I have a system with authentication via login and password and would like to provide a URL where the user could authenticate using a digital certificate.
The initial idea is to request the user's certificate when accessing the URL /cert-login. At that address a servlet would take the attributes of the certificate and validate them against a database table, identifying the user and performing the login process.
For this I set up my standalone.xml like this:
...
<security-realm name="SSLRealm">
    <server-identities>
        <ssl protocol="TLS">
            <keystore path="certs/localhost.jks" relative-to="jboss.server.config.dir" keystore-password="123456" alias="localhost"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="certs/ca.jks" relative-to="jboss.server.config.dir" keystore-password="123456"/>
    </authentication>
</security-realm>
...
<server name="default-server">
    <http-listener name="default" socket-binding="http"/>
    <https-listener name="default-https" socket-binding="https" security-realm="SSLRealm" verify-client="NOT_REQUESTED"/>
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
    </host>
</server>
...
and my web.xml like this:
...
<security-constraint>
    <web-resource-collection>
        <url-pattern>/cert-login</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
...
Note that the verify-client attribute is set to NOT_REQUESTED, which, according to the documentation:
HTTPS undertow listener has 3 options for verify-client parameter: NOT_REQUESTED (Default), REQUESTED, REQUIRED. If it is set to NOT_REQUESTED (the default), it should not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
If I change this attribute to REQUESTED, the certificate is requested at any URL accessed; however, I would like this behavior to be restricted to the URL /cert-login.
But when I access /cert-login in my application the certificate is not required and HTTP status 403 is returned.
What am I doing wrong?
Thank you for your help.
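The servlet sketched in the question (take the certificate's attributes and validate them against a database table), written out as an added example; this is not code from the original question. It reads the client certificate chain from the standard Servlet attribute `javax.servlet.request.X509Certificate`, checks the validity window, fingerprints the leaf certificate with SHA-256 and looks that fingerprint up with a parameterised query. The DataSource JNDI name `java:jboss/datasources/AppDS`, the table `app_user` and the column `cert_sha256` are placeholders, not names from the question. Chain trust itself is left to the TLS layer, which validates against the `ca.jks` truststore configured in the realm.

```java
package example.auth;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

// Added example servlet for the /cert-login URL (not from the original question).
@WebServlet(urlPatterns = "/cert-login")
public class CertLoginServlet extends HttpServlet {

    // Standard Servlet attribute: the container stores the client certificate
    // chain here (leaf certificate first) when TLS client authentication took place.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Assumed JNDI name; replace with the application's real DataSource.
    @Resource(lookup = "java:jboss/datasources/AppDS")
    private DataSource dataSource;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (!req.isSecure() || chain == null || chain.length == 0) {
            // No certificate was presented, so there is nothing to identify the user with.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        X509Certificate leaf = chain[0];
        try {
            // The TLS handshake already verified the chain against the truststore;
            // the servlet still enforces the validity window explicitly.
            leaf.checkValidity();
            String fingerprint = sha256Hex(leaf.getEncoded());
            String username = lookupUser(fingerprint);
            if (username == null) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not enrolled");
                return;
            }
            // Establish the session, then rotate its id so a pre-login session id
            // cannot be reused after authentication (session fixation).
            HttpSession session = req.getSession(true);
            req.changeSessionId();
            session.setAttribute("user", username);
            resp.sendRedirect(req.getContextPath() + "/");
        } catch (CertificateException e) {
            // Covers expired / not-yet-valid certificates and encoding failures.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "certificate not acceptable");
        } catch (SQLException | NoSuchAlgorithmException e) {
            throw new ServletException(e);
        }
    }

    // Identify the user by the certificate's SHA-256 fingerprint rather than by
    // subject DN alone, so two certificates with the same DN cannot be confused.
    // Placeholder table/column names; parameterised to avoid SQL injection.
    private String lookupUser(String fingerprint) throws SQLException {
        String sql = "SELECT username FROM app_user WHERE cert_sha256 = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, fingerprint);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Lower-case hex SHA-256 over the DER encoding of the certificate.
    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

The enrolment side stores the same SHA-256 fingerprint in `cert_sha256` when a user registers a certificate; `req.changeSessionId()` requires Servlet 3.1, which the Undertow-based WildFly releases provide.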