0 Replies Latest reply on Jun 19, 2019 9:13 AM by Ralf Battenfeld

    Quickstart jaxrs-jwt: how to use it with TLS/SSL ?

    Ralf Battenfeld Apprentice

      Hi

       

      I am looking for a way to enable one-way ssl in order to secure the communication with the rest client based, when a client requests a new token. In your web app, a user is first authenticated with username/password, and when authenticated, a new token is replied.

       

      We already have tls/ssl enabled for other web applications but we struggle a bit to put both settings together so that the token exchange is secured by tls/ssl (one-way-ssl).

       

      Here are the key stores: one for the jwt token, one for the ssl certificate

                 <tls>
                      <key-stores>
                          <key-store name="ncdrJwtStore">
                              <credential-reference clear-text="MASK-3e5W...."/>
                              <implementation type="JKS"/>
                              <file path="C:/deve...."/>
                          </key-store>
                          <key-store name="ncdrKeyStore">
                              <credential-reference clear-text="MASK-3e5...."/>
                              <implementation type="JKS"/>
                              <file path="C:/dev...."/>
                          </key-store>
                      </key-stores>
                      <key-managers>
                          <key-manager name="ncdrKeyManager" key-store="ncdrKeyStore">
                              <credential-reference clear-text="MASK-3e5...."/>
                          </key-manager>
                      </key-managers>
                      <server-ssl-contexts>
                          <server-ssl-context name="ncdrSSLContext" protocols="TLSv1.2" key-manager="ncdrKeyManager"/>
                      </server-ssl-contexts>
                  </tls>
      
           
                  

       

        Here are the undertow settings:

                 <subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
                  <buffer-cache name="default"/>
                  <server name="default-server">
                      <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                      <https-listener name="https" socket-binding="https" ssl-context="ncdrSSLContext" enable-http2="true"/>
                      <host name="default-host" alias="localhost">
                          <location name="/" handler="welcome-content"/>
                          <http-invoker security-realm="ApplicationRealm"/>
                      </host>
                  </server>
                  <servlet-container name="default">
                      <jsp-config/>
                      <websockets/>
                  </servlet-container>
                  <handlers>
                      <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
                  </handlers>
                  <application-security-domains>
                      <application-security-domain name="other" http-authentication-factory="jwt-http-authentication"/>
                  </application-security-domains>
              </
              

       

      Here is the web.xml, with transport-guarantee CONFIDENTIAL:

      <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns="http://xmlns.jcp.org/xml/ns/javaee"
      xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
      version="3.1">
      
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <description>Restrict access to specified roles.</description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method-omission>OPTIONS</http-method-omission>
      </web-resource-collection>
      <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      <auth-constraint>
      <role-name>*</role-name>
      </auth-constraint>
      </security-constraint>
      
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>.... Application</realm-name>
      </login-config>
      
      <security-role>
      <role-name>*</role-name>
      </security-role>
      
      
      </web-app>
      
      
      
      
      

       

      Does it maybe just need a second application-security-domain?

       

      Regards,

      Ralf