0 Replies Latest reply on Jan 23, 2016 9:40 AM by gspadotto

    Does CLIENT-CERT Authentication (Application-level) require SSL mutual Authentication (Server-level)?

    gspadotto

      Hi,

      First of all, sorry if my question is naive or if my terminology is not correct; I am a newbie on this topic.

      My (main) goal is to have CLIENT-CERT authentication for specific resources within specific web apps (WARs) served over HTTPS.

      Optionally, I would also like to have a "fallback" user ID/password authentication in case CLIENT-CERT auth fails.

      I am using WildFly 8.2.0.Final.

      So I have my WAR file, whose web.xml is like this:

       

      <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
          <display-name>g2pweb</display-name>
          .... [snipped] ...
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>G2P Protected</web-resource-name>
                  <url-pattern>/index.html</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>Role1</role-name>
                  <role-name>Role2</role-name>
              </auth-constraint>
              <!-- <user-data-constraint> -->
              <!--     <transport-guarantee>CONFIDENTIAL</transport-guarantee> -->
              <!-- </user-data-constraint> -->
          </security-constraint>
          <!-- no auth-constraint here: these resources are meant to be reachable without authentication -->
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>G2P Unprotected</web-resource-name>
                  <url-pattern>/login/*</url-pattern>
                  <url-pattern>/css/*</url-pattern>
                  <url-pattern>/fonts/*</url-pattern>
                  <url-pattern>/img/*</url-pattern>
                  <url-pattern>/cmdApplet.jnlp</url-pattern>
                  <url-pattern>/cmdApplet.jar</url-pattern>
              </web-resource-collection>
          </security-constraint>
          <login-config>
              <auth-method>CLIENT-CERT</auth-method>
              <realm-name>g2pRealm</realm-name>
          </login-config>
          <security-role>
              <role-name>Role1</role-name>
          </security-role>
          <security-role>
              <role-name>Role2</role-name>
          </security-role>
      </web-app>

      jboss-web.xml is like this:

      <jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_8_0.xsd"
                 version="8.0">
          <context-root>g2pweb</context-root>
          <security-domain>g2pRealm</security-domain>
      </jboss-web>

      standalone.xml (edited):

       

      ...
      <management>
          <security-realms>
              ...
              <security-realm name="SSLRealm">
                  <server-identities>
                      <ssl>
                          <keystore path="localhost.key_store.jks" relative-to="jboss.server.config.dir" keystore-password="***" alias="localhost" key-password="***"/>
                      </ssl>
                  </server-identities>
                  <!-- Enabling this will turn on Mutual Auth for SSL SERVER-WIDE causing issues when retrieving resources that should not be protected at the application level
                  <authentication>
                      <truststore path="localhost.trust_store.jks" relative-to="jboss.server.config.dir" keystore-password="****"/>
                  </authentication>
                  -->
              </security-realm>
          </security-realms>
          ...
      </management>
      <subsystem xmlns="urn:jboss:domain:security:1.2">
          ...
          <security-domains>
              <security-domain name="g2pRealm">
                  <authentication>
                      <!-- Login Module "Chain": try with certificate first, then fallback to UserId/password -->
                      <login-module code="DatabaseCertificate" flag="sufficient">
                          <module-option name="securityDomain" value="store"/>
                          <module-option name="password-stacking" value="useFirstPass"/>
                          <module-option name="principalClass" value="it.***.g2p.g2pweb.utils.G2Principal"/>
                          <!-- AnyCertVerifier skips the truststore check inside this login module: every presented cert is accepted here -->
                          <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                          <module-option name="rolesQuery" value="SELECT tra.DESCRIZIONE, 'Roles' FROM <SNIPPED> WHERE au.USERID = ?"/>
                          <module-option name="dsJndiName" value="java:jboss/datasources/mydb"/>
                      </login-module>
                      <login-module code="Database" flag="required">
                          <module-option name="password-stacking" value="useFirstPass"/>
                          <module-option name="dsJndiName" value="java:jboss/datasources/mydb"/>
                          <module-option name="principalsQuery" value="select <SNIPPED> where userid = ?"/>
                          <module-option name="rolesQuery" value="SELECT tra.DESCRIZIONE, 'Roles' FROM <SNIPPED> WHERE au.USERID = ?"/>
                      </login-module>
                  </authentication>
              </security-domain>
              <!-- JSSE domain referenced by the DatabaseCertificate module above (its truststore) -->
              <security-domain name="store">
                  <jsse truststore-password="***" truststore-url="file://${jboss.server.config.dir}/localhost.trust_store.jks"/>
              </security-domain>
          </security-domains>
      </subsystem>
      ...
      <subsystem xmlns="urn:jboss:domain:undertow:1.2">
          <buffer-cache name="default"/>
          <server name="default-server">
              <http-listener name="default" socket-binding="http"/>
              <https-listener name="https" socket-binding="https" security-realm="SSLRealm"/>
              <host name="default-host" alias="localhost">
                  <location name="/" handler="welcome-content"/>
                  <filter-ref name="server-header"/>
                  <filter-ref name="x-powered-by-header"/>
              </host>
          </server>
          <servlet-container name="default">
              <jsp-config/>
              <websockets/>
          </servlet-container>
          <handlers>
              <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
          </handlers>
          <filters>
              <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
              <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
          </filters>
      </subsystem>

       

       

      So far I have only been able to get client certs from the browser by enabling SSL mutual auth (the authentication element within the security-realm named SSLRealm).
      This is a "server-wide" setting that requests the cert for any resource of any web app, causing issues when requesting resources that should not require authentication (i.e. CSS, images, and - shame on me - an applet).

      Also, I was not able to test the JAAS login module chain because - with SSL mutual auth on - either you provide a valid cert (i.e. a cert that is trusted by the server) or you don't even reach the application-level authentication.

      What am I doing wrong? Am I missing something?
      Any help would be greatly appreciated.

      Thank you,
        Guido
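The question above turns on where the client certificate is asked for and where it is enforced. The following Go program is an added illustration of that distinction; it is not code from the original post, nor WildFly or Undertow code. It stands up a TLS server on loopback under two policies: "optional" (the server requests a client certificate, verifies it against its truststore if one arrives, but still completes the handshake without one, so the decision can be made by application-level login code with a password fallback) and "required" (a client without a certificate is rejected by the TLS layer before any application code runs). The certificates, the names "server" and "alice" and the loopback address are all constructed in memory for the demo and are not real credentials. In Undertow terms this is the difference between requesting and requiring the client certificate on the https-listener rather than the realm's truststore alone; the listener attribute I remember for that is `verify-client` (REQUESTED vs REQUIRED), which is from memory and should be checked against the schema of your WildFly version.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Optional and Required name the two server-side policies: request a client cert but continue without one, or require it.
const Optional, Required = tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert

// selfSigned builds a throwaway self-signed certificate in memory (constructed demo data, not a real CA).
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

type Outcome struct {
	Handshook bool   // the TLS handshake completed, so an application-level login could run
	PeerCN    string // CN of the client certificate the server received, "" if none was sent
	Err       string // TLS-layer rejection, if any
}

// Connect starts a TLS server with the given client-auth policy, connects one client (with or without a client certificate) and reports what the server saw.
func Connect(mode tls.ClientAuthType, presentCert bool) Outcome {
	serverCert, clientCert := selfSigned("server"), selfSigned("alice")
	trustServer, trustClients := x509.NewCertPool(), x509.NewCertPool()
	trustServer.AddCert(serverCert.Leaf)
	trustClients.AddCert(clientCert.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   mode,         // server-level policy: request vs require the client cert
		ClientCAs:    trustClients, // the server's truststore
	})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	done := make(chan Outcome, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- Outcome{Err: err.Error()}
			return
		}
		defer raw.Close()
		conn := raw.(*tls.Conn)
		if err := conn.Handshake(); err != nil {
			done <- Outcome{Err: err.Error()} // rejected before any application code could run
			return
		}
		out := Outcome{Handshook: true}
		if peers := conn.ConnectionState().PeerCertificates; len(peers) > 0 {
			out.PeerCN = peers[0].Subject.CommonName // what a CLIENT-CERT login module would be handed
		}
		conn.Write([]byte("ok")) // tell the client the handshake was accepted
		done <- out
	}()
	cfg := &tls.Config{RootCAs: trustServer, ServerName: "server"}
	if presentCert {
		cfg.Certificates = []tls.Certificate{clientCert}
	}
	if c, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		c.Read(make([]byte, 2)) // wait for the server's verdict; under TLS 1.3 it arrives after Dial returns
		c.Close()
	}
	return <-done
}

func main() {
	for _, mode := range []tls.ClientAuthType{Optional, Required} {
		for _, withCert := range []bool{false, true} {
			fmt.Printf("policy=%v client_cert=%-5v -> %+v\n", mode, withCert, Connect(mode, withCert))
		}
	}
}
```

Running it prints the four combinations. Under the optional policy a client with no certificate still completes the handshake and the server sees an empty PeerCN, which is exactly the state in which a fallback user ID/password login can run; under the required policy the same client produces a handshake error before any application code is reached, which is the behaviour described in the post when the truststore is enabled server-wide.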