0 Replies Latest reply on Apr 16, 2009 8:22 AM by Andrei Neacsu

    Problem - if USB Token is removed, web application must not

    Andrei Neacsu Newbie


      I'm using JBoss 4.2.2.GA for a J2EE web application, running on a secured VPN. The application must all be SSL-enabled and the users accesing it must have an USB eToken Pro (with their client certificate on it). The application runs on Internet Explorer 7 (client requirement).

      If the user removes the usb token the web application must not allow any other operation. If I run the application on Firefox 3, remove the token and then try to continue with the application an error message appears:

      Secure Connection Failed
      PKCS#11 token was inserted or removed while operation was in progress.
      (Error code: ssl_error_token_insertion_removal)

      Internet Explorer 7 doesn't have the same behavior if I remove the token.
      On IE7 the application behaves the same even if I remove the token.

      Can someone give me some advice on how to configure this behavior on JBoss (when the user removes the token, the application must not be accessible anymore) ? How can I enforce client certificate authentication not just at login time, but more frequently so if the user removes the token the application must not be accessible anymore ?

      In Apache Http Server there is an option to configure the SSL Session Timeout, but could not find this in JBoss AS (in embedded Tomcat):

      Apache Http Server
      # SessionCache Timeout:
      # This directive sets the timeout in seconds for the information stored
      # in the global/inter-process SSL Session Cache. It can be set as low as
      # 15 for testing, but should be set to higher values like 300 in real life.
      SSLSessionCacheTimeout 30

      The SSL Connector in JBoss is configured as follows:

      <!-- SSL/TLS Connector with encrypted keystore/truststore password configuration -->
       <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       clientAuth="true" strategy="ms"
       sslProtocol = "TLS"
       SSLImplementation="org.jboss.net.ssl.JBossImplementation" />

      The JaasSecurityDomain MBean is configured like this:
       <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       <arg type="java.lang.String" value="security-domain"></arg>
       <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/server.keystore</attribute>
       <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/serverKeystore.password</attribute>
       <attribute name="TrustStoreURL">${jboss.server.home.dir}/conf/user.truststore</attribute>
       <attribute name="TrustStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/userTruststore.password</attribute>
       <attribute name="Salt">jbossserver</attribute>
       <attribute name="IterationCount">13</attribute>

      Any help at all would be highly appreciated.