Programmatic CLIENT-CERT authentication and authorization?
fuinhaazul Jun 10, 2014 7:36 PM

Hi everybody, lately I'm having a lot of questions :-) I expect that this helps someone.
Could anybody explain to me why I need to go through all the following steps just to get the client certificate (mutual authentication)?
1 - First create the https listener.
    <https-listener name="yyy" socket-binding="https" security-realm="xxx-security-realm" />
2 - define the realm with the trustable certificates and the server certificate
    <security-realm name="xxx-security-realm">
        <server-identities>
            <ssl>
                <keystore path="server.jks" relative-to="jboss.server.config.dir" keystore-password="123456" alias="server" key-password="123456"/>
            </ssl>
        </server-identities>
        <authentication>
            <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="123456"/>
        </authentication>
    </security-realm>
3 - Now the problem begins. I only want the browser to send me the certificate and then get the "javax.servlet.request.X509Certificate" attribute. If I change the verify-client attribute to REQUIRED it works, but I just want to ask for the certificate when needed. Well... I couldn't find a way to get it without using security-constraints:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>test-app</web-resource-name>
            <url-pattern>/CertLoginServlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>my-auth-role</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
        <role-name>my-auth-role</role-name>
    </security-role>
4 - I also need a login module (in my case, my login module always returns the expected role "my-auth-role"):
    <security-domain name="my-auth" cache-type="default">
        <authentication>
            <login-module code="com.xpto.custom.CustomLoginModule" flag="required"/>
        </authentication>
    </security-domain>
5 - And more! jboss-web.xml:
    <jboss-web>
        <security-domain>my-auth</security-domain>
    </jboss-web>
Why are steps 3, 4 and 5 required? Is there a way to avoid them? I want to validate the selected certificate myself on a JSF page, doing some SQL queries based on some certificate attributes.
Thanks for any explanation!!!
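As an added example (not code from the post or from WildFly itself), this is how a servlet can read the client certificate "when needed" without a security-constraint, login module or jboss-web.xml: it reads the javax.servlet.request.X509Certificate attribute, treats its absence as the no-certificate case, and then looks the certificate up by issuer and serial number through a parameterized SQL query. It assumes the https-listener is set to request rather than require a client certificate (verify-client="REQUESTED" in the undertow subsystem, so the TLS handshake still validates the presented chain against truststore.jks), and the datasource JNDI name and the cert_users table are assumptions for illustration.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.sql.*;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import javax.sql.DataSource;
@WebServlet("/CertLoginServlet")
public class CertLoginServlet extends HttpServlet {
    // Assumed datasource JNDI name (WildFly's default ExampleDS); adjust to the deployment.
    @Resource(lookup = "java:jboss/datasources/ExampleDS")
    private DataSource ds;
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Null unless the listener asked for a client certificate and the browser sent one.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "No client certificate presented");
            return;
        }
        X509Certificate cert = chain[0]; // index 0 is the client's own (end-entity) certificate
        try {
            cert.checkValidity(); // reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate outside validity period");
            return;
        }
        // Issuer DN plus serial number identifies a certificate; bind both as parameters, never by concatenation.
        String issuer = cert.getIssuerX500Principal().getName();
        String serialHex = cert.getSerialNumber().toString(16);
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "SELECT role FROM cert_users WHERE issuer_dn = ? AND serial_hex = ?")) { // assumed table
            ps.setString(1, issuer);
            ps.setString(2, serialHex);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) { resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate not registered"); return; }
                req.getSession().setAttribute("role", rs.getString("role"));
            }
        } catch (SQLException e) {
            throw new ServletException("Role lookup failed", e);
        }
        resp.getWriter().println("Authenticated " + cert.getSubjectX500Principal().getName());
    }
}
```

Because the container only populates the attribute when the handshake produced a certificate it trusts, the servlet does not re-verify the chain; it decides authorization from fields of an already-verified certificate.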