0 Replies Latest reply on Jan 28, 2013 10:30 AM by kohai.raul

    Q: Authentication with X.509 Certs on Jboss AS7

    kohai.raul

      Hi!!

      I'm new to JBoss AS7 and to this forum!!! (thanks to all for your help). I would like to know how to authenticate users based on X.509 certs ("citizen" modus). I'm experiencing problems trying to translate my "old" way from 5.0.1GA to the new AS7.

      Everything I did in JBoss 5.0.1GA was the following:

      1 - To copy server.keystore and my-truststore.jks to $JBOSS_HOME/server/default/conf.

      2 - To edit $JBOSS_HOME/server/default/deploy/jbossweb.sar/server.xml, adding a Connector:

      <Connector protocol="HTTP/1.1" SSLEnabled="true"
                 port="8443" address="${jboss.bind.address}"
                 scheme="https" secure="true" clientAuth="true"
                 keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
                 keystorePass="mypass" sslProtocol="TLS"
                 truststoreFile="${jboss.server.home.dir}/conf/my-truststore.jks"
                 truststorePass="mypass" />

      3 - To copy 2 files to $JBOSS_HOME/server/default/deploy. These files are:

      - certauth-service.xml -

      <server>
        <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=SecurityDomain">
          <constructor>
            <arg type="java.lang.String" value="certauthSecurity"></arg>
          </constructor>
          <attribute name="KeyStoreURL">truststore-catcert.jks</attribute>
          <attribute name="KeyStorePass">changeit</attribute>
          <depends>jboss.security:service=JaasSecurityManager</depends>
        </mbean>
      </server>

      - certauth-citizen-jboss-beans.xml -

      <?xml version="1.0" encoding="UTF-8"?>
      <deployment xmlns="urn:jboss:bean-deployer:2.0">
        <application-policy xmlns="urn:jboss:security-beans:1.0" name="certauthSecurity">
          <authentication>
            <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
              <module-option name="password-stacking">useFirstPass</module-option>
              <module-option name="securityDomain">java:/jaas/certauthSecurity</module-option>
              <module-option name="verifier">myCertificateVerifierClass</module-option>
            </login-module>
          </authentication>
        </application-policy>
      </deployment>

      4 - To copy the jar file which contains myCertificateVerifierClass to $JBOSS_HOME/server/default/lib.

      5 - In my $WEBAPP_HOME/WEB-INF/jboss-web.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
        <security-domain>java:/jaas/certauthCiutadaSecurity</security-domain>
      </jboss-web>

      6 - In my $WEBAPP_HOME/WEB-INF/web.xml:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>*.jsp</url-pattern>
          <url-pattern>*.do</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Realm Example</realm-name>
      </login-config>
      <security-role>
        <description>No roles based</description>
        <role-name>*</role-name>
      </security-role>

      And with AS7, I tried:

      1 - server.keystore and my-truststore.jks copied to standalone/configuration

      2 - Adding into standalone.xml

      after the extensions block:

      <system-properties>
        <property name="javax.net.ssl.trustStore" value="mypathtol/standalone/configuration/my-truststore.jks"/>
        <property name="javax.net.ssl.trustStorePassword" value="mypass"/>
      </system-properties>

      In the subsystem xmlns="urn:jboss:domain:security:1.1":

      <security-domain name="certauthSecurity">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
            <module-option name="securityDomain" value="java://jaas/certauthSecurity"/>
            <module-option name="verifier" value="myCertificateVerifierClass"/>
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
        </authentication>
        <jsse keystore-password="mypass"
              keystore-url="/mypathto/jboss-as-7.1.1.Final/standalone/configuration/server.keystore"
              truststore-password="mypass"
              truststore-url="/mypathto/jboss-as-7.1.1.Final/standalone/configuration/my-truststore.jks"
              client-auth="true"/>
      </security-domain>

      In the subsystem xmlns="urn:jboss:domain:web:1.1", default-host:

      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="ssl" password="mypass" certificate-key-file="/mypaththo/jboss-as-7.1.1.Final/standalone/configuration/server.keystore" protocol="TLSv1" verify-client="true"/>
      </connector>

      3 - Copied certauth-service.xml and certauth-citizen-jboss-beans.xml "as is" to standalone/deployment

      4 - Copied my CertificateVerifier jar to standalone/lib

      5 - My webapp with jboss-web.xml and web.xml as explained before.

      And when I try to boot, all I can see is ...

      13:33:49,515 INFO  [org.jboss.modules] JBoss Modules version 1.1.1.GA
      13:33:52,792 INFO  [org.jboss.msc] JBoss MSC version 1.0.2.GA
      13:33:52,991 INFO  [org.jboss.as] JBAS015899: JBoss AS 7.1.1.Final "Brontes" starting
      13:34:06,969 INFO  [org.jboss.as.server] JBAS015888: Creating http management service using socket-binding (management-http)
      13:34:06,995 INFO  [org.xnio] XNIO Version 3.0.3.GA
      13:34:07,272 INFO  [org.xnio.nio] XNIO NIO Implementation Version 3.0.3.GA
      13:34:07,317 INFO  [org.jboss.remoting] JBoss Remoting version 3.2.3.GA
      13:34:20,305 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC00001: Failed to start service jboss.deployment.unit."certauth-citizen-jboss-beans.xml".PARSE: org.jboss.msc.service.StartException in service jboss.deployment.unit."certauth-citizen-jboss-beans.xml".PARSE: Failed to process phase PARSE of deployment "certauth-citizen-jboss-beans.xml"
          at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:119) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
          at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
          at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.6.0_24]
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.6.0_24]
          at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_24]
      Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS017052: Failed to parse POJO xml [ "/content/certauth-citizen-jboss-beans.xml" ]
          at org.jboss.as.pojo.KernelDeploymentParsingProcessor.parseDescriptor(KernelDeploymentParsingProcessor.java:156)
          at org.jboss.as.pojo.KernelDeploymentParsingProcessor.parseDescriptors(KernelDeploymentParsingProcessor.java:128)
          at org.jboss.as.pojo.KernelDeploymentParsingProcessor.deploy(KernelDeploymentParsingProcessor.java:83)
          at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
          ... 5 more

      13:34:23,009 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC00001: Failed to start service jboss.deployment.unit."certauth-service.xml".INSTALL: org.jboss.msc.service.StartException in service jboss.deployment.unit."certauth-service.xml".INSTALL: Failed to process phase INSTALL of deployment "certauth-service.xml"
          at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:119) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
          at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
          at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.6.0_24]
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.6.0_24]
          at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_24]
      Caused by: java.lang.IllegalArgumentException: JBAS017220: Class not found
          at org.jboss.as.service.ReflectionUtils.getClass(ReflectionUtils.java:115)
          at org.jboss.as.service.ReflectionUtils.getClassHierarchy(ReflectionUtils.java:122)
          at org.jboss.as.service.ParsedServiceDeploymentProcessor.addServices(ParsedServiceDeploymentProcessor.java:108)
          at org.jboss.as.service.ParsedServiceDeploymentProcessor.deploy(ParsedServiceDeploymentProcessor.java:99)
          at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
          ... 5 more
      Caused by: java.lang.ClassNotFoundException: org.jboss.security.plugins.JaasSecurityDomain from [Module "deployment.certauth-service.xml:main" from Service Module Loader]
          at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
          at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468)
          at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456)
          at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:423)
          at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
          at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120)
          at java.lang.Class.forName0(Native Method) [rt.jar:1.6.0_24]
          at java.lang.Class.forName(Class.java:264) [rt.jar:1.6.0_24]
          at org.jboss.as.service.ReflectionUtils.getClass(ReflectionUtils.java:113)
          ... 9 more

      13:34:57,803 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS014654: Composite operation was rolled back
      13:34:57,897 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) {"JBAS014653: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"JBAS014671: Failed services" => {"jboss.deployment.unit.\"certauth-citizen-jboss-beans.xml\".PARSE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"certauth-citizen-jboss-beans.xml\".PARSE: Failed to process phase PARSE of deployment \"certauth-citizen-jboss-beans.xml\""}}}}
      13:34:57,899 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS014654: Composite operation was rolled back
      13:34:57,900 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS014654: Composite operation was rolled back
      ^C13:38:16,559 INFO  [org.jboss.as.logging] JBAS011503: Restored bootstrap log handlers
      13:38:16,842 INFO  [com.arjuna.ats.jbossatx] ARJUNA032018: Destroying TransactionManagerService
      13:38:16,844 INFO  [com.arjuna.ats.jbossatx] ARJUNA032014: Stopping transaction recovery manager
      13:38:17,035 INFO  [org.jboss.as.controller] JBAS014774: Service status report
      JBAS014776:    Newly corrected services:
            service jboss.jdbc-driver.ojdbc6_jar (new available)

      13:38:17,074 INFO  [org.jboss.as] JBAS015950: JBoss AS 7.1.1.Final "Brontes" stopped in 799ms

      Could anyone help me to understand how to proceed with AS7 to authenticate users as explained??

      Best Regards!

      :-)
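      As an added example (not the poster's code, not part of AS7 or PicketBox), this is what a class named in the login module's verifier option can look like. It assumes the PicketBox interface org.jboss.security.auth.certs.X509CertificateVerifier of AS 7.1.1 with its single method verify(cert, alias, keyStore, trustStore), where alias is the principal name the login module derived from the certificate; the class name TrustedIssuerCertificateVerifier is made up.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import org.jboss.security.auth.certs.X509CertificateVerifier;

// Added example (class name made up); assumes PicketBox's X509CertificateVerifier
// interface as in AS 7.1.1. With a verifier configured, BaseCertLoginModule lets this
// method alone decide whether the client cert is accepted, so it must check trust itself.
public class TrustedIssuerCertificateVerifier implements X509CertificateVerifier {
    public boolean verify(X509Certificate cert, String alias, KeyStore keyStore, KeyStore trustStore) {
        if (cert == null || trustStore == null) {
            return false;
        }
        try {
            // 1. Reject expired or not-yet-valid client certificates.
            cert.checkValidity();
            // 2. If KeyUsage is present, bit 0 (digitalSignature) must be set:
            //    that is the usage TLS client authentication relies on.
            boolean[] keyUsage = cert.getKeyUsage();
            if (keyUsage != null && !keyUsage[0]) {
                return false;
            }
            // 3. Accept only if a CA in the trust store is the direct issuer: its subject
            //    equals the cert's issuer and its public key verifies the signature.
            //    Only one level is checked; intermediates would need a CertPathValidator.
            for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
                Certificate candidate = trustStore.getCertificate(aliases.nextElement());
                if (!(candidate instanceof X509Certificate)) continue;
                X509Certificate ca = (X509Certificate) candidate;
                if (!ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
                try {
                    ca.checkValidity();
                    cert.verify(ca.getPublicKey());
                    return true;
                } catch (GeneralSecurityException e) {
                    // Not signed by this candidate; keep looking.
                }
            }
            return false;
        } catch (GeneralSecurityException e) {
            // Key store access failed or validity period is bad: treat as not verified.
            return false;
        }
    }
}
```

      Revocation (CRL/OCSP) is not checked here, so a revoked citizen certificate would still pass this verifier.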