Accessing Client Certificates in JBoss Servlet with proxy HTTP Server
julieh Dec 5, 2011 1:38 AM

Hi. I am having some issues accessing Client Certificates from within my JBoss Servlet. I am not really sure if I have my JBoss configuration correct for getting access to the Client Certificates when using a proxy HTTP server.

Firstly, I am using JBoss 6.1.0.Final. I have an IBM HTTP Server set up which directs calls to particular URLs through to my JBoss server. I have 2 web applications installed. One web application handles the URLs which require Basic Authentication. The other web application handles those URLs where the client provides a Client Certificate. The Basic Authentication app is working well. However, I cannot get the Client Certificate web application working, in that I cannot get access to the Client Certificate in the request.

I am pretty confident that I have the HTTP server set up correctly. (The project I am working on is to migrate an application from WebSphere Application Server to JBoss. I have exactly the same setup in the HTTP server for the URLs that are directed to JBoss as for the URLs that are directed to WAS, and the client certificate is contained in the request when the request gets to the servlet installed in WAS.)

PS. I have SSLClientAuth set as optional in the HTTP Server config, as I don't want HTTP Server to enforce the existence of the client cert; I want that to be controlled by the application.

So that leads me to conclude that I have not set up JBoss correctly. I have the security-constraint section of the web.xml set up as follows:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Axis Test Protected Area</web-resource-name>
        <url-pattern>/inbound/AS2</url-pattern>
        <url-pattern>/inbound/ACSN</url-pattern>
        <url-pattern>/inbound/wM</url-pattern>
        <url-pattern>/inbound/EBXML</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Test</realm-name>
</login-config>
So my understanding is that this means that the resource is secured and will request a Client Certificate.
Based on this assumption, I don't think that I need anything in the server.xml which forces a client certificate to be provided (as the HTTP Server will be authenticating the Client Cert IF it is provided).
Therefore I have the following set up for the Connector in the server.xml:
<Connector protocol="HTTP/1.1" SSLEnabled="true" allowTrace="true"
           port="${jboss.web.https.port}" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/was7-plugin-key.jks"
           keystorePass="axis2002" sslProtocol="TLS"
/>
So using the above config, I have initially attempted to access the secured URL (inbound/AS2) directly through JBoss (i.e. taking HTTP Server out of the equation), but without any luck.
Using the above config, and accessing the URL from a web browser (in which I have installed a cert), a Client Certificate is requested. I select the cert in the web browser, but it is never passed in the request, and my servlet doesn't initiate. This is part of the message I get in the server.log:
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) ---------------------------------------------------------------
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) authType=null
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) contentLength=-1
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) contentType=text/html;charset=utf-8
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) header=X-Powered-By=Servlet/3.0; JBossAS-6
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) header=Pragma=No-cache
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) header=Cache-Control=no-cache
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) header=Expires=Thu, 01 Jan 1970 10:00:00 EST
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) message=No client certificate chain in this request
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) remoteUser=null
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) status=401
INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost]] (http-AXBAPPST02%2F1.93.199.91-9081-1) ===============================================================
I have also tried setting clientAuth to 'want' and adding a truststoreFile and truststorePass (and NOT having a truststoreFile and Pass) to the Connector in server.xml. This results in being asked for a client cert in the browser, but absolutely no logging in the server.
Any pointers in helping to get this set up would be REALLY appreciated.
Thanks
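An added Java servlet example (not code from the original post) showing how the application itself reads the client chain under the Servlet-spec request attribute, and how to report the "no chain" case the log above shows instead of leaving it to the container's CLIENT-CERT check; the class name InboundAs2Servlet and its mapping are assumptions.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet assumed to be mapped to /inbound/AS2 in web.xml.
public class InboundAs2Servlet extends HttpServlet {

    // Servlet-spec attribute holding the TLS client chain (leaf certificate first).
    // The container only fills it when the TLS endpoint asked for a certificate during
    // the handshake (connector clientAuth="want" or "true"); with clientAuth="false" the
    // browser is never asked, so the attribute stays null and CLIENT-CERT auth answers 401.
    // When TLS terminates at a proxy, the chain reaches the servlet only if the proxy
    // forwards it to the container (AJP carries it; plain HTTP proxying needs extra setup).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the client's own certificate, or null if the request carried no chain. */
    static X509Certificate leafCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length == 0 ? null : chain[0];
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate cert = leafCertificate(req);
        if (cert == null) {
            // Enforce the requirement in the application and log enough to troubleshoot
            // whether the request was even TLS and whether the container authenticated it.
            log("No client certificate chain on " + req.getRequestURI()
                    + " (secure=" + req.isSecure() + ", authType=" + req.getAuthType() + ")");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Client certificate required");
            return;
        }
        try {
            cert.checkValidity();   // reject expired or not-yet-valid certificates explicitly
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        String subject = cert.getSubjectX500Principal().getName();
        log("Client cert accepted: subject=" + subject + " serial=" + cert.getSerialNumber());
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as " + subject);
    }
}
```

The log line in the null branch is the first thing to compare against the "No client certificate chain in this request" entry above: if isSecure() is false or the chain is absent even with clientAuth="want", the certificate is being dropped before it reaches the container.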