2 Replies Latest reply on Sep 8, 2006 4:11 AM by Piotr Chojniak

    EJB client and its authentication by the client certificate?

    Guofeng Zhang Novice

      I have read chap8 Security on JBoss in JBoss Admin Development Guide.

      About 8.7 Using SSL with JBoss using JSSE, I want to know how could I do if I require the client authentication in SSL, that is, like what we did by calling SSLSocket.setNeedClientAuth()).

      About JAAS and the EJB client authentication, if I want the client to be authenticated by its certificate (for example, using BaseCertLoginModule), how should I do in the EJB client? I mean what client login module should I use? should I have to develop a client login module myself(how?)?

      Is there any sample or document that described the client certifcate authenticate about the EJB client?

      Thanks.

        • 1. Re: EJB client and its authentication by the client certific
          Scott Stark Master

          Support for this was just recently added to the pooled invoker. See
          testsuite/src/resources/pooled/jboss-service.xml for an example:

          <?xml version="1.0" encoding="UTF-8"?>
          
          <server>
          
           <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
           name="jboss.security:service=JaasSecurityDomain,domain=pooled-ssl">
           <constructor>
           <arg type="java.lang.String" value="pooled-ssl"/>
           </constructor>
           <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
           <attribute name="KeyStorePass">unit-tests-server</attribute>
           <attribute name="TrustStoreURL">resource:localhost.keystore</attribute>
           <attribute name="TrustStorePass">unit-tests-server</attribute>
           <attribute name="Salt">abcdefgh</attribute>
           <attribute name="IterationCount">13</attribute>
           </mbean>
          
           <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
           name="jboss:service=invoker,type=pooled,socketType=SSLSocketFactory,wantsClientAuth=true">
           <attribute name="NumAcceptThreads">1</attribute>
           <attribute name="MaxPoolSize">300</attribute>
           <attribute name="ClientMaxPoolSize">300</attribute>
           <attribute name="SocketTimeout">60000</attribute>
           <attribute name="ServerBindAddress">${jboss.bind.address}</attribute>
           <attribute name="ServerBindPort">0</attribute>
           <attribute name="ClientConnectAddress">${jboss.bind.address}</attribute>
           <attribute name="ClientConnectPort">0</attribute>
           <attribute name="ClientRetryCount">1</attribute>
           <attribute name="EnableTcpNoDelay">false</attribute>
          
           <!-- Customized socket factory attributes -->
           <attribute name="ClientSocketFactoryName">org.jboss.security.ssl.ClientSocketFactory</attribute>
           <attribute name="ServerSocketFactory"
           attributeClass="org.jboss.security.ssl.DomainServerSocketFactory"
           serialDataType="javaBean">
           <property name="bindAddress">${jboss.bind.address}</property>
           <property name="securityDomain">java:/jaas/pooled-ssl</property>
           <property name="wantsClientAuth">true</property>
           <property name="needsClientAuth">true</property>
           <property name="CiperSuites">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property>
           <property name="Protocols">SSLv2Hello,SSLv3,TLSv1</property>
           </attribute>
           </mbean>
          
           <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
           name="jboss.security.tests:service=LoginConfig,policy=pooled-ssl">
           <attribute name="PolicyConfig" serialDataType="jbxb">
           <jaas:policy
           xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
           xmlns:jaas="urn:jboss:security-config:4.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           >
           <jaas:application-policy name="pooled-ssl">
           <jaas:authentication>
           <jaas:login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
           flag = "required">
           <jaas:module-option name="password-stacking">useFirstPass</jaas:module-option>
           <jaas:module-option name="securityDomain">java:/jaas/pooled-ssl</jaas:module-option>
           </jaas:login-module>
           <jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule"
           flag="required">
           <jaas:module-option name="password-stacking">useFirstPass</jaas:module-option>
           <jaas:module-option name="userInfo">
           <ur:users
           xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
           xmlns:ur="urn:jboss:user-roles:1.0">
           <ur:user name="CN=unit-tests-client, OU=JBoss Inc., O=JBoss Inc., ST=Washington, C=US" password="">
           <ur:role name="Echo"/>
           </ur:user>
           </ur:users>
           </jaas:module-option>
           <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
           </jaas:login-module>
           </jaas:authentication>
           </jaas:application-policy>
           </jaas:policy>
           </attribute>
           <depends optional-attribute-name="LoginConfigService">
           jboss.security:service=XMLLoginConfig
           </depends>
           <depends optional-attribute-name="SecurityManagerService">
           jboss.security:service=JaasSecurityManager
           </depends>
           </mbean>
          
          </server>
          
          



          • 2. Re: EJB client and its authentication by the client certific
            Piotr Chojniak Newbie

            Hi

            I'm not sure that this answer coresponds to posted questions!

            I have the same problem I want to use "ssl Client" credential and principal to use them in my own AuthorizationLoginModule. As I understand ssl, it authenticates client so we do not need to authenticate client in BaseCertLoginModule again, why not take the credential and principal from ssl and put them into sharedState.

            Do I have to use LoginContext when I use SSL?!