 3.0.7 are configured with the same keystore file...
      I'm waiting for your opinions on this complex problem.

        • 1. Re: JBoss 4.0.3 client authorization - gap in the JBoss secu
          starksm64

          There are client cert tests in the 4.0.x testsuite, so with the info given I have to say it's a configuration problem.

          • 2. Scott Stark,
            roman.angelov

            First - I want to say "Thank you" for the help of Scott Stark,
            I resolved the problem with more information from the testsuite in the JBoss 4.0.3 source distribution. Really, my configuration is not wrong and there aren't mistakes... but an additional parameter needs to be added


            <!-- -->

            truststoreFile="${jboss.server.home.dir}/conf/server2.keystore"

            Without this row it's impossible for the clients to authenticate themselves, but on the server side there aren't any exceptions...
            This fact is very, very strange because:
            1. I created the keystore and imported all the certificates there as "trusted" -> the keystore must be enough
            2. By default, if there are no trusted certificates, JBoss has a special exception for this purpose.
            Anyway, I have done my task and I want to say "Thank you". Have a nice day, Scott Stark.
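
An added example, not part of the original thread: a small check that flags HTTPS connectors in a Tomcat/JBoss server.xml that request client certificates but set no truststoreFile, the condition that produced no server-side exception here. The two Connector elements, their ports and passwords, and the function name are constructed for illustration; only the truststoreFile value is taken from the post above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: HTTPS connectors as they might appear in
# jbossweb-tomcat55.sar/server.xml. Ports and passwords are placeholders.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="jboss.web">
    <!-- Requests client certificates but names no trust store -->
    <Connector port="8443" scheme="https" secure="true" clientAuth="true"
               keystoreFile="${jboss.server.home.dir}/conf/server2.keystore"
               keystorePass="CHANGE_ME" sslProtocol="TLS"/>
    <!-- Same connector with the trust store set explicitly -->
    <Connector port="8444" scheme="https" secure="true" clientAuth="true"
               keystoreFile="${jboss.server.home.dir}/conf/server2.keystore"
               keystorePass="CHANGE_ME"
               truststoreFile="${jboss.server.home.dir}/conf/server2.keystore"
               truststorePass="CHANGE_ME" sslProtocol="TLS"/>
    <!-- Plain HTTP connector, not relevant to the check -->
    <Connector port="8080"/>
  </Service>
</Server>
"""


def connectors_missing_truststore(server_xml):
    """Return the ports of connectors that ask for client certs without truststoreFile."""
    root = ET.fromstring(server_xml)
    flagged = []
    for conn in root.iter("Connector"):
        client_auth = conn.get("clientAuth", "false").strip().lower()
        if client_auth not in ("true", "want"):
            continue  # connector does not request a client certificate
        if not conn.get("truststoreFile", "").strip():
            flagged.append(conn.get("port", "?"))
    return flagged


if __name__ == "__main__":
    for port in connectors_missing_truststore(SAMPLE_SERVER_XML):
        # Without truststoreFile the connector falls back to the JVM's
        # default trust store settings instead of the configured keystore.
        print(f"port {port}: clientAuth is set but truststoreFile is missing")
```
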