1 Reply Latest reply on Jun 16, 2014 7:15 AM by fuinhaazul

    Programmatic CLIENT-CERT authentication and authorization?

    fuinhaazul

Hi everybody, lately I'm having a lot of questions :-) I expect that this helps someone.

Could anybody explain to me why I need to create all the following steps just to get the client certificate (mutual authentication)?

1 - First, create the HTTPS listener.

<https-listener name="yyy" socket-binding="https" security-realm="xxx-security-realm" />

2 - Define the realm with the trusted certificates and the server certificate.

<security-realm name="xxx-security-realm">
    <server-identities>
        <ssl>
            <keystore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="123456" alias="server" key-password="123456"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="123456"/>
    </authentication>
</security-realm>

3 - Now the problem begins. I only want the browser to send me the certificate, and then to get the "javax.servlet.request.X509Certificate" attribute. If I change the verify-client attribute to REQUIRED it works, but I just want to ask for the certificate when needed. Well... I couldn't find a way to get it without using security-constraints:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>test-app</web-resource-name>
        <url-pattern>/CertLoginServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>my-auth-role</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <role-name>my-auth-role</role-name>
</security-role>

4 - I also need a login module (in my case, my login module always returns the expected role "my-auth-role"):

<security-domain name="my-auth" cache-type="default">
    <authentication>
        <login-module code="com.xpto.custom.CustomLoginModule" flag="required"/>
    </authentication>
</security-domain>

5 - And more! jboss-web.xml:

<jboss-web>
    <security-domain>my-auth</security-domain>
</jboss-web>

Why are steps 3, 4 and 5 required? Is there a way to avoid them? I want to validate the selected certificate myself on a JSF page, doing some SQL queries based on some certificate attributes.

      Thanks for any explanation!!!
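The following is an added example, not code from the original post or from the JBoss/WildFly project. It shows the approach the question is after: the https-listener is assumed to be configured with verify-client="REQUESTED" (so the browser is asked for a certificate but may decline), the TLS layer verifies any presented certificate against the realm's truststore, and the application reads the "javax.servlet.request.X509Certificate" attribute directly, with no security-constraint, login-config or login module. The servlet then checks the validity period and maps the certificate to a user through a parameterised query; the datasource JNDI name, the table cert_users and its columns are assumptions for this example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/**
 * Reads the client certificate that the TLS layer already verified against the
 * realm truststore and maps it to an application user. Assumes the https-listener
 * uses verify-client="REQUESTED", so a browser without a certificate still
 * reaches this servlet and simply gets no certificate attribute.
 */
@WebServlet("/CertLoginServlet")
public class CertLoginServlet extends HttpServlet {

    private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    // Assumed datasource JNDI name; replace with the one defined in your server configuration.
    @Resource(lookup = "java:jboss/datasources/ExampleDS")
    private DataSource dataSource;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTRIBUTE);
        if (chain == null || chain.length == 0) {
            // With REQUESTED the browser may decline to send a certificate at all.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        X509Certificate clientCert = chain[0]; // chain[0] is the end-entity (client) certificate

        try {
            clientCert.checkValidity(); // rejects expired or not-yet-valid certificates
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not valid at this time");
            return;
        }

        String username;
        try {
            username = lookupUser(clientCert);
        } catch (SQLException e) {
            throw new ServletException("user lookup failed", e);
        }
        if (username == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not registered");
            return;
        }

        req.getSession(true).setAttribute("user", username);
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + username);
    }

    /**
     * Looks the certificate up by issuer DN and serial number, which together
     * identify a certificate uniquely (a CN alone does not). Values taken from
     * the certificate are bound as parameters, never concatenated into the SQL,
     * because the subject fields are attacker-chosen text.
     * Table and column names (cert_users, issuer_dn, serial_hex, username) are assumed.
     */
    String lookupUser(X509Certificate cert) throws SQLException {
        String issuer = cert.getIssuerX500Principal().getName(); // RFC 2253 string form
        String serial = cert.getSerialNumber().toString(16);
        String sql = "SELECT username FROM cert_users WHERE issuer_dn = ? AND serial_hex = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, issuer);
            ps.setString(2, serial);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }
}
```

The servlet does no chain building of its own: with a truststore in the realm's authentication block, a certificate that does not chain to one of those trusted CAs never completes the TLS handshake, so anything that reaches the attribute is already trusted at the CA level. What remains for the application is the validity window and the identity mapping, which is why the lookup keys on issuer plus serial number rather than on a free-text CN.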