0 Replies Latest reply on Dec 12, 2019 3:58 PM by johncovey-1

    Unauthenticated Access Using CLIENT-CERT EAP 7.0 -> 7.2 elytron

    johncovey-1

      I am trying to migrate an application from EAP 7.0 to EAP 7.2. We have a landing page that displays our consent banner, which we want any unauthenticated user to be able to access. After agreeing to the terms, the user then has to use a certificate to log in.


      In the standalone-full.xml, we use a security-realm, like this:


          <security-realm name="CertificateRealm">
              <server-identities>
                  <ssl>
                      <keystore path="PATH_TO_KEYSTORE" keystore-password="PWORD" alias="SOMEALIAS"/>
                  </ssl>
              </server-identities>
              <authentication>
                  <truststore path="PATH_TO_TRUSTSTORE" keystore-password="PWORD"/>
              </authentication>
          </security-realm>


      Along with a security-domain:

          <security-domain name="client-cert-policy" cache-type="default">
              <authentication>
                  <login-module code="Certificate" flag="required">
                      <module-option name="securityDomain" value="client-cert-policy"/>
                      <module-option name="password-stacking" value="useFirstPass"/>
                      <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                  </login-module>
                  <login-module code="Identity" flag="required">
                      <module-option name="password-stacking" value="useFirstPass"/>
                      <module-option name="roles" value="sys_view"/>
                  </login-module>
              </authentication>
              <jsse keystore-password="PWORD" keystore-url="PATH_TO_KEYSTORE" truststore-password="PWORD" truststore-url="PATH_TO_TRUSTSTORE" client-auth="true"/>
          </security-domain>


      Then in the jboss-web.xml:

          <?xml version="1.0" encoding="UTF-8"?>
          <jboss-web>
              <security-domain>client-cert-policy</security-domain>
          </jboss-web>


      And finally, we have 2 security-constraint sections in the web.xml: 1 for the unauthenticated page and 1 for the rest of the application.


      How can we get this same config setup using the elytron security subsystem?
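One way the poster's security-realm and security-domain map onto Elytron, added here as an illustration and not a reply from the thread: every element name (CertKS, CertTS, CertRealm, CNDecoder, sysViewRole, cert-http-auth, CertKM, CertTM, CertSSC) is chosen for the example, the JKS keystore type is an assumption, and PATH_TO_KEYSTORE, PATH_TO_TRUSTSTORE, PWORD and SOMEALIAS are the poster's own placeholders. The consent page stays reachable because the SSL context only wants, rather than needs, a client certificate; the two web.xml constraints then decide which URLs require one.

```xml
<!-- Added example, not from the thread. CertKS, CertTS, CertRealm, CNDecoder, sysViewRole,
     cert-http-auth, CertKM, CertTM and CertSSC are names chosen here; PATH_TO_* and PWORD are the poster's. -->
<!-- Inside the existing elytron subsystem of standalone-full.xml -->
<security-domains>
    <security-domain name="CertDomain" default-realm="CertRealm" permission-mapper="default-permission-mapper"
                     principal-decoder="CNDecoder" role-mapper="sysViewRole">
        <realm name="CertRealm"/>
    </security-domain>
</security-domains>
<security-realms>
    <!-- stands in for the Certificate login module: the client cert must be present in the truststore,
         stored under an alias equal to its CN (which is what CNDecoder extracts from the subject DN) -->
    <key-store-realm name="CertRealm" key-store="CertTS"/>
</security-realms>
<mappers>
    <x500-attribute-principal-decoder name="CNDecoder" oid="2.5.4.3" maximum-segments="1"/>
    <!-- stands in for the Identity login module: every authenticated cert gets sys_view -->
    <constant-role-mapper name="sysViewRole"><role name="sys_view"/></constant-role-mapper>
</mappers>
<http>
    <http-authentication-factory name="cert-http-auth" security-domain="CertDomain" http-server-mechanism-factory="global">
        <mechanism-configuration><mechanism mechanism-name="CLIENT_CERT"/></mechanism-configuration>
    </http-authentication-factory>
</http>
<tls>
    <key-stores>
        <!-- clear-text mirrors the original config; a credential-store reference is the hardened form -->
        <key-store name="CertKS">
            <credential-reference clear-text="PWORD"/><implementation type="JKS"/><file path="PATH_TO_KEYSTORE"/>
        </key-store>
        <key-store name="CertTS">
            <credential-reference clear-text="PWORD"/><implementation type="JKS"/><file path="PATH_TO_TRUSTSTORE"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="CertKM" key-store="CertKS" alias-filter="SOMEALIAS"><credential-reference clear-text="PWORD"/></key-manager>
    </key-managers>
    <trust-managers><trust-manager name="CertTM" key-store="CertTS"/></trust-managers>
    <server-ssl-contexts>
        <!-- want-client-auth, not need-client-auth: a browser with no cert still completes the handshake and
             can reach the consent page; the web.xml security-constraints decide which URLs then require a cert -->
        <server-ssl-context name="CertSSC" key-manager="CertKM" trust-manager="CertTM" want-client-auth="true"/>
    </server-ssl-contexts>
</tls>
<!-- Inside the undertow subsystem: the name must match <security-domain> in jboss-web.xml -->
<application-security-domain name="client-cert-policy" http-authentication-factory="cert-http-auth"/>
<https-listener name="https" socket-binding="https" ssl-context="CertSSC"/>
```

The jboss-web.xml and the two web.xml security-constraint sections can stay as they are: the constraint without an auth-constraint keeps the landing page open to everyone, and CLIENT_CERT is only evaluated for the constrained URLs.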