1 Reply Latest reply on Jun 16, 2014 7:15 AM by Maycon Oliveira

    Programmatic CLIENT-CERT authentication and authorization?

    Maycon Oliveira Newbie

      Hi everybody, lately I'm having a lot of questions :-) I expect that helps someone.


      Could anybody explain to me why I need to do all the following steps just to get the client certificate (mutual authentication)?


      1 - First create the HTTPS listener.


      <https-listener name="yyy" socket-binding="https" security-realm="xxx-security-realm"/>


      2 - Define the realm with the trusted certificates and the server certificate.


      <security-realm name="xxx-security-realm">
          <keystore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="123456" alias="server" key-password="123456"/>
          <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="123456"/>
      </security-realm>


      3 - Now the problem begins. I only want the browser to send me the certificate so that I can then read the "javax.servlet.request.X509Certificate" attribute. If I change the verify-client attribute to REQUIRED it works, but I just want to ask for the certificate when needed. Well... I couldn't find a way to get it without using security-constraints:




      4 - I also need a login-module (in my case, my login module always returns the expected role "my-auth-role").


      <security-domain name="my-auth" cache-type="default">
          <login-module code="com.xpto.custom.CustomLoginModule" flag="required"/>
      </security-domain>


      5 - And more! jboss-web.xml





      Why are steps 3, 4 and 5 required? Is there a way to avoid them? I want to validate the selected certificate myself on a JSF page, doing some SQL queries based on some certificate attributes.



      Thanks for any explanation!!!
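The following is an added example and not code from the post or from WildFly. It shows what the application-side check the poster describes could look like once the listener hands over the certificate: a servlet filter reads the standard `javax.servlet.request.X509Certificate` attribute (an `X509Certificate[]`, index 0 being the client's own certificate), handles the case where the browser sent no certificate (which happens when the listener is configured with `verify-client="REQUESTED"` rather than `REQUIRED`), re-checks the validity period, extracts the subject CN, and looks it up with a parameterized SQL query so certificate attributes are never concatenated into SQL. The filter class, the `/secure/*` URL pattern, the `clientCertSubjectCn` request attribute and the `client_certs` table are assumptions made for this example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example code, not part of the original post): reads the
 * client certificate that the HTTPS listener already verified against the
 * realm's truststore and exposes the subject CN to the JSF page behind it.
 */
@WebFilter(urlPatterns = "/secure/*")   // assumed URL pattern for the pages needing a certificate
public class ClientCertFilter implements Filter {

    // Standard Servlet-spec attribute name; the same one the post asks about.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Request attribute the JSF page reads; name chosen for this example.
    static final String SUBJECT_CN_ATTR = "clientCertSubjectCn";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] chainFromTls = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // With verify-client=REQUESTED the browser may decline to send a certificate;
        // the attribute is then null, so the application decides what to do about it.
        if (chainFromTls == null || chainFromTls.length == 0) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        X509Certificate leaf = chainFromTls[0];   // index 0 is the client's own certificate
        try {
            leaf.checkValidity();                 // application-level re-check of notBefore/notAfter
        } catch (CertificateException e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not currently valid");
            return;
        }
        String cn = extractCn(leaf);
        if (cn == null) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate has no CN");
            return;
        }
        req.setAttribute(SUBJECT_CN_ATTR, cn);
        chain.doFilter(req, res);
    }

    /** Returns the CN RDN of the certificate's subject DN, or null if there is none. */
    static String extractCn(X509Certificate cert) {
        try {
            // getName() yields an RFC 2253 string, which LdapName parses into RDNs.
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // unparseable subject: treat as "no CN"
        }
        return null;
    }

    /**
     * The SQL lookup the post mentions, done safely: subject CN and issuer DN are
     * bound as parameters, never concatenated into the statement. The client_certs
     * table is assumed for this example.
     */
    static boolean isKnownSubject(Connection conn, X509Certificate cert, String cn) throws SQLException {
        String issuerDn = cert.getIssuerX500Principal().getName();
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT 1 FROM client_certs WHERE subject_cn = ? AND issuer_dn = ?")) {
            ps.setString(1, cn);
            ps.setString(2, issuerDn);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

The filter only runs after the TLS layer has already validated the chain against the realm's truststore; what it adds is the application's own decision (which CN, issued by which CA, is allowed where), which is the part the post wants to do on the JSF page instead of through security-constraints and a login module.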