1 Reply Latest reply on Oct 23, 2015 3:47 PM by jmichaelstewart

    client certificate authentication

    quentinvw

Hello all!

I come here looking for help because I'm actually not sure what I want to do is possible.

So, I have a Wildfly 8.1 server running. On this server I have deployed 2 REST web services. I need to configure SSL transport for both of them, but for the first one I want mutual authentication (client and server) and for the second one I just want server authentication. I tried using security-domain with Certificate and jsse but I can't make it work...

For the record, I have tried global configuration of my ssl-realm with mutual authentication and it worked just fine.

What doesn't work is making client_cert authentication mandatory on one of my REST web services. When I try to connect to it, I seem to be redirected to the global configuration of ssl-realm and the server doesn't ask for my client certificate.

Here are my Wildfly and web.xml configurations.

Wildfly

...
<security-realm name="ssl-realm">
    <server-identities>
        <ssl protocol="SSL">
            <keystore path="wildflyKeystore.jks" relative-to="jboss.server.config.dir" keystore-password="test" alias="alerter (telemis)" key-password="test"/>
        </ssl>
    </server-identities>
</security-realm>
...
<security-domain name="SSLClientCert">
    <authentication>
        <login-module code="Certificate" flag="required">
            <module-option name="securityDomain" value="cert"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="cert">
    <jsse truststore-password="test" truststore-url="file:${jboss.server.config.dir}/wildflyTruststore.jks" client-auth="true"/>
</security-domain>
...
<https-listener name="default-https" socket-binding="https" security-realm="ssl-realm" verify-client="REQUESTED"/>

Web.xml

...
<security-constraint>
    <web-resource-collection>
        <web-resource-name>webresources</web-resource-name>
        <url-pattern>/webresources/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>ssl-realm</realm-name>
</login-config>

jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/SSLClientCert</security-domain>
</jboss-web>

Thank you for your time!
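The symptom in the post ("the server doesn't ask for my client certificate") can be checked from the outside rather than inferred from application behaviour. The following POSIX shell probe is an added example, not code from the original post or from WildFly/Undertow: it runs openssl s_client against an endpoint and reports whether the server sent a CertificateRequest during the handshake, which is exactly what verify-client="REQUESTED" is supposed to cause. It assumes the diagnostic lines that openssl s_client prints ("Acceptable client certificate CA names" when a CA list was sent, "No client certificate CA names sent" when the request carried no CA list); host, port and path are placeholders you supply.

```shell
#!/bin/sh
# Added probe (not part of the original post): does a TLS endpoint actually
# ask the client for a certificate?
#
# openssl s_client prints one of these lines only after receiving a
# CertificateRequest from the server (assumption: standard s_client output):
#   "Acceptable client certificate CA names"  -> request sent, CA list included
#   "No client certificate CA names sent"     -> request sent, no CA list
# If neither line appears, the server completed the handshake without ever
# asking for a client certificate, so CLIENT-CERT auth can never succeed.

# Return 0 when the s_client transcript on stdin shows a CertificateRequest.
client_cert_requested() {
  grep -q -e 'Acceptable client certificate CA names' \
          -e 'No client certificate CA names sent'
}

# Classify a transcript read from stdin: prints "requested" or "not-requested".
classify_transcript() {
  if client_cert_requested; then
    echo requested
  else
    echo not-requested
  fi
}

# Probe a live endpoint. HOST and PORT are placeholders; PATH is the request
# path, so the constrained /webresources/* URL can be compared with an
# unconstrained one on the same listener.
# Usage: probe_endpoint myhost.example 8443 /webresources/ping
probe_endpoint() {
  host=$1; port=$2; path=${3:-/}
  printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host" \
    | openssl s_client -connect "$host:$port" -servername "$host" 2>&1 \
    | classify_transcript
}
```

Run the probe once against the mutually-authenticated path and once against the server-auth-only path: with a listener-wide verify-client="REQUESTED" both transcripts should show the request, because the listener asks for the certificate in the handshake regardless of which deployment is later hit. If neither shows it, the listener setting (or the keystore/truststore it references) is the place to look, not the application's login-config. Note also that, per the Servlet specification, a security-constraint that has no auth-constraint element does not require authentication at all, so a CLIENT-CERT auth-method is never invoked for such a URL pattern; the transport-guarantee alone only enforces HTTPS.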