1 Reply Latest reply on Aug 12, 2015 6:23 AM by ctomc

    Manual prompting of Certificate (Wildfly 9)

    drew_l_w

      Hi,

       

      I am attempting to implement login logic that includes the ability to submit an X509Certificate as your credential for login. The issue I'm running into is that with my current configuration in the standalone.xml I am receiving certificate prompts whenever I enter an https address rather than the desired behavior, which is when a user clicks a button. Is there any way for me to configure the server to only allow prompting when I request the certificate(s) in a servlet?

      My current configuration contains a security-realm with a keystore and truststore specified, a security-domain with the jsse tag specified for the keystore and truststore, and an https-listener configured to use the security-realm mentioned prior.

      Thanks for your time.

        • 1. Re: Manual prompting of Certificate (Wildfly 9)
          ctomc

          As Darran said, certificates are only exchanged on establishing/negotiation of the SSL connection.

          However, you can configure your server and application to force re-negotiation of the SSL connection with a request for the certificate.

          In the undertow subsystem, on the https-listener, set verify-client="REQUESTED", not REQUIRED as you probably have now.

          The next thing is to configure your application.

          To your web.xml add something along these lines:

           

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Everything</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
          </security-constraint>
          <login-config>
            <auth-method>CLIENT-CERT</auth-method>
          </login-config>

           

          where url-pattern should be the part of your application path that requires a client certificate,

          probably something like /protected/*.
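As an added example (not code from the thread or from WildFly), this is the servlet side of the setup ctomc describes: it reads the client certificate chain that the container exposes after the CLIENT-CERT handshake, and handles the case where verify-client="REQUESTED" let the handshake complete without any certificate. It assumes the web.xml above is deployed, a /protected/* url-pattern, and a servlet named ClientCertServlet (both names are my choice).

```java
// Added example, not from the original thread. Assumes web.xml above is deployed,
// the https-listener has verify-client="REQUESTED", and /protected/* is the protected path.
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Path chosen to fall under the /protected/* url-pattern suggested in the reply.
@WebServlet("/protected/whoami")
public class ClientCertServlet extends HttpServlet {

    // Standard Servlet API request attribute under which the container exposes the chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // With verify-client="REQUESTED" the TLS handshake succeeds even when the browser
        // sends no certificate, so the attribute can be null: treat that as not logged in.
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // chain[0] is the end-entity (user) certificate; the rest are intermediates, if any.
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity(); // rejects expired or not-yet-valid certificates
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not valid: " + e.getMessage());
            return;
        }

        // Whether the issuer is trusted was already decided by the https-listener against
        // the security-realm truststore; here we only read the presented identity.
        String subject = leaf.getSubjectX500Principal().getName();
        resp.setContentType("text/plain");
        resp.getWriter().println("authenticated as " + subject);
    }
}
```

Note that the web.xml fragment above has no auth-constraint, so the servlet is reached even when no certificate was sent; the null check is what turns that into a 401 rather than anonymous access.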