0 Replies Latest reply on Sep 3, 2015 3:03 PM by Manuel Colchete

    How to request client certificate in a specific uri

    Manuel Colchete Newbie

      Hi all.


      I have a system with authentication via login and password and would like to provide a URL where the user could authenticate using a digital certificate.

      The initial idea is to request the user certificate when accessing the URL /cert-login. At that address a servlet would take the attributes of the certificate and validate them against a database table, identifying the user and performing the login process.

      For this I set up my standalone.xml like this:

          <!-- management section: the realm that holds the server certificate and the CA trust store -->
          <security-realm name="SSLRealm">
              <server-identities>
                  <ssl protocol="TLS">
                      <keystore path="certs/localhost.jks" relative-to="jboss.server.config.dir" keystore-password="123456" alias="localhost"/>
                  </ssl>
              </server-identities>
              <authentication>
                  <truststore path="certs/ca.jks" relative-to="jboss.server.config.dir" keystore-password="123456"/>
              </authentication>
          </security-realm>

          <!-- undertow subsystem: the HTTPS listener that uses the realm above -->
          <server name="default-server">
              <http-listener name="default" socket-binding="http"/>
              <https-listener name="default-https" socket-binding="https" security-realm="SSLRealm" verify-client="NOT_REQUESTED"/>
              <host name="default-host" alias="localhost">
                  <location name="/" handler="welcome-content"/>
                  <filter-ref name="server-header"/>
                  <filter-ref name="x-powered-by-header"/>
              </host>
          </server>

      and my web.xml like this:


      Note that the verify-client attribute is set to NOT_REQUESTED which, according to the documentation:

      HTTPS undertow listener has 3 options for verify-client parameter: NOT_REQUESTED (Default), REQUESTED, REQUIRED. If it is set to NOT_REQUESTED (the default), it should not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

      If I change this attribute to REQUESTED, the certificate is requested at any URL accessed; however, I would like this behavior to be restricted to the URL /cert-login.

      But when I access /cert-login in my application, the certificate is not required and the HTTP 403 status is returned.

      What am I doing wrong?

      Thank you for your help.
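As an added example (not part of the original post), here is a web.xml that protects only /cert-login with a CLIENT-CERT constraint, which is the arrangement the quoted documentation describes for a listener left at verify-client="NOT_REQUESTED". The servlet class and the role name cert-user are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

    <!-- Servlet that reads the presented certificate and completes the login.
         The class name is a placeholder for the application's own servlet. -->
    <servlet>
        <servlet-name>CertLoginServlet</servlet-name>
        <servlet-class>com.example.CertLoginServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>CertLoginServlet</servlet-name>
        <url-pattern>/cert-login</url-pattern>
    </servlet-mapping>

    <!-- Only this URL is protected. With verify-client="NOT_REQUESTED" the
         listener asks for a client certificate only when a request hits a
         CLIENT-CERT constraint, so every other URL stays password-based. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Certificate login</web-resource-name>
            <url-pattern>/cert-login</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- assumed role name; it must be granted by the security domain -->
            <role-name>cert-user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- certificates can only be exchanged over TLS, so force HTTPS -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>SSLRealm</realm-name>
    </login-config>

    <security-role>
        <role-name>cert-user</role-name>
    </security-role>
</web-app>
```

The security domain referenced from WEB-INF/jboss-web.xml must map the presented certificate to the role named in auth-constraint; a certificate that authenticates but carries no matching role is rejected by the container with HTTP 403 rather than passed to the servlet.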