-
1. Re: jboss wildfly and CLIENT-CERT Configuration
nickarls Jun 4, 2016 2:23 PM (in response to s.santilli)Can't recall seeing it been done like that, usually there is a properties file or DB query for the role-mapping but someone more knowledgeable might correct me.
-
2. Re: jboss wildfly and CLIENT-CERT Configuration
s.santilli Jun 6, 2016 3:44 PM (in response to nickarls)Bump anyone?
-
3. Re: jboss wildfly and CLIENT-CERT Configuration
mchoma Jun 7, 2016 8:56 AM (in response to s.santilli)You can try DeploymentRolesMappingProvider. It should provide functionality you request. However, I am not sure if it will work with certificates. As Nicklas suggests org.jboss.security.auth.spi.CertRolesLoginModule is, for sure, safer way to go.
-
4. Re: jboss wildfly and CLIENT-CERT Configuration
s.santilli Jun 7, 2016 1:37 PM (in response to mchoma)hmm since I cannot locate any information on my original post .. does anyone have/suggest a tutorial / example on how to perform a CertRolesLoginModule
configuration?
Thank-you kindly
-
5. Re: jboss wildfly and CLIENT-CERT Configuration
nickarls Jun 8, 2016 1:51 AM (in response to s.santilli)A quick googling turned out
http://stackoverflow.com/questions/29514737/how-to-configure-mutual-certificate-authentication
that looks familiar. The properties files should be plain subject=role mappings if I recall correctly. Googling for wildfly ssl client authentication should turn up more...
-
6. Re: jboss wildfly and CLIENT-CERT Configuration
s.santilli Jun 8, 2016 8:31 PM (in response to nickarls)Good Day,
My apologies if my question appears trivial, but Im a little confused ... to elaborate if my wildfly server is fronted by an apache web-server, and the apache web-server is already configured to perform the mutual authentication, than is configuring mutual authentication in wildfly additionally necessary also?
I know in our glassfish war version, which is also fronted by an apache webserver (also performing mutual authentication) the apache is able to forward to glassfish, with certitifcate subject, once authentication passes and completes, then glassfish is configured via a sun-web.xml to recognize the passed certificate subject line to ultimately allow the request to be processed.
I wish a similar configuration was possible in jboss/wildfly ... I guess I'm just still hopeful someone can suggest how to perform something similar within wildfly.
Thanks
-
7. Re: jboss wildfly and CLIENT-CERT Configuration
nickarls Jun 9, 2016 2:20 AM (in response to s.santilli)Ah, OK, I misunderstood. So the principal is passed alone (not the roles) and you want to do the role-mapping on the WildFly side (which only accepts connections from the Apache)?
-
8. Re: jboss wildfly and CLIENT-CERT Configuration
s.santilli Jun 9, 2016 1:57 PM (in response to nickarls)Yes, exactly and I apologize if I am doing a poor job explaining myself as I inherited this project and configuration so it is very likely I am unfamiliar with the vocabulary ... the configuration at present with apache and glassfish is as follows:
Client ----(mutual ssl)----> Apache ----> Glassfish (sun-web.xml references the certificate)
Whereby the sun-web.xml references the certificate via a mapping in the sun-web.xml as show below:
<sun-web-app>
<security-role-mapping>
<role-name>myapp</role-name>
<principal-name>CN=mysupport, OU=MyTeam, O=MyCompany Inc., L=MyCity, ST=MyState, C=MyCountry</principal-name>
</security-role-mapping>
</sun-web-app>
Naturally, I am trying to achieve the equivalent in jboss wildfly 10 (I was under the impression the equivalent configuration is possible).
Again, you can see, by referencing the sun-web.xml extract I provided, how a role is mapped to the principal-name, and the principal name
is merely a mapping to related to the client certificates DN (distinguished name).
Please let me know as I am completely not certain how to achieve this as I am struggling with the jboss documentation and in a sense too ...
I am not overly confident I know how to define what I am looking for (with a high degree of accuracy that is).
Thank-you kindly
-
9. Re: jboss wildfly and CLIENT-CERT Configuration
mchoma Jun 10, 2016 5:22 AM (in response to s.santilli)How exactly does Apache sent principal-name information? In request HTTP header? What is the name of header? Is it some standard behaviour or you have configure Apache to set custom HTTP header?
Communication between Apache and wildfly is plain http, right?