1 Reply Latest reply on Jun 16, 2014 7:15 AM by Maycon Oliveira

    Programmatic CLIENT-CERT authentication and authorization?

    Maycon Oliveira Newbie

      Hi everybody, lately im having a lot of questions :-) I spect that helps someone .

       

      Anybody could explain to me why i need to create all the following steps to just get the client certificate (mutual authentication) ?

       

      1 - First create the https listener.

       

      <https-listener name="yyy" socket-binding="https" security-realm=xxx-security-realm" />
      

       

      2 - define the realm with the trustable certificates and the server certificate

       

      <security-realm name="xxx-security-realm">
                      <server-identities>
                          <ssl>
                              <keystore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="123456" alias="server" key-password="123456"/>
                          </ssl>
                      </server-identities>
                      <authentication>
                          <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="123456"/>
                      </authentication>
        </security-realm>
      

       

      3 - Now the problem begin. I only want that the browser send me the certificate and then get "javax.servlet.request.X509Certificate" attribute. If i change the verify-client attribute to REQUIRED it works but i just want to ask the certificated when needed. Well... I couldn't find a way to get without using security-contraints:

       

      <security-constraint>
        <web-resource-collection>
        <web-resource-name>test-app</web-resource-name>
        <url-pattern>/CertLoginServlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
        <role-name>my-auth-role</role-name>
        </auth-constraint>
        <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
        </security-constraint>
        <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        </login-config>
        <security-role>
        <role-name>my-auth-role</role-name>
        </security-role>
      

       

      4 - I also need a login-module (in my case, my login module always return the expected role "my-auth-role")

       

      <security-domain name="my-auth" cache-type="default">
                          <authentication>
                              <login-module code="com.xpto.custom.CustomLoginModule" flag="required"/>
                          </authentication>
                      </security-domain>
      

       

      5 - And more!  jboss-web.xml

       

        <jboss-web>
        <security-domain>my-auth</security-domain>
      </jboss-web>
      

       

       

      Why the steps 3 ,4 and 5 are required? Is there a way to avoid? I want to validate the selected certificate by myself on a JSF page doing some SQL queries based on some certificate atributes.

       

       

      Thanks for any explanation!!!