1 Reply Latest reply on Mar 10, 2010 11:07 AM by Dejan Mratinkovic

    SSL difference authentication scenarios

    Nicole Schweighardt Novice

      Hi,


      I am relatively new to the issue security. I have got an webapplication that runs in JBoss 5.0.1GA with a JSF-Layer (RichFaces) that communicates with EJB-SessionBeans. To store my data I have got a MySQl-Database. The users from my application have to register and have to login on a form. For authentication I use Servlet-Authentication (FORM) in combination with the jboss security module "DatabaseServerLoginModule". It works but I know that this is not very secure because the passwords are thrown via plaintext. That is the reason why I want to use SSL.

      I read the tutorial SSLSetup and I configured the webdeployer of JBoss. That works. But I do not really understand the difference between the following authentication scenarios wich are described in the tutorial:

       

      • 1 - SSL enabled on the server - the common case

      • 2 - SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client

      • 3 - SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client

      • 4 - SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert

       

      When do I need clientAuth="true" and what does it mean if I use clientAuth="false"?

      If I have only configured the webdeployer in JBoss is my authentication secure? And is the communication between JSF and EJB secure?

      I hope the questions are not too dumb,,,,:-)

       

      Thanks a lot!

      Nicki

        • 1. Re: SSL difference authentication scenarios
          Dejan Mratinkovic Newbie

          When do I need clientAuth="true" and what does it mean if I use clientAuth="false"?

          If I have only configured the webdeployer in JBoss is my authentication secure? And is the communication between JSF and EJB secure?

          I hope the questions are not too dumb,,,,:-)

           

          You can set up SSL so client can acces your server via https and be sure you are who you represent as.

           

          But, if you set

          clientAuth="true"

          client is also requred to have certificate, and you have to thrust this certificate (to have certificate issuer in your trist store)

           

          With

          clientAuth="false"

          Anyone can access your server (open pages, use web services, etc.)