Does CLIENT-CERT Authentication (Application-level) require SSL mutual Authentication (Server-level)?
gspadotto Jan 23, 2016 9:40 AM
Hi,
first of all, sorry if my question is naive or if my terminology is not correct;
I am a newbie in this topic.
My (main) goal is to have CLIENT-CERT authentication for specific
resources within specific web apps (war) served over https.
Optionally, I would also like to have a "fallback" User Id/Password authentication
in case CLIENT-CERT auth fails.
I am using Wildfly 8.2.0.FINAL.
So I have my war file whose web.xml is like this:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <display-name>g2pweb</display-name>
    .... [snipped] ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>G2P Protected</web-resource-name>
            <url-pattern>/index.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Role1</role-name>
            <role-name>Role2</role-name>
        </auth-constraint>
        <!-- <user-data-constraint> -->
        <!-- <transport-guarantee>CONFIDENTIAL</transport-guarantee> -->
        <!-- </user-data-constraint> -->
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>G2P Unprotected</web-resource-name>
            <url-pattern>/login/*</url-pattern>
            <url-pattern>/css/*</url-pattern>
            <url-pattern>/fonts/*</url-pattern>
            <url-pattern>/img/*</url-pattern>
            <url-pattern>/cmdApplet.jnlp</url-pattern>
            <url-pattern>/cmdApplet.jar</url-pattern>
        </web-resource-collection>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>g2pRealm</realm-name>
    </login-config>
    <security-role>
        <role-name>Role1</role-name>
    </security-role>
    <security-role>
        <role-name>Role2</role-name>
    </security-role>
</web-app>
jboss-web.xml is like this:
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_8_0.xsd"
           version="8.0">
    <context-root>g2pweb</context-root>
    <security-domain>g2pRealm</security-domain>
</jboss-web>
standalone.xml (edited):
...
<management>
    <security-realms>
        ...
        <security-realm name="SSLRealm">
            <server-identities>
                <ssl>
                    <keystore path="localhost.key_store.jks" relative-to="jboss.server.config.dir" keystore-password="***" alias="localhost" key-password="***"/>
                </ssl>
            </server-identities>
            <!-- Enabling this will turn on Mutual Auth for SSL SERVER-WIDE causing issues when retrieving resources that should not be protected at the application level
            <authentication>
                <truststore path="localhost.trust_store.jks" relative-to="jboss.server.config.dir" keystore-password="****"/>
            </authentication>
            -->
        </security-realm>
    </security-realms>
    ...
</management>
<subsystem xmlns="urn:jboss:domain:security:1.2">
    ...
    <security-domains>
        <security-domain name="g2pRealm">
            <authentication>
                <!-- Login Module "Chain": try with certificate first, then fall back to UserId/password -->
                <login-module code="DatabaseCertificate" flag="sufficient">
                    <module-option name="securityDomain" value="store"/>
                    <module-option name="password-stacking" value="useFirstPass"/>
                    <module-option name="principalClass" value="it.***.g2p.g2pweb.utils.G2Principal"/>
                    <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                    <module-option name="rolesQuery" value="SELECT tra.DESCRIZIONE, 'Roles' FROM <SNIPPED> WHERE au.USERID = ?"/>
                    <module-option name="dsJndiName" value="java:jboss/datasources/mydb"/>
                </login-module>
                <login-module code="Database" flag="required">
                    <module-option name="password-stacking" value="useFirstPass"/>
                    <module-option name="dsJndiName" value="java:jboss/datasources/mydb"/>
                    <module-option name="principalsQuery" value="select <SNIPPED> where userid = ?"/>
                    <module-option name="rolesQuery" value="SELECT tra.DESCRIZIONE, 'Roles' FROM <SNIPPED> WHERE au.USERID = ?"/>
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="store">
            <jsse truststore-password="***" truststore-url="file://${jboss.server.config.dir}/localhost.trust_store.jks"/>
        </security-domain>
    </security-domains>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>
So far I was only able to get client certs from the browser
by enabling SSL Mutual Auth (the authentication element
within the security-realm named SSLRealm).
This is a "server-wide" setting that requests the cert for
any resource of any web app, causing issues when requesting
resources that should not require authentication (aka CSS,
images, and - shame on me - an applet).
Also, I was not able to test the JAAS login module chain,
because - with SSL Mutual Auth on - either you provide
a valid cert (i.e. a cert that is trusted by the server) or
you don't even reach the application-level authentication.
What am I doing wrong? Am I missing something?
Any help would be greatly appreciated.
Thank you,
Guido
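Added configuration example (not part of the original post and not WildFly project code): a TLS client certificate is requested during the handshake, which covers the whole connection, so the request cannot be scoped to individual URLs; what the listener can control is whether a missing certificate aborts the handshake (REQUIRED) or lets the request through for the application-level CLIENT-CERT constraint to refuse (REQUESTED). It assumes the verify-client attribute of the Undertow https-listener is available in the WildFly 8.2 subsystem version shown above; keystore names and masked passwords are taken from the post.

```xml
<!-- Security realm: the truststore stays active in <authentication> so that the
     TLS layer can validate any certificate a client presents. With REQUESTED below,
     a presented certificate that does not chain to this truststore still fails the
     handshake; only the absence of a certificate is tolerated. -->
<security-realm name="SSLRealm">
    <server-identities>
        <ssl>
            <keystore path="localhost.key_store.jks" relative-to="jboss.server.config.dir"
                      keystore-password="***" alias="localhost" key-password="***"/>
        </ssl>
    </server-identities>
    <authentication>
        <!-- CA certificate(s) that may issue client certificates -->
        <truststore path="localhost.trust_store.jks" relative-to="jboss.server.config.dir"
                    keystore-password="***"/>
    </authentication>
</security-realm>

<!-- Undertow listener: request a client certificate but do not reject connections
     that do not send one (assumed attribute, verify against the 1.2 subsystem schema).
     NOT_REQUESTED never asks, so CLIENT-CERT could never succeed;
     REQUIRED drops every connection without a trusted certificate, server-wide. -->
<https-listener name="https" socket-binding="https" security-realm="SSLRealm"
                verify-client="REQUESTED"/>
```

With this setting a user who cancels the browser's certificate prompt still receives the /css/*, /img/* and applet paths listed in the unprotected constraint, while /index.html is refused by the CLIENT-CERT login-config because no certificate is attached to the request.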