Quickstart jaxrs-jwt: how to use it with TLS/SSL?
rbattenfeld Jun 19, 2019 9:13 AM
Hi
I am looking for a way to enable one-way SSL in order to secure the communication with the REST-based client when a client requests a new token. In your web app, a user is first authenticated with username/password, and when authenticated, a new token is returned.
We already have TLS/SSL enabled for other web applications, but we struggle a bit to put both settings together so that the token exchange is secured by TLS/SSL (one-way SSL).
Here are the key stores: one for the JWT token, one for the SSL certificate.
        <tls>
            <key-stores>
                <key-store name="ncdrJwtStore">
                    <credential-reference clear-text="MASK-3e5W...."/>
                    <implementation type="JKS"/>
                    <file path="C:/deve...."/>
                </key-store>
                <key-store name="ncdrKeyStore">
                    <credential-reference clear-text="MASK-3e5...."/>
                    <implementation type="JKS"/>
                    <file path="C:/dev...."/>
                </key-store>
            </key-stores>
            <key-managers>
                <key-manager name="ncdrKeyManager" key-store="ncdrKeyStore">
                    <credential-reference clear-text="MASK-3e5...."/>
                </key-manager>
            </key-managers>
            <server-ssl-contexts>
                <server-ssl-context name="ncdrSSLContext" protocols="TLSv1.2" key-manager="ncdrKeyManager"/>
            </server-ssl-contexts>
        </tls>
Here are the undertow settings:
        <subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" ssl-context="ncdrSSLContext" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <application-security-domains>
                <application-security-domain name="other" http-authentication-factory="jwt-http-authentication"/>
            </application-security-domains>
        </subsystem>

Here is the web.xml, with transport-guarantee CONFIDENTIAL:
        <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">
            <security-constraint>
                <web-resource-collection>
                    <web-resource-name>HtmlAdaptor</web-resource-name>
                    <description>Restrict access to specified roles.</description>
                    <url-pattern>/*</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>POST</http-method>
                    <http-method-omission>OPTIONS</http-method-omission>
                </web-resource-collection>
                <user-data-constraint>
                    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
                <auth-constraint>
                    <role-name>*</role-name>
                </auth-constraint>
            </security-constraint>
            <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>.... Application</realm-name>
            </login-config>
            <security-role>
                <role-name>*</role-name>
            </security-role>
        </web-app>
Does it maybe just need a second application-security-domain?
Regards,
Ralf
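The three fragments in the post only secure the token exchange if they actually reference each other: the https-listener must name a server-ssl-context, that context a key-manager, that key-manager a key-store, the plain http-listener must redirect to the HTTPS socket, and web.xml must demand CONFIDENTIAL transport. The following check, added here as an example and not code from the post or from the quickstart, parses trimmed, constructed copies of those fragments (placeholder paths and masked passwords stand in for the elided values) and reports any link in that chain that does not resolve, plus any legacy protocol left enabled on the SSL context. Element and attribute names are the ones the post itself uses; the helper and function names are this example's own.

```python
"""Consistency check for the Elytron <tls> block, the Undertow subsystem and
web.xml shown in the question. Added example; the XML constants are trimmed,
constructed copies of the post's fragments with placeholder values."""
import xml.etree.ElementTree as ET

TLS_XML = """<tls>
  <key-stores>
    <key-store name="ncdrJwtStore">
      <credential-reference clear-text="MASK-placeholder"/>
      <implementation type="JKS"/>
      <file path="C:/placeholder/jwt.jks"/>
    </key-store>
    <key-store name="ncdrKeyStore">
      <credential-reference clear-text="MASK-placeholder"/>
      <implementation type="JKS"/>
      <file path="C:/placeholder/tls.jks"/>
    </key-store>
  </key-stores>
  <key-managers>
    <key-manager name="ncdrKeyManager" key-store="ncdrKeyStore">
      <credential-reference clear-text="MASK-placeholder"/>
    </key-manager>
  </key-managers>
  <server-ssl-contexts>
    <server-ssl-context name="ncdrSSLContext" protocols="TLSv1.2" key-manager="ncdrKeyManager"/>
  </server-ssl-contexts>
</tls>"""

UNDERTOW_XML = """<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-security-domain="other">
  <server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <https-listener name="https" socket-binding="https" ssl-context="ncdrSSLContext"/>
  </server>
  <application-security-domains>
    <application-security-domain name="other" http-authentication-factory="jwt-http-authentication"/>
  </application-security-domains>
</subsystem>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _find(root, tag):
    """Yield descendants (root included) whose local tag name matches.
    The {namespace} prefix is stripped, so the undertow/web-app xmlns is harmless."""
    return (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == tag)


def check_tls_chain(tls_xml, undertow_xml):
    """Return a list of findings; an empty list means every reference resolves."""
    findings = []
    tls, undertow = ET.fromstring(tls_xml), ET.fromstring(undertow_xml)
    key_stores = {e.get("name"): e for e in _find(tls, "key-store")}
    key_managers = {e.get("name"): e for e in _find(tls, "key-manager")}
    ssl_contexts = {e.get("name"): e for e in _find(tls, "server-ssl-context")}
    https_listeners = {e.get("name"): e for e in _find(undertow, "https-listener")}
    if not https_listeners:
        findings.append("no https-listener: the token exchange can only travel over plain HTTP")
    for name, listener in https_listeners.items():
        ctx = ssl_contexts.get(listener.get("ssl-context"))
        if ctx is None:
            findings.append(f"https-listener {name}: ssl-context {listener.get('ssl-context')!r} is not defined")
            continue
        legacy = LEGACY_PROTOCOLS & set((ctx.get("protocols") or "").split())
        if legacy:
            findings.append(f"ssl-context {ctx.get('name')}: legacy protocol(s) enabled {sorted(legacy)}")
        km = key_managers.get(ctx.get("key-manager"))
        if km is None:
            findings.append(f"ssl-context {ctx.get('name')}: key-manager {ctx.get('key-manager')!r} is not defined")
        elif km.get("key-store") not in key_stores:
            findings.append(f"key-manager {km.get('name')}: key-store {km.get('key-store')!r} is not defined")
    # A plain HTTP listener is acceptable only if it bounces clients to a TLS socket.
    https_sockets = {l.get("socket-binding") for l in https_listeners.values()}
    for listener in _find(undertow, "http-listener"):
        if listener.get("redirect-socket") not in https_sockets:
            findings.append(f"http-listener {listener.get('name')}: redirect-socket does not point at an https-listener")
    return findings


def check_web_xml(web_xml):
    """Every security-constraint must demand CONFIDENTIAL (i.e. TLS) transport."""
    findings = []
    constraints = list(_find(ET.fromstring(web_xml), "security-constraint"))
    if not constraints:
        findings.append("web.xml has no security-constraint, so nothing forces HTTPS")
    for sc in constraints:
        patterns = [e.text for e in _find(sc, "url-pattern")]
        guarantees = [e.text.strip() for e in _find(sc, "transport-guarantee") if e.text]
        if "CONFIDENTIAL" not in guarantees:
            findings.append(f"security-constraint for {patterns}: transport-guarantee is {guarantees or 'absent'}, not CONFIDENTIAL")
    return findings


if __name__ == "__main__":
    for finding in check_tls_chain(TLS_XML, UNDERTOW_XML) + check_web_xml(WEB_XML):
        print("FINDING:", finding)
```

Run against the post's own values the check comes back clean, which is the point: the TLS side of the question is already wired correctly, and what remains is the authentication wiring (the application-security-domain), not the transport. Swapping a reference name, enabling TLSv1 on the context, or downgrading the transport-guarantee to NONE each produces a finding.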
