0 Replies Latest reply on Jun 17, 2011 4:19 PM by demetrio carvalho

    How to prevent a user from downloading the keystore?

    demetrio carvalho Newbie

      I am using JBoss 6 and JBossWS, but the client will be in C#. I created a simple web service and I want to allow only https.

      I did these steps:


      1)keytool.exe -genkey -alias Tomcat -keyalg RSA -storepass bigsecret -keypass bigsecret -dname "cn=localhost"


      2)Update the server.xml with this block:

        <Connector protocol="HTTP/1.1" SSLEnabled="true"
                 port="8443" address="${jboss.bind.address}"
                 maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
                 scheme="https" secure="true" clientAuth="false"
                 sslProtocol="TLS" keystorePass="bigsecret"/>


      3)I exported the self-signed public key from HOME/.keystore by executing the following:
      D:\>keytool.exe -export -rfc -alias Tomcat -file Tomcat.cer -storepass bigsecret -keypass bigsecret


      4)I created the custom keystore for the client by importing Tomcat.cer:
      D:>keytool.exe -import -noprompt -trustcacerts -alias Tomcat -file Tomcat.cer -keystore CustomKeystore -storepass littlesecret


      5)I updated web.xml with this block:











      Now it's working perfectly when I try to test. Access by http is not allowed, only by https.

      The only problem is that every person who tries to access https://mycomputer:8443/myproject/mywsd?wsdl is allowed.

      My intention is that only those to whom I send the keystore, or the .cer inside the keystore, can access the web service and see the WSDL file.

      What should I do? Is there a configuration in JBoss 6 to prevent the WSDL file from being downloaded?
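
An added example, not part of the original post: the connector from step 2 next to a variant that requires a client certificate, which is the connector-level setting that limits access to chosen clients. The truststore path and its password are placeholders (assumptions), and each client is assumed to have its own key pair whose certificate was imported into that truststore.

```xml
<!-- Added example. The truststore path and password are placeholders. -->

<!-- As posted in step 2: one-way TLS. The server proves its identity with
     the private key in HOME/.keystore. Tomcat.cer holds only the public
     certificate, which every client receives during the TLS handshake, so
     distributing it does not restrict who can connect. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" keystorePass="bigsecret"/>

<!-- Variant: mutual TLS. clientAuth="true" makes the connector reject any
     handshake in which the client does not present a certificate that
     chains to an entry in the truststore. The truststore contains the
     certificates of the permitted clients (public parts only); each
     client keeps its own private key and never receives the server
     keystore. The WSDL URL is served over the same connector, so it is
     covered by the same check. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           scheme="https" secure="true" clientAuth="true"
           sslProtocol="TLS" keystorePass="bigsecret"
           truststoreFile="/path/to/client-truststore.jks"
           truststorePass="CHANGE_ME"/>
```

The server keystore from step 1 contains the private key and stays on the server in both variants; only certificates are exchanged.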