Quickstart jaxrs-jwt: how to use it with TLS/SSL ?
rbattenfeld Jun 19, 2019 9:13 AM

Hi,

I am looking for a way to enable one-way SSL in order to secure the communication with the REST-based client when a client requests a new token. In your web app, a user is first authenticated with username/password, and when authenticated, a new token is returned.
We already have TLS/SSL enabled for other web applications, but we struggle a bit to put both settings together so that the token exchange is secured by TLS/SSL (one-way SSL).
Here are the key stores: one for the JWT token, one for the SSL certificate:

<tls>
  <key-stores>
    <key-store name="ncdrJwtStore">
      <credential-reference clear-text="MASK-3e5W...."/>
      <implementation type="JKS"/>
      <file path="C:/deve...."/>
    </key-store>
    <key-store name="ncdrKeyStore">
      <credential-reference clear-text="MASK-3e5...."/>
      <implementation type="JKS"/>
      <file path="C:/dev...."/>
    </key-store>
  </key-stores>
  <key-managers>
    <key-manager name="ncdrKeyManager" key-store="ncdrKeyStore">
      <credential-reference clear-text="MASK-3e5...."/>
    </key-manager>
  </key-managers>
  <server-ssl-contexts>
    <server-ssl-context name="ncdrSSLContext" protocols="TLSv1.2" key-manager="ncdrKeyManager"/>
  </server-ssl-contexts>
</tls>
Here are the Undertow settings:

<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
  <buffer-cache name="default"/>
  <server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" ssl-context="ncdrSSLContext" enable-http2="true"/>
    <host name="default-host" alias="localhost">
      <location name="/" handler="welcome-content"/>
      <http-invoker security-realm="ApplicationRealm"/>
    </host>
  </server>
  <servlet-container name="default">
    <jsp-config/>
    <websockets/>
  </servlet-container>
  <handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
  </handlers>
  <application-security-domains>
    <application-security-domain name="other" http-authentication-factory="jwt-http-authentication"/>
  </application-security-domains>
</subsystem>
Here is the web.xml, with transport-guarantee CONFIDENTIAL:

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>Restrict access to specified roles.</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method-omission>OPTIONS</http-method-omission>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>.... Application</realm-name>
  </login-config>
  <security-role>
    <role-name>*</role-name>
  </security-role>
</web-app>
Does it maybe just need a second application-security-domain?
Regards,
Ralf
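An offline check of the three fragments in the post, added here as an example (it is not code from the post, from the jaxrs-jwt quickstart or from WildFly). It parses the Elytron `<tls>` block, the Undertow subsystem and the web.xml and reports the things that have to line up for a BASIC-authenticated token request to be one-way TLS only: the https-listener must reference a defined `server-ssl-context`, that context must use a defined key-manager and no legacy protocol and must not demand client certificates (`need-client-auth`), the http-listener needs a `redirect-socket` so that a CONFIDENTIAL constraint has somewhere to send plain-HTTP requests, and every constraint in web.xml must be CONFIDENTIAL. It also flags two web.xml details a reviewer would raise: listing explicit `http-method`s without `<deny-uncovered-http-methods/>` leaves every other method unconstrained, and the Servlet 3.1 schema allows either `http-method` or `http-method-omission` in one `web-resource-collection`, not both. The XML strings are constructed from the post; the elided paths, credential references and realm name are replaced with placeholders.

```python
"""Audit WildFly/Elytron + web.xml fragments for one-way TLS on a token endpoint.

Added example, not part of the original post or of the jaxrs-jwt quickstart.
The XML below is constructed from the post; elided values are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"u": "urn:jboss:domain:undertow:8.0", "j": "http://xmlns.jcp.org/xml/ns/javaee"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed from the post's <tls> fragment (paths and MASK- credentials are placeholders).
TLS_XML = """<tls>
  <key-stores>
    <key-store name="ncdrJwtStore"><credential-reference clear-text="MASK-placeholder"/>
      <implementation type="JKS"/><file path="jwt.jks"/></key-store>
    <key-store name="ncdrKeyStore"><credential-reference clear-text="MASK-placeholder"/>
      <implementation type="JKS"/><file path="server.jks"/></key-store>
  </key-stores>
  <key-managers>
    <key-manager name="ncdrKeyManager" key-store="ncdrKeyStore">
      <credential-reference clear-text="MASK-placeholder"/></key-manager>
  </key-managers>
  <server-ssl-contexts>
    <server-ssl-context name="ncdrSSLContext" protocols="TLSv1.2" key-manager="ncdrKeyManager"/>
  </server-ssl-contexts>
</tls>"""

# Constructed from the post's Undertow subsystem, reduced to the listeners and security domain.
UNDERTOW_XML = """<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server">
  <server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
    <https-listener name="https" socket-binding="https" ssl-context="ncdrSSLContext" enable-http2="true"/>
  </server>
  <application-security-domains>
    <application-security-domain name="other" http-authentication-factory="jwt-http-authentication"/>
  </application-security-domains>
</subsystem>"""

# Constructed from the post's web.xml (realm name is a placeholder).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method-omission>OPTIONS</http-method-omission>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Example Application</realm-name></login-config>
</web-app>"""


def audit_tls(tls, undertow):
    """Check that the https-listener is backed by a sane one-way TLS context."""
    findings = []
    stores = {ks.get("name") for ks in tls.iter("key-store")}
    managers = {km.get("name"): km for km in tls.iter("key-manager")}
    contexts = {c.get("name"): c for c in tls.iter("server-ssl-context")}
    for name, km in managers.items():
        if km.get("key-store") not in stores:
            findings.append(f"key-manager {name}: references unknown key-store {km.get('key-store')}")
    https_listeners = undertow.findall(".//u:https-listener", NS)
    if not https_listeners:
        findings.append("undertow: no https-listener, so CONFIDENTIAL has no TLS port to redirect to")
    for listener in https_listeners:
        ctx_name = listener.get("ssl-context")
        ctx = contexts.get(ctx_name)
        if ctx is None:
            findings.append(f"https-listener {listener.get('name')}: ssl-context {ctx_name!r} is not defined")
            continue
        if ctx.get("key-manager") not in managers:
            findings.append(f"server-ssl-context {ctx_name}: unknown key-manager {ctx.get('key-manager')}")
        weak = sorted(set(ctx.get("protocols", "").split()) & LEGACY_PROTOCOLS)  # space-separated list
        if weak:
            findings.append(f"server-ssl-context {ctx_name}: legacy protocols enabled: {weak}")
        if ctx.get("need-client-auth") == "true":  # one-way TLS must not demand a client certificate
            findings.append(f"server-ssl-context {ctx_name}: need-client-auth=true is two-way TLS")
    for listener in undertow.findall(".//u:http-listener", NS):
        if not listener.get("redirect-socket"):
            findings.append(f"http-listener {listener.get('name')}: no redirect-socket, plain-HTTP "
                            "requests to CONFIDENTIAL resources cannot be redirected to https")
    return findings


def audit_web_xml(web):
    """Check that every constraint forces TLS and that no HTTP method is left uncovered."""
    findings = []
    deny_uncovered = web.find("j:deny-uncovered-http-methods", NS) is not None
    for sc in web.findall("j:security-constraint", NS):
        name = sc.findtext("j:web-resource-collection/j:web-resource-name", default="?", namespaces=NS)
        guarantee = sc.findtext("j:user-data-constraint/j:transport-guarantee", default="NONE", namespaces=NS)
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{name}: transport-guarantee is {guarantee}; BASIC credentials would travel in clear")
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = [m.text for m in wrc.findall("j:http-method", NS)]
            omissions = [m.text for m in wrc.findall("j:http-method-omission", NS)]
            if methods and omissions:
                findings.append(f"{name}: http-method and http-method-omission in one collection; "
                                "the Servlet 3.1 schema allows only one of them")
            if methods and not deny_uncovered:
                findings.append(f"{name}: only {methods} are constrained; other methods are uncovered "
                                "(add <deny-uncovered-http-methods/>)")
    return findings


def audit(tls_xml, undertow_xml, web_xml):
    """Return all findings for the three fragments; an empty list means the checks passed."""
    return audit_tls(ET.fromstring(tls_xml), ET.fromstring(undertow_xml)) + audit_web_xml(ET.fromstring(web_xml))


if __name__ == "__main__":
    for finding in audit(TLS_XML, UNDERTOW_XML, WEB_XML):
        print("-", finding)
```

Run against the post's own fragments the TLS side comes back clean: the listener, context, key-manager and key store chain up, only TLSv1.2 is enabled, no client authentication is requested and the http-listener has its redirect target. The two findings it does print are the web.xml method coverage points above; neither is a TLS problem, but both matter once the constraint is what decides whether a request is forced onto the https-listener. Weakening the constructed input (adding `TLSv1` to `protocols`, dropping `redirect-socket`) makes the corresponding checks fire, which is the way to confirm the audit actually looks at the attributes it claims to.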