JBoss 7 with two contexts: one with SSL mutual auth, the other SSL only

We are having a problem setting up our JBoss. We are trying to configure it so that it uses mutual auth for one context and does not use it for another, like this:

https://example.com/contextA/ (requires SSL mutual authentication) https://example.com/contextB/ (SSL only)

Is it possible?

What I can achieve is all or nothing: either the whole JBoss uses SSL client authentication or none of it does. How can I configure both at the same time?

My contextA web.xml:

    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
        <display-name>ContextA</display-name>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>services</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>*</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <login-config>
            <auth-method>CLIENT-CERT</auth-method>
        </login-config>
        <security-role>
            <role-name />
        </security-role>
    </web-app>

My ContextA jboss-web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <security-domain>RequireCertificateDomain</security-domain>
    </jboss-web>

ContextB web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
        <display-name>ContextB</display-name>
        <jsp-config>
            <jsp-property-group>
                <url-pattern>*.jsp</url-pattern>
                <trim-directive-whitespaces>true</trim-directive-whitespaces>
            </jsp-property-group>
        </jsp-config>
        <session-config>
            <session-timeout>10</session-timeout>
            <cookie-config>
                <http-only>true</http-only>
            </cookie-config>
        </session-config>
        <welcome-file-list>
            <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>
        <security-constraint>
            <display-name>SecureApplicationConstraint</display-name>
            <web-resource-collection>
                <web-resource-name>ContextB</web-resource-name>
                <description>Auth applications are secured</description>
                <url-pattern>/login/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <description>Only Users with roles are allowed</description>
                <role-name>USER</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <security-constraint>
            <display-name>SecureChannelConstraint</display-name>
            <web-resource-collection>
                <web-resource-name>Entire site is protected through SSL</web-resource-name>
                <description />
                <url-pattern>/contextB/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
                <description>Require encrypted channel</description>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
        <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>ContextBPolicy</realm-name>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/loginError.jsp</form-error-page>
            </form-login-config>
        </login-config>
        <security-role>
            <description />
            <role-name>USER</role-name>
        </security-role>
    </web-app>

ContextB jboss-web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <security-domain>java:/jaas/ContextBPolicy</security-domain>
    </jboss-web>

Relevant contents of standalone.xml:

    <security-domain name="ContextBPolicy">
        <authentication>
            <login-module code="org.ContextBLoginModule" flag="required"/>
        </authentication>
    </security-domain>
    (...)
    <security-domain name="RequireCertificateDomain">
        <authentication>
            <login-module code="CertificateRoles" flag="required">
                <module-option name="securityDomain" value="RequireCertificateDomain"/>
                <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                <module-option name="usersProperties" value="file:c:/tmp/my-users.properties"/>
                <module-option name="rolesProperties" value="file:c:/tmp/my-roles.properties"/>
            </login-module>
        </authentication>
        <jsse keystore-password="changethis" keystore-url="file:c:/tmp/localhost.jks"
              truststore-password="changethis" truststore-url="file:c:/tmp/cacerts.jks"/>
    </security-domain>
    (...)
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
        <configuration>
            <jsp-configuration x-powered-by="false"/>
        </configuration>
        <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
            <ssl name="ssl" key-alias="localhost" password="changethis"
                 certificate-key-file="../standalone/configuration/localhost.jks"
                 verify-client="require"
                 ca-certificate-file="../standalone/configuration/cacerts.jks"
                 truststore-type="JKS"/>
        </connector>
        <virtual-server name="default-host" enable-welcome-root="true">
            <alias name="localhost"/>
            <alias name="example.com"/>
        </virtual-server>
    </subsystem>
3 answers

In my opinion, this cannot be done based on the HTTP endpoint.

The reason is that the SSL/TLS connection is established before the client sends its HTTP request to the server.

The endpoint (e.g. /contextA) is in that HTTP request!

At the beginning of SSL/TLS, only the host name is available (for example, example.com), and only if the client has SNI enabled.

To do this, you will need two different host names, for example contexta.example.com and contextb.example.com.

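The point of this answer is that, by the time the server must decide whether to demand a client certificate, the only application-level routing information it has is the SNI host name in the ClientHello; the request path has not been sent yet. The following is an added example (not part of the answer above or of JBoss) that builds a minimal TLS 1.2 ClientHello with an SNI extension, parses the host name back out of it, and maps that host name to the verify-client policy a front end would apply. The host names, the policy table and the ClientHello contents are constructed for illustration; a real client sends many more extensions and a random nonce.

```python
import struct

TLS_HANDSHAKE = 0x16           # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000       # extension type: server_name (SNI)

# Hypothetical policy table: which verify-client setting each virtual host gets.
# Unknown or absent SNI falls back to the strictest policy (fail closed).
POLICY_BY_HOST = {
    "contexta.example.com": "require",  # mutual TLS
    "contextb.example.com": "none",     # server-only TLS
}
DEFAULT_POLICY = "require"


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying only an SNI
    extension (constructed test input, not a capture from a real client)."""
    name = hostname.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (fixed, for reproducibility)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record,
    or None if the bytes are not a complete ClientHello with SNI.
    Note there is no field anywhere in here for a URL path."""
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                               # truncated record
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                          # skip compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                        # host_name
                    return data[p:p + nlen].decode("idna")
                p += nlen
        return None
    except (struct.error, IndexError, UnicodeError):
        return None


def verify_client_policy(record: bytes) -> str:
    """Decide the client-certificate policy for a connection from its
    ClientHello alone, which is all a TLS front end has at this point."""
    host = parse_sni(record)
    return POLICY_BY_HOST.get(host, DEFAULT_POLICY)


if __name__ == "__main__":
    for host in ("contexta.example.com", "contextb.example.com", "example.com"):
        hello = build_client_hello(host)
        print(host, "->", parse_sni(hello), "policy:", verify_client_policy(hello))
```

A plain HTTP request line such as `GET /contextA/ HTTP/1.1` is rejected by `parse_sni` because it is not a TLS record at all, which is the practical consequence of the answer: the path only exists after the handshake, so per-path certificate requirements can only be enforced at the application layer, while the handshake policy can only key on the host name.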

Perhaps because you want to configure different authentication types for different WebApplications.

Set the verify-client value to want:

    <connector name="https" ...>
        <ssl ... verify-client="want" .../>
    </connector>

Added:

According to the JBoss documentation for the verify-client attribute (http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html):

Set to "true" if you want the SSL stack to require a valid certificate chain from the client before accepting the connection. Set to "want" if you want the SSL stack to request a client certificate, but not fail if one is not presented.

It is true that with verify-client="true" JBoss requires a certificate. But when you connect with verify-client="want", JBoss should request a client certificate. If the browser presents a client certificate and the application is protected by client certificate authentication (CLIENT-CERT in web.xml), it should succeed.


You can do this by defining a realm that requires the certificate:

    <security-realm name="CertRequiredRealm">
        <authentication>
            <truststore path="mytruststore.jks" password="mytruststorepassword"/>
        </authentication>
    </security-realm>

Then put your web application in this realm, in WEB-INF/web.xml:

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>CertRequiredRealm</realm-name>
    </login-config>

Source: https://habr.com/ru/post/1478903/
