0 Replies Latest reply on Jun 17, 2011 4:19 PM by demetrio carvalho

    How to prevent a user to download the keystore?

    demetrio carvalho Newbie

      I am using JBoss 6 and JBossWS, but the client wil be in C#. I created a simpled web service and I want to allow only https.

      I did these steps:

       

      1)keytool.exe -genkey -alias Tomcat -keyalg RSA -storepass bigsecret -keypass bigsecret -dname "cn=localhost"

       

      2)Update the server.xml with this block:

        <Connector protocol="HTTP/1.1" SSLEnabled="true"

                 port="8443" address="${jboss.bind.address}"

                 maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"

                 emptySessionPath="true"

                 scheme="https" secure="true" clientAuth="false"

                 keystoreFile="${jboss.server.home.dir}/conf/.keystore"

                 sslProtocol = "TLS" keystorePass="bigsecret"/>

       

      3)I exported the self-signed public key from HOME/.keystore execute the following:
      D:\>keytool.exe -export -rfc -alias Tomcat -file Tomcat.cer -storepass bigsecret -keypass bigsecret

       

      4)I created the custom keystore for the client by importing Tomcat.cer:
      D:>keytool.exe -import -noprompt -trustcacerts -alias Tomcat -file Tomcat.cer -keystore CustomKeystore -storepass littlesecret

       

      5)I update web.xml with this block:

          <security-constraint>

              <web-resource-collection>

                  <web-resource-name>app-name</web-resource-name>

                  <url-pattern>/*</url-pattern>

              </web-resource-collection>

              <user-data-constraint>

                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>

              </user-data-constraint>

          </security-constraint>

       

      Now it's working perfectlly when I try to test. It's not alowed to acces by http, only by https.

      The only problem is that every person who tried to access the https://mycomputer:8443/myproject/mywsd?wsdl is allowed.

      My intention is that only who I send the keystore or the .cer inside the keystore could be access the webservice and the to see the wsdl file.

      What I should do? Is that a configuration in JBoss6 to prevent the wsdl file to be downloaded?