1 Reply Latest reply on Aug 12, 2015 6:23 AM by Tomaz Cerar

    Manual prompting of Certificate (Wildfly 9)

    Drew Wharton Newbie

      Hi,

       

      I am attempting to implement login logic that includes the ability to submit a X509Certificate as your credential for login.  The issue I'm running into is that with my current configuration in the standalone.xml I am receiving certificate prompts whenever I enter an https address rather than the desired behavior, which is when a user clicks a button.  Is there anyway for me to configure the server to only allow prompting when I request the certificate(s) in a servlet?

       

      My current configuration contains a security-realm with a keystore and truststore specified, a security-domain with the jsse tag specified for the keystore and truststore, and an https-listener configured to use the security-realm mentioned prior.

       

      Thanks for your time.

        • 1. Re: Manual prompting of Certificate (Wildfly 9)
          Tomaz Cerar Master

          As Darran said certificates are only exchanged on establishing/negotiation of SSL connection.

           

          However you can configure your server and application to force re-negotiation of SSL connection with requesting the certificate.

           

          in undertow subsystem on https-listener set verify-client="REQUESTED" not REQUIRED as you probably have now.

          next thing is to configure your application.

          to your web.xml add something along this lines:

           

          <security-constraint>
            <web-resource-collection>
            <web-resource-name>Everything</web-resource-name>
            <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
          </security-constraint>
          <login-config>
            <auth-method>CLIENT-CERT</auth-method>
          </login-config>

           

          where url-pattern should be part of your application path that requires client certificate.

          probably something like /protected/*