1 Reply Latest reply on Jan 6, 2010 9:28 AM by sguilhen

Option for Client Authentication at JBoss Security Domain Level

ovidiu.feodorov Dec 29, 2009 10:18 PM

Option for Client Authentication at JBoss Security Domain Level

Some operational environments require that all SSL connections into a JBoss instance must be mutually authenticated, and that should be a configuration option. While the Tomcat SSL connector exposes this option, this is not the case for JBoss security domains, at least as per 4.3.0.GA_CP04. The code change described below adds the possibility of configuring client authentication at JBoss security domain configuration level.

Suggested changes

The possibility of specifying the option for client authentication should be exposed at org.jboss.security.plugins.JaasSecurityDomain/org.jboss.security.plugins.JaasSecurityDomainMBean level:

boolean isClientAuth(); setClientAuth(boolean b);

By exposing this API, a JaasSecurityDomain can be configured to require client authentication.

The class that uses this information to effectively configure secure sockets to require mutual authentication is org.jboss.security.ssl.DomainServerSocketFactory. DomainServerSocketFactory must be modified to read the option from the associated security domain and enforce it on the sockets it creates. A DomainServerSocketFactory receives a SecurityDomain instance, so org.jboss.security.SecurityDomain must expose the option via its API. A patch has been written, tested and available to be attached to the JIRA issue as soon as it is created. Note that this change adds functionality and does not change or removes existing functionality, so most likely will not interfere with any existing code; full test suite run is required.

Affected classes

org.jboss.security.plugins.JaasSecurityDomain
org.jboss.security.plugins.JaasSecurityDomainMBean
org.jboss.security.SecurityDomain
org.jboss.security.propertyeditor.SecurityDomainEditor
org.jboss.security.ssl.DomainServerSocketFactory

1. Re: Option for Client Authentication at JBoss Security Domain Level

sguilhen Jan 6, 2010 9:28 AM (in response to ovidiu.feodorov)
I don't see how this is different from setting the needsClientAuth property directly in the DomainServerSocketFactory:

<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker" name="jboss:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true"> <attribute name="RMIObjectPort">0</attribute> <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory </attribute> <attribute name="RMIServerSocketFactoryBean" attributeClass="org.jboss.security.ssl.RMISSLServerSocketFactory" serialDataType="javaBean"> <property name="bindAddress">${jboss.bind.address}</property> <property name="securityDomain">java:/jaas/rmi-ssl</property> <property name="needsClientAuth">true</property> <property name="CiperSuites">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property> <property name="Protocols">SSLv2Hello,SSLv3,TLSv1</property> </attribute> </mbean>

The needsClientAuth property is used when creating the SSLServerSocket to indicate that client authentication is required. If the client doesn't provide credentials, the SSL negotiation will fail.
There is also the wantsClientAuth property that can be used to indicate that client authentication will be requested during the negotiation phase. In this case, however, if the client doesn't provide the credentials, the SSL negotiation will continue.

Note: in the JRMPInvoker sample above we are using the RMISSLServerSocketFactory. It implements the RMIServerSocketFactory interface and delegates all methods to the DomainServerSocketFactory. So setting the needsClientAuth property there will end up setting the same property in DomainServerSocketFactory.
Actions