Wildfly - Remote EJB client-cert authentication
xibo_flair Oct 30, 2016 11:25 PM
Hi all,
I'm using the latest 10.1 WildFly server for development. I'm able to look up EJBs from a remote client application by using the PLAIN mechanism (username and password), secured by SSL.
Is it possible to use a client certificate for authentication instead of a username and password, the way we do in a browser by choosing a soft certificate or by using a CAC reader?
Client side configuration (legacy jboss-ejb-client 2.x properties-based setup; "host", "port", "userName" and "password" are placeholders):
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.jboss.ejb.client.EJBClientConfiguration;
import org.jboss.ejb.client.EJBClientContext;
import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

Properties prop = new Properties();
prop.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
// EJB Client Global Properties (values are read as strings, so keep them as strings)
prop.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
prop.put("org.jboss.ejb.client.scoped.context", "true");
// EJB Client Connection Properties for the connection named "default"
prop.put("remote.connections", "default");
prop.put("remote.connection.default.host", "host");
prop.put("remote.connection.default.port", "port");
prop.put("remote.connection.default.protocol", "https-remoting");
prop.put("remote.connection.default.username", "userName");
prop.put("remote.connection.default.password", "password");
// TLS settings for the connection: start TLS on the remoting channel and pin TLS 1.2
prop.put("remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
prop.put("remote.connection.default.connect.options.org.xnio.Options.SSL_PROTOCOL", "TLSv1.2");
// SASL policy: no anonymous login, allow PLAIN (plaintext mechanism) because the channel is TLS-protected,
// and never fall back to the local-user mechanism
prop.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
prop.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
prop.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

// Install the properties-based configuration as the EJB client context selector
final EJBClientConfiguration ejbClientConfiguration = new PropertiesBasedEJBClientConfiguration(prop);
final ConfigBasedEJBClientContextSelector selector = new ConfigBasedEJBClientContextSelector(ejbClientConfiguration);
EJBClientContext.setSelector(selector);

// Look up the bean through the "ejb:" JNDI namespace
Context context = (Context) new InitialContext(prop).lookup("ejb:");
context.lookup(...);
// do something
The server is configured with SSL.
<security-realm name="HttpsRealm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="***" alias="SSL" key-password="***"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="server.trustore" relative-to="jboss.server.config.dir" keystore-password="***"/>
        <local default-user="$local" skip-group-loading="true"/>
        <jaas name="login-domain"/>
    </authentication>
</security-realm>
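As an added example that is not part of the original post or of WildFly itself: before wiring a client certificate into the EJB client, it is worth checking that the TLS layer alone accepts it. The class below performs one mutual-TLS handshake against the server's HTTPS port using the same keystore/truststore layout as the realm above. Host, port, file names and passwords are placeholders; whether the EJB client then picks up the JVM-default SSLContext is an assumption to verify, not something the post confirms.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsCheck {
    // Placeholders: the client's own key pair, and a truststore holding the server
    // certificate (the client-side mirror of the realm's <truststore>).
    static final String HOST = "host";
    static final int PORT = 8443;                       // placeholder HTTPS port
    static final String CLIENT_KEYSTORE = "client.keystore";
    static final String CLIENT_TRUSTSTORE = "client.truststore";
    static final char[] KS_PASS = "***".toCharArray();
    static final char[] TS_PASS = "***".toCharArray();

    /** SSLContext that presents the client certificate and trusts only the server one. */
    static SSLContext clientContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(CLIENT_KEYSTORE)) { ks.load(in, KS_PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KS_PASS);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(CLIENT_TRUSTSTORE)) { ts.load(in, TS_PASS); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");   // same protocol the post pins
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** One handshake; returns the server's certificate subject, throws if either side rejects the other. */
    static Principal handshake(SSLContext ctx) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            s.startHandshake();
            // null means the server never asked for a client certificate (it only does so when
            // the realm's <ssl> element requests client verification), so cert auth cannot work yet.
            if (s.getSession().getLocalCertificates() == null) {
                throw new IllegalStateException("server did not request a client certificate");
            }
            return s.getSession().getPeerPrincipal();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = clientContext();
        System.out.println("server presented: " + handshake(ctx));
        SSLContext.setDefault(ctx);   // assumption: lets the remoting client's SSL layer reuse this context
    }
}
```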