3 Replies Latest reply on Oct 13, 2009 4:39 AM by Hans Wolffenbuttel

    Integrating Security Into JBossESB By Using CLIENT-CERT aut

    Hans Wolffenbuttel Expert

      The goal is to authorise usage of a webservice by validating the CN value of the Certificate as a user.

      I have established an SSL connection using a http-provider:

      <http-provider host="localhost" name="HTTPS" port="8765">
        <property name="scheme" value="https"/>
        <property name="secure" value="true"/>
        <property name="SSLEnabled" value="true"/>
        <property name="Keystore" value="key/esb.keystore"/>
        <property name="truststoreFile" value="key/esb.keystore"/>
        <property name="truststorePass" value="xxxxxxxxx"/>
        <property name="Keypass" value="xxxxxxxxx"/>
        <property name="clientAuth" value="false"/>
        <property name="keyAlias" value="xxxxxxxxxxxxxx"/>
        <property name="maxThreads" value="20"/>
        <property name="maxSpareThreads" value="5"/>
        <property name="minSpareThreads" value="2"/>

        <http-bus busid="Http-xxxxxxx" context="/xxx/httpsgateway/xxxxx">
          <property name="authMethod" value="CLIENT-CERT"/>
          <property name="securityDomain" value="java:/jaas/CertLogin"/>
          <property name="securityRole" value="worker"/>
        </http-bus>

      </http-provider>
      


      I have defined a policy in login-config.xml:

       <application-policy name="CertLogin">
         <authentication>
           <login-module code="org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule"
                         flag="required">
             <module-option name="keyStoreURL">key/esb.keystore</module-option>
             <module-option name="keyStorePassword">xxxxxxxxx</module-option>
             <module-option name="rolesPropertiesFile">props/certlogin-roles.properties</module-option>
           </login-module>
         </authentication>
       </application-policy>
      


      But I don't know how to get the domainName CertLogin registered. I have read that for this to work I need a web.xml and a jboss-web.xml, but I don't have a war deployment because I'm not using any self-defined webservices, so I don't know where to put them.

      Is there another way to register the domainName CertLogin without any web.xml or jboss-web.xml? Or am I forgetting something?


        • 1. Re: Integrating Security Into JBossESB By Using CLIENT-CERT
          Hans Wolffenbuttel Expert

          Just found the following website:
          http://www.jboss.org/community/wiki/BaseCertLoginModule

          It seems I need to use the jmx-console domain to enable certificate authentication. Haven't implemented it yet....

          • 2. Re: Integrating Security Into JBossESB By Using CLIENT-CERT
            Hans Wolffenbuttel Expert

            Found a way to declare my securityDomain:

            Added the following code to server/{deployment}/conf/jboss-service.xml:

             <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                    name="jboss.security:service=SecurityDomain">
               <constructor>
                 <arg type="java.lang.String" value="CertLogin"></arg>
               </constructor>
               <attribute name="KeyStoreURL">resource:key/esb.keystore</attribute>
               <attribute name="KeyStorePass">xxxxxx</attribute>
               <depends>jboss.security:service=JaasSecurityManager</depends>
             </mbean>
            


            But there is always a next problem: there is a ClassCastException in the CertificateLoginModule. I already placed a topic on the ESB-Developers Forum.


            • 3. Re: Integrating Security Into JBossESB By Using CLIENT-CERT
              Hans Wolffenbuttel Expert

              There is a way to work around the problem, but only if you settle for authentication/authorisation just on the http-portals to your ESB. The HTTP-provider can be configured on the http-bus like I already showed in my first code example:

               <http-bus busid="Http-xxxxxxx" context="/xxx/httpsgateway/xxxxx">
                 <property name="authMethod" value="CLIENT-CERT"/>
                 <property name="securityDomain" value="java:/jaas/CertLogin"/>
                 <property name="securityRole" value="worker"/>
               </http-bus>
              


              You can use a different role for each http-bus to add authorisation to that service. For this to work you need to add an application-policy with two modules:

               <application-policy name="CertLogin">
                 <authentication>
                   <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
                                 flag="required">
                     <module-option name="password-stacking">useFirstPass</module-option>
                     <module-option name="securityDomain">java:/jaas/CertLogin</module-option>
                     <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
                   </login-module>
                   <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                                 flag="required">
                     <module-option name="password-stacking">useFirstPass</module-option>
                     <module-option name="defaultUsersProperties">props/certlogin-users.properties</module-option>
                     <module-option name="defaultRolesProperties">props/certlogin-roles.properties</module-option>
                     <module-option name="usersProperties">props/certlogin-users.properties</module-option>
                     <module-option name="rolesProperties">props/certlogin-roles.properties</module-option>
                   </login-module>
                 </authentication>
               </application-policy>
              


              In the xxx-roles.properties you can add the users with their security-roles.

              Note that the verifier used accepts all certificates, so you need to write your own if you want to filter certain certificates.

              All this is also explained on https://forge.jboss.com/community/wiki/BaseCertLoginModule

              Regards,

              Hans
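
As an added example (not code from this thread or from JBoss), the kind of custom verifier the last reply says you have to write yourself: dropped in as the `verifier` module-option in place of AnyCertVerifier, it rejects expired certificates, requires the client certificate to be signed by a certificate held in the trust store, and only then accepts a subject CN from an allow-list, which is the CN-based authorisation the original question is after. It assumes the JBossSX `org.jboss.security.auth.certs.X509CertificateVerifier` interface with its single `verify(X509Certificate, String, KeyStore, KeyStore)` method; the class name and the CN allow-list are constructed.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.jboss.security.auth.certs.X509CertificateVerifier;
// Hypothetical verifier to configure as BaseCertLoginModule's "verifier" instead of AnyCertVerifier.
public class TrustedIssuerCnVerifier implements X509CertificateVerifier {
    // Constructed allow-list of subject CNs that may authenticate.
    private static final Set<String> ALLOWED_CN =
        new HashSet<String>(Arrays.asList("worker1", "worker2"));

    public boolean verify(X509Certificate cert, String alias,
                          KeyStore keyStore, KeyStore trustStore) {
        // Reject expired or not-yet-valid certificates first.
        try { cert.checkValidity(); } catch (GeneralSecurityException e) { return false; }
        String cn = subjectCn(cert);
        return signedByTrustStoreCert(cert, trustStore) && cn != null && ALLOWED_CN.contains(cn);
    }

    // True when a trust-store certificate whose subject equals the client cert's issuer really
    // signed it; a self-signed client cert kept in the trust store passes too (that pins it).
    static boolean signedByTrustStoreCert(X509Certificate cert, KeyStore trustStore) {
        if (trustStore == null) return false;
        try {
            for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
                Certificate c = trustStore.getCertificate(e.nextElement());
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate issuer = (X509Certificate) c;
                if (!issuer.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
                try { cert.verify(issuer.getPublicKey()); return true; }
                catch (GeneralSecurityException badSignature) { /* try the next alias */ }
            }
        } catch (KeyStoreException e) { /* fall through: not trusted */ }
        return false;
    }
    // Pull the CN attribute out of the subject DN (RFC 2253 form).
    static String subjectCn(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
        } catch (InvalidNameException e) { /* malformed DN */ }
        return null;
    }
}
```

The class has to be on the server classpath (for example in a jar under the deployment's lib directory) before the login-config.xml policy referencing it is loaded.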