1. Re: Integrating Security Into JBossESB By Using CLIENT-CERT
h.wolffenbuttel Oct 7, 2009 5:14 AM (in response to h.wolffenbuttel)
Just found the following website:
http://www.jboss.org/community/wiki/BaseCertLoginModule
It seems I need to use jmx-console domain to enable Certification authentication. Haven't implemented it yet....
2. Re: Integrating Security Into JBossESB By Using CLIENT-CERT
h.wolffenbuttel Oct 7, 2009 7:26 AM (in response to h.wolffenbuttel)
Found a way to declare my securityDomain:
added the following code to server/{deployment}/conf/jboss-service.xml
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=SecurityDomain">
  <constructor>
    <arg type="java.lang.String" value="CertLogin"></arg>
  </constructor>
  <attribute name="KeyStoreURL">resource:key/esb.keystore</attribute>
  <attribute name="KeyStorePass">xxxxxx</attribute>
  <depends>jboss.security:service=JaasSecurityManager</depends>
</mbean>
But there is always a next problem: There is a ClassCastException in the CertificateLoginModule. Already placed a topic on the ESB-Developers Forum.
3. Re: Integrating Security Into JBossESB By Using CLIENT-CERT
h.wolffenbuttel Oct 13, 2009 4:39 AM (in response to h.wolffenbuttel)
There is a way to work around the problem, but only if you settle for authentication/authorisation just on the http-portals to your ESB. The HTTP-provider can be configured on the http-bus like I already showed in my first added code example:
<http-bus busid="Http-xxxxxxx" context="/xxx/httpsgateway/xxxxx">
  <property name="authMethod" value="CLIENT-CERT"/>
  <property name="securityDomain" value="java:/jaas/CertLogin"/>
  <property name="securityRole" value="worker"/>
</http-bus>
You can use a different role for each http-bus to add authorisation to that service. For this to work you need to add an application-policy with two modules:
<application-policy name="CertLogin">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="securityDomain">java:/jaas/CertLogin</module-option>
      <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="defaultUsersProperties">props/certlogin-users.properties</module-option>
      <module-option name="defaultRolesProperties">props/certlogin-roles.properties</module-option>
      <module-option name="usersProperties">props/certlogin-users.properties</module-option>
      <module-option name="rolesProperties">props/certlogin-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
In the xxx-roles.properties you can add the users with their security-roles.
Note that the verifier used accepts all certificates, so you need to write your own if you want to filter certain certificates.
All this is also explained on https://forge.jboss.com/community/wiki/BaseCertLoginModule
Regards,
Hans
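An added example, not part of the original posts or of JBoss itself: one way to write the stricter verifier the last reply calls for, to be named in the `verifier` module-option in place of AnyCertVerifier. The package and class names are hypothetical, the JBoss security classes are assumed to be on the classpath, and the check covers only a pinned certificate or a direct CA issuer in the domain's store (no chain building or revocation).

```java
package example.security; // hypothetical package name

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import org.jboss.security.auth.certs.X509CertificateVerifier;

/** Accepts a client certificate only if it is currently valid and is either
 *  stored in the domain's trust store or signed by a CA certificate in it. */
public class TrustedIssuerCertVerifier implements X509CertificateVerifier {

    public boolean verify(X509Certificate cert, String alias,
                          KeyStore keystore, KeyStore truststore) {
        // Fall back to the key store when the domain has no separate trust store.
        KeyStore store = (truststore != null) ? truststore : keystore;
        if (cert == null || store == null) {
            return false;
        }
        try {
            cert.checkValidity(); // throws if expired or not yet valid
            Enumeration<String> aliases = store.aliases();
            while (aliases.hasMoreElements()) {
                Certificate trusted = store.getCertificate(aliases.nextElement());
                if (trusted == null) {
                    continue;
                }
                if (trusted.equals(cert) || isIssuedBy(cert, trusted)) {
                    return true; // pinned certificate or trusted direct issuer
                }
            }
        } catch (GeneralSecurityException e) {
            return false; // fail closed on any validity or key store error
        }
        return false;
    }

    private static boolean isIssuedBy(X509Certificate cert, Certificate candidate) {
        if (!(candidate instanceof X509Certificate)) {
            return false;
        }
        X509Certificate ca = (X509Certificate) candidate;
        // The candidate must be marked as a CA and its subject must match the issuer name.
        if (ca.getBasicConstraints() < 0
                || !cert.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
            return false;
        }
        try {
            cert.verify(ca.getPublicKey()); // signature check against the CA key
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```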