9 Replies Latest reply on Jun 10, 2016 5:22 AM by mchoma

    jboss wildfly and CLIENT-CERT Configuration

    s.santilli

      Hello Community,

       

      We are converting a glassfish war/application to jboss because we have heard many good things regarding jboss ... previously in our glassfish deployment version, we had web.xml CLIENT-CERT configured for authentication; quite simply, apache would authenticate incoming requests and forward the certificate subject over to glassfish, which in turn validated the incoming requests by merely referencing the role/principal names listed in glassfish's sun-web.xml file. For example:

       

      <sun-web-app>
          <security-role-mapping>
             <role-name>myapp</role-name>
             <principal-name>CN=mysupport, OU=MyTeam, O=MyCompany Inc., L=MyCity, ST=MyState, C=MyCountry</principal-name>
          </security-role-mapping>
      </sun-web-app>
      

       

      Does anyone know how to do the equivalent configuration in jboss wildfly 10?

       

      Thank-you kindly

        • 1. Re: jboss wildfly and CLIENT-CERT Configuration
          nickarls

          Can't recall seeing it done like that, usually there is a properties file or DB query for the role-mapping but someone more knowledgeable might correct me.

          • 2. Re: jboss wildfly and CLIENT-CERT Configuration
            s.santilli

            Bump anyone?

            • 3. Re: jboss wildfly and CLIENT-CERT Configuration
              mchoma

              You can try DeploymentRolesMappingProvider. It should provide the functionality you request. However, I am not sure if it will work with certificates. As Nicklas suggests, org.jboss.security.auth.spi.CertRolesLoginModule is, for sure, a safer way to go.
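
              As an added example (not from the thread, and not the WildFly project's own documentation), this is what the sun-web.xml mapping above looks like on WildFly 10 with the legacy security subsystem and the CertificateRoles login module (the alias for org.jboss.security.auth.spi.CertRolesLoginModule) that the reply names. Here WildFly terminates TLS itself. The names client-cert-domain, ClientCertRealm, server.keystore, client.truststore and the password "changeit" are placeholders I chose; the DN and role are the ones from the question.

```xml
<!-- Added example, not from the thread. Assumed names: client-cert-domain,
     ClientCertRealm, server.keystore, client.truststore, password "changeit". -->

<!-- 1. standalone.xml, <management><security-realms>: the server certificate, and the
        truststore whose CAs a client certificate must chain to during the handshake. -->
<security-realm name="ClientCertRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir"
                      keystore-password="changeit" alias="server"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="client.truststore" relative-to="jboss.server.config.dir"
                    keystore-password="changeit"/>
    </authentication>
</security-realm>

<!-- 2. standalone.xml, undertow subsystem: the listener must demand the client
        certificate, otherwise CLIENT-CERT in web.xml has nothing to work with. -->
<https-listener name="https" socket-binding="https"
                security-realm="ClientCertRealm" verify-client="REQUIRED"/>

<!-- 3. standalone.xml, security subsystem: CertificateRoles checks the presented
        certificate against the truststore of the domain named in "securityDomain"
        (no "verifier" option set, so its default applies: the certificate itself has to
        be present in that truststore) and reads roles from a properties file whose keys
        are certificate subject DNs. -->
<security-domain name="client-cert-domain" cache-type="default">
    <authentication>
        <login-module code="CertificateRoles" flag="required">
            <module-option name="securityDomain" value="client-cert-domain"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
        </login-module>
    </authentication>
    <jsse truststore-password="changeit"
          truststore-url="file://${jboss.server.config.dir}/client.truststore"/>
</security-domain>

<!-- 4. roles.properties: the sun-web.xml mapping, one line. The key must be the subject
        exactly as Java renders it (X509Certificate.getSubjectDN().getName(): same
        attribute order, ", " separators), with '=' and spaces backslash-escaped because
        the file is parsed by java.util.Properties:

     CN\=mysupport,\ OU\=MyTeam,\ O\=MyCompany\ Inc.,\ L\=MyCity,\ ST\=MyState,\ C\=MyCountry=myapp
-->

<!-- 5. WEB-INF/web.xml: the same CLIENT-CERT login-config as under GlassFish. -->
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>whole application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>myapp</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>myapp</role-name>
</security-role>

<!-- 6. WEB-INF/jboss-web.xml: the WildFly counterpart of sun-web.xml, pointing the
        deployment at the domain. The role mapping itself lives in roles.properties. -->
<jboss-web>
    <security-domain>client-cert-domain</security-domain>
</jboss-web>
```

              Two checks worth doing before blaming the configuration: confirm the exact subject string WildFly sees (a failed login logs it at DEBUG for org.jboss.security) and compare it character for character with the properties key, and remember that with the default verification above a certificate that merely chains to a trusted CA is not enough for the login module; the leaf certificate must be in client.truststore, or a "verifier" module option has to be set.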

              • 4. Re: jboss wildfly and CLIENT-CERT Configuration
                s.santilli

                Hmm, since I cannot locate any information on my original post .. does anyone have/suggest a tutorial / example on how to perform a CertRolesLoginModule configuration?

                 

                Thank-you kindly

                • 5. Re: jboss wildfly and CLIENT-CERT Configuration
                  nickarls

                  A quick googling turned up

                   

                  http://stackoverflow.com/questions/29514737/how-to-configure-mutual-certificate-authentication

                   

                  that looks familiar. The properties files should be plain subject=role mappings if I recall correctly. Googling for wildfly ssl client authentication should turn up more...

                  • 6. Re: jboss wildfly and CLIENT-CERT Configuration
                    s.santilli

                    Good Day,

                     

                    My apologies if my question appears trivial, but I'm a little confused ... to elaborate, if my wildfly server is fronted by an apache web-server, and the apache web-server is already configured to perform the mutual authentication, then is configuring mutual authentication in wildfly additionally necessary also?

                     

                    I know in our glassfish war version, which is also fronted by an apache webserver (also performing mutual authentication), the apache is able to forward to glassfish, with the certificate subject, once authentication passes and completes; then glassfish is configured via a sun-web.xml to recognize the passed certificate subject line to ultimately allow the request to be processed.

                     

                    I wish a similar configuration was possible in jboss/wildfly ... I guess I'm just still hopeful someone can suggest how to perform something similar within wildfly.

                     

                    Thanks

                    • 7. Re: jboss wildfly and CLIENT-CERT Configuration
                      nickarls

                      Ah, OK, I misunderstood. So the principal is passed alone (not the roles) and you want to do the role-mapping on the WildFly side (which only accepts connections from the Apache)?

                      • 8. Re: jboss wildfly and CLIENT-CERT Configuration
                        s.santilli

                        Yes, exactly and I apologize if I am doing a poor job explaining myself as I inherited this project and configuration so it is very likely I am unfamiliar with the vocabulary ... the configuration at present with apache and glassfish is as follows:

                         

                        Client ----(mutual ssl)----> Apache ----> Glassfish (sun-web.xml references the certificate)

                         

                        Whereby the sun-web.xml references the certificate via a mapping in the sun-web.xml as shown below:

                         

                        <sun-web-app>
                            <security-role-mapping>
                               <role-name>myapp</role-name>
                               <principal-name>CN=mysupport, OU=MyTeam, O=MyCompany Inc., L=MyCity, ST=MyState, C=MyCountry</principal-name>
                            </security-role-mapping>
                        </sun-web-app>

                         

                        Naturally, I am trying to achieve the equivalent in jboss wildfly 10 (I was under the impression the equivalent configuration is possible).

                         

                        Again, you can see, by referencing the sun-web.xml extract I provided, how a role is mapped to the principal-name, and the principal name is merely a mapping related to the client certificate's DN (distinguished name).

                         

                        Please let me know as I am completely not certain how to achieve this as I am struggling with the jboss documentation and in a sense too ... I am not overly confident I know how to define what I am looking for (with a high degree of accuracy that is).

                         

                        Thank-you kindly

                        • 9. Re: jboss wildfly and CLIENT-CERT Configuration
                          mchoma

                          How exactly does Apache send the principal-name information? In a request HTTP header? What is the name of the header? Is it some standard behaviour or have you configured Apache to set a custom HTTP header?

                           

                          Communication between Apache and wildfly is plain http, right?
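
As an added example (not from the thread, and not code from WildFly or Apache), this is the setup the last few posts circle around: Apache does the mutual TLS, forwards the certificate subject, and WildFly only maps that subject to roles. The security point that makes or breaks it is the one nickarls hints at: a header is just text, so WildFly must refuse it from anyone except the proxy. The example assumes a mod_headers directive `RequestHeader set X-SSL-Client-DN "%{SSL_CLIENT_S_DN}s"` in the Apache vhost ("set" replaces any copy of the header a client sent), the proxy reaching WildFly from the address 10.0.0.5, and a Servlet 3.1 deployment on WildFly 10; the header name, the address and the class name are my choices.

```java
// Added example, not from the thread. Assumed: Apache's vhost carries
//   RequestHeader set X-SSL-Client-DN "%{SSL_CLIENT_S_DN}s"
// (mod_headers; "set" replaces any copy of the header a client sent), the proxy
// reaches WildFly from 10.0.0.5, and the app runs on WildFly 10 (Servlet 3.1).
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class ProxyClientCertFilter implements Filter {

    static final String DN_HEADER = "X-SSL-Client-DN";                            // assumed name
    static final Set<String> TRUSTED_PROXIES = Collections.singleton("10.0.0.5"); // assumed address

    // Canonical subject DN -> roles: the sun-web.xml <security-role-mapping> from the thread.
    private static final Map<String, Set<String>> ROLES_BY_DN = new HashMap<>();
    static {
        ROLES_BY_DN.put(canonical("CN=mysupport, OU=MyTeam, O=MyCompany Inc., L=MyCity, ST=MyState, C=MyCountry"),
                        Collections.singleton("myapp"));
    }

    // The RFC 2253 string Apache 2.4 emits ("CN=mysupport,OU=MyTeam,...") and the
    // ", "-separated string Java prints reduce to the same canonical form, so the
    // lookup does not depend on which side formatted the DN. Throws
    // IllegalArgumentException for input that is not a DN at all.
    static String canonical(String dn) {
        return new X500Principal(dn).getName(X500Principal.CANONICAL);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // The header means something only if the TCP peer is Apache. From anyone else it
        // is a claim the sender made about itself, so the request is refused outright.
        if (!TRUSTED_PROXIES.contains(req.getRemoteAddr())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String dn = req.getHeader(DN_HEADER);
        Set<String> roles = null;
        if (dn != null && !dn.isEmpty()) {
            try {
                roles = ROLES_BY_DN.get(canonical(dn));
            } catch (IllegalArgumentException malformed) {
                roles = null; // an unparsable DN is treated like an unknown one
            }
        }
        if (roles == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // DN missing or not mapped
            return;
        }
        chain.doFilter(new MappedRequest(req, dn, roles), response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    // Exposes the mapped identity through the usual servlet calls, so application code
    // can keep using request.isUserInRole("myapp") and request.getUserPrincipal().
    static final class MappedRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final Set<String> roles;

        MappedRequest(HttpServletRequest req, final String dn, Set<String> roles) {
            super(req);
            this.principal = new Principal() { public String getName() { return dn; } };
            this.roles = roles;
        }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public String getAuthType() { return CLIENT_CERT_AUTH; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Three caveats go with this. A `<security-constraint>` in web.xml is evaluated by the container before any filter runs and knows nothing about this identity, so the filter itself is the enforcement point (it answers 403 for an unknown or missing subject) and authorization inside the app goes through isUserInRole. Leave proxy-address-forwarding off on the Undertow listener: with it on, getRemoteAddr() returns whatever X-Forwarded-For says, which defeats the peer check. Finally, the hop from Apache to WildFly carries the identity in clear text, so it belongs on a network only Apache can reach, or behind TLS between the two.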