3 Replies Latest reply on Oct 13, 2009 4:39 AM by h.wolffenbuttel

    Intergrating Security Into JBossESB By Using CLIENT-CERT aut

    h.wolffenbuttel
    h.wolffenbuttel Oct 7, 2009 4:49 AM

      The goal is to authorise usage of a webservice by validating the CN value of the Certificate as a user.

      I have established an SSL connection using a http-provider:

      <http-provider host="localhost" name="HTTPS" port="8765">
 <property name="scheme" value="https"/>
 <property name="secure" value="true"/>
 <property name="SSLEnabled" value="true"/>
 <property name="Keystore" value="key/esb.keystore"/>
 <property name="truststoreFile" value="key/esb.keystore"/>
 <property name="truststorePass" value="xxxxxxxxx"/>
 <property name="Keypass" value="xxxxxxxxx"/>
 <property name="clientAuth" value="false"/>
 <property name="keyAlias" value="xxxxxxxxxxxxxx"/>
 <property name="maxThreads" value="20"/>
 <property name="maxSpareThreads" value="5"/>
 <property name="minSpareThreads" value="2"/>

 <http-bus busid="Http-xxxxxxx" context="/xxx/httpsgateway/xxxxx">
 <property name="authMethod" value="CLIENT-CERT"/>
 <property name="securityDomain" value="java:/jaas/CertLogin"/>
 <property name="securityRole" value="worker"/>
 </http-bus>

</http-provider>


      I have defined a policy in login-config.xml: 

       <application-policy name = "CertLogin">
 <authentication>
 <login-module code = "org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule"
 flag = "required" >
 <module-option name = "keyStoreURL">key/esb.keystore</module-option>
 <module-option name = "keyStorePassword">xxxxxxxxx</module-option>
 <module-option name = "rolesPropertiesFile">props/certlogin-roles.properties</module-option>
 </login-module>
 </authentication>
 </application-policy>


      But i don't know how to get the domainName CertLogin registered. I have read that for this to work i need a web.xml and a jboss-web.xml, but i don't have a war deployment because i'm not using any selfdefined webservices, so i don't know where to put them.

      Is there another way to register the domainName CertLogin without any web.xml or jboss-web.xml? Or am i forgetting something?


      • 1337 Views
      • Tags:
        • 1. Re: Intergrating Security Into JBossESB By Using CLIENT-CERT
          h.wolffenbuttel
          h.wolffenbuttel Oct 7, 2009 5:14 AM (in response to h.wolffenbuttel)

          Just found the following website:
          http://www.jboss.org/community/wiki/BaseCertLoginModule

          It seems i need to use jmx-console domain to enable Certification authentication. Haven't implemented it yet....

            • Actions
          • 2. Re: Intergrating Security Into JBossESB By Using CLIENT-CERT
            h.wolffenbuttel
            h.wolffenbuttel Oct 7, 2009 7:26 AM (in response to h.wolffenbuttel)

            Found a way to delare my securityDomain:

            added the following code to server/{deployment}/conf/jboss-service.xml

             <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
 name="jboss.security:service=SecurityDomain">
 <constructor>
 <arg type="java.lang.String" value="CertLogin"></arg>
 </constructor>
 <attribute name="KeyStoreURL">resource:key/esb.keystore</attribute>
 <attribute name="KeyStorePass">xxxxxx</attribute>
 <depends>jboss.security:service=JaasSecurityManager</depends>
 </mbean>


            But there is always a next problem: There is a ClassCastException in the CertificateLoginModule. Already placed a topic on the ESB-Developers Forum.


              • Actions
            • 3. Re: Intergrating Security Into JBossESB By Using CLIENT-CERT
              h.wolffenbuttel
              h.wolffenbuttel Oct 13, 2009 4:39 AM (in response to h.wolffenbuttel)

              There is a way to work around the problem, but only if you settle for authentication/autorisation just on the http-portals to your ESB. The HTTP-provider can be configured on the http-bus like I already showed in my first added code example:

               <http-bus busid="Http-xxxxxxx" context="/xxx/httpsgateway/xxxxx">
 <property name="authMethod" value="CLIENT-CERT"/>
 <property name="securityDomain" value="java:/jaas/CertLogin"/>
 <property name="securityRole" value="worker"/>
 </http-bus>


              You can use a different role for each http-bus to ad authorisation to that service. For this to work you need to add an application-policy with two modules: 
               <application-policy name = "CertLogin">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
 flag = "required">
 <module-option name="password-stacking">useFirstPass</module-option>
 <module-option name="securityDomain">java:/jaas/CertLogin</module-option>
 <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
 </login-module>
 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
 flag = "required">
 <module-option name="password-stacking">useFirstPass</module-option>
 <module-option name="defaultUsersProperties">props/certlogin-users.properties</module-option>
 <module-option name="defaultRolesProperties">props/certlogin-roles.properties</module-option>
 <module-option name="usersProperties">props/certlogin-users.properties</module-option>
 <module-option name="rolesProperties">props/certlogin-roles.properties</module-option>
 </login-module>
 </authentication>
 </application-policy>


              In the xxx-roles.properties you can add the users with their security-roles.

              Note that the verifier used accepts all certificates, so you need to write your own to if you want to filter certain certificates.

              All this is also explained on https://forge.jboss.com/community/wiki/BaseCertLoginModule

              Regards,

              Hans

                • Actions