0 Replies Latest reply on Sep 3, 2015 3:03 PM by Manuel Colchete

    How to request client certificate in a specific uri

    Manuel Colchete Newbie

      Hi all.

       

      I have a system with authentication via login and password and would like to provide a url for the user could authenticate using a digital certificate.


      The initial idea is to request the user certificate when accessing the url /cert-login. That address a servlet would take the attributes of the certificate and validate in a database table identifying the user and performing the login process.

      For this I set up my standalone.xml like this:

      
      ...
                 <security-realm name="SSLRealm">
                      <server-identities>
                          <ssl protocol="TLS">
                              <keystore path="certs/localhost.jks" relative-to="jboss.server.config.dir" keystore-password="123456" alias="localhost"/>
                          </ssl>
                      </server-identities>
      
                      <authentication>
                          <truststore path="certs/ca.jks" relative-to="jboss.server.config.dir" keystore-password="123456"/>
                      </authentication>
      
                   </security-realm>
      ...
                   <server name="default-server">
                      <http-listener name="default" socket-binding="http"/>
                      <https-listener name="default-https" socket-binding="https" security-realm="SSLRealm" verify-client="NOT_REQUESTED"/>
                      <host name="default-host" alias="localhost">
                          <location name="/" handler="welcome-content"/>
                          <filter-ref name="server-header"/>
                          <filter-ref name="x-powered-by-header"/>
                      </host>
                  </server>
      
      ...
      ......
      
      
      
      
      


      and my web.xml like this:

      
      ...
          <security-constraint>
              <web-resource-collection>
                  <url-pattern>/cert-login</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>*</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
          <login-config>
              <auth-method>CLIENT-CERT</auth-method>
          </login-config>
      ...
      
      
      
      
      
      


      Note that the verify-client attribute is set to NOT_REQUESTED which, according to the documentation:


      HTTPS undertow listener has 3 options for verify-client parameter: NOT_REQUESTED (Default), REQUESTED, REQUIRED. If it is set to NOT_REQUESTED (the default), it should not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.


      If I change this attribute to REQUESTED the certificate is requested at any url accessed, however I would like that this behavior was restricted to the url /cert-login.


      But when I access /cert-login in my application the certificate is not required and is returned the HTTP 403 status.

      What am I doing wrong?

      Thank you for your help.