1 Reply Latest reply on Mar 10, 2010 11:07 AM by dejanmr

    SSL difference authentication scenarios

    nschweig

      Hi,


I am relatively new to the topic of security. I have got a web application that runs in JBoss 5.0.1GA with a JSF layer (RichFaces) that communicates with EJB session beans. To store my data I have got a MySQL database. The users of my application have to register and have to log in on a form. For authentication I use servlet authentication (FORM) in combination with the JBoss security module "DatabaseServerLoginModule". It works, but I know that this is not very secure because the passwords are sent in plaintext. That is the reason why I want to use SSL.

I read the tutorial SSLSetup and I configured the web deployer of JBoss. That works. But I do not really understand the difference between the following authentication scenarios which are described in the tutorial:


      • 1 - SSL enabled on the server - the common case

      • 2 - SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client

      • 3 - SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client

      • 4 - SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert


      When do I need clientAuth="true" and what does it mean if I use clientAuth="false"?

If I have only configured the web deployer in JBoss, is my authentication secure? And is the communication between JSF and EJB secure?

I hope the questions are not too dumb... :-)


      Thanks a lot!

      Nicki

        • 1. Re: SSL difference authentication scenarios

          When do I need clientAuth="true" and what does it mean if I use clientAuth="false"?

If I have only configured the web deployer in JBoss, is my authentication secure? And is the communication between JSF and EJB secure?

I hope the questions are not too dumb... :-)


You can set up SSL so the client can access your server via HTTPS and be sure you are who you claim to be.


But if you set

clientAuth="true"

the client is also required to have a certificate, and you have to trust this certificate (have the certificate issuer in your trust store).


With

clientAuth="false"

anyone can access your server (open pages, use web services, etc.).
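For the two settings described in the reply, here is an added example (not from this thread or the JBoss SSLSetup tutorial) of how the scenarios map onto the HTTPS connector of the JBoss 5 web deployer; the server.xml location, keystore/truststore file names and passwords are assumptions.

```xml
<!-- Added illustration, not from the thread. Assumed location of the connector
     configuration: server/<config>/deploy/jbossweb.sar/server.xml.
     Store names and passwords are placeholders. Use ONE of the two connectors
     below, not both on the same port. -->

<!-- Scenario 1: server-side SSL only (clientAuth="false").
     The server proves its identity with the certificate in its keystore and
     the channel is encrypted, so the FORM login password is no longer sent in
     plaintext. Any client that trusts the server certificate can connect and
     reach the login form; user authentication still happens in the webapp. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="CHANGEME-keystore-password" />

<!-- Scenarios 2-4: mutual authentication (clientAuth="true").
     The TLS handshake additionally requires a client certificate whose issuer
     is in the truststore: the client's own self-signed certificate for
     scenarios 2 and 3 (standalone HTTP client vs. browser), or the CA
     certificate that issued the client certificates for scenario 4.
     A client without an acceptable certificate is rejected at the TLS layer,
     before any page or web service is served. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="CHANGEME-keystore-password"
           truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
           truststorePass="CHANGEME-truststore-password" />
```

With clientAuth="true" the container exposes the verified client certificate chain to the application as the servlet request attribute javax.servlet.request.X509Certificate, which is what a CLIENT-CERT auth-method keys on; with clientAuth="false" that attribute is simply absent.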