JBOSS 7 with two contexts. One with SSL Mutual Auth and the other just SSL

StackOverflow https://stackoverflow.com/questions/16350802

Question

We are having a problem to configure our JBoss. We are tring to configure it to make it possible to use at the same time Mutual auth and to don't use it. Like:

https://example.com/contextA/ (Requires SSL Mutual auth) https://example.com/contextB/ (Just SSL)

Is it possible?

What I could do is to make or all the JBoss use SSL mutual auth or don't. How can I configure it to be both at the same time?

My contextA web.xml:

<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
    <display-name>ContextA</display-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>services</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <security-role>
        <role-name />
    </security-role>
</web-app>

My contextA jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>RequireCertificateDomain</security-domain>
</jboss-web>

ContextB web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <display-name>ContextB</display-name>

    <jsp-config>
        <jsp-property-group>
            <url-pattern>*.jsp</url-pattern>
            <trim-directive-whitespaces>true</trim-directive-whitespaces>
        </jsp-property-group>
    </jsp-config>

    <session-config>
        <session-timeout>10</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <display-name>SecureApplicationConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>ContextB</web-resource-name>
            <description>Auth applications are secured</description>
            <url-pattern>/login/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>Only Users with roles are allowed</description>
            <role-name>USER</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <display-name>SecureChannelConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>Entire site is protected through SSL</web-resource-name>
            <description />
            <url-pattern>/contextB/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <description>Require encrypted channel</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ContextBPolicy</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description/>
        <role-name>USER</role-name>
    </security-role>

</web-app>

ContextB jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/ContextBPolicy</security-domain>
</jboss-web>

Content of standalone.xml

<security-domain name="ContextBPolicy">
    <authentication>
        <login-module code="org.ContextBLoginModule" flag="required"/>
    </authentication>
</security-domain>

(...)

<security-domain name="RequireCertificateDomain">
    <authentication>
        <login-module code="CertificateRoles" flag="required">
            <module-option name="securityDomain" value="RequireCertificateDomain"/>
            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
            <module-option name="usersProperties" value="file:c:/tmp/my-users.properties"/>
            <module-option name="rolesProperties" value="file:c:/tmp/my-roles.properties"/>
        </login-module>
    </authentication>
    <jsse keystore-password="changethis" keystore-url="file:c:/tmp/localhost.jks" truststore-password="changethis" truststore-url="file:c:/tmp/cacerts.jks"/>
</security-domain>

(...)

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <configuration>
        <jsp-configuration x-powered-by="false"/>
    </configuration>
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="ssl" key-alias="localhost" password="changethis" certificate-key-file="../standalone/configuration/localhost.jks" verify-client="require" ca-certificate-file="../standalone/configuration/cacerts.jks" truststore-type="JKS"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
Was it helpful?

Solution 3

In my opinion, it's impossible to do this based on the http endpoint.

Reason being that the SSL/TLS-handshake happens BEFORE the client sends its http request to the server.

The endpoint (eg /contextA) resides in that http request!

At the start of the SSL/TLS-handshake, only the hostname (eg example.com) is available (and only if the client has SNI enabled).

So you'll need 2 different hostnames for this. For example contexta.example.com and contextb.example.com

OTHER TIPS

It is possible, since you want to configure different type of authentication for different WebApplications.

Please fix the value of verify-client to want:

<connector name="https" ...>
    <ssl .. verify-client="want" .../>
</connector>

Added

According to JBoss documentation related to the verify-client attribute: http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html

Set to "true" if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to "want" if you want the SSL stack to request a client Certificate, but not fail if one isn't presented.

It is correct that if verify-client=”true” JBoss requires certificate. But if you access a certificate when verify-client="want" JBOSS should require a client certificate. If a brother contains a client certificate and an application is protected by the client certificate authentication (CLIENT-CERT in web.xml) it should success.

You can do this by defining a realm that requires a cert:

<security-realm name="CertRequiredRealm">
    <authentication>
        <truststore path="mytruststore.jks" password="mytruststorepassword"/>
    </authentication>
</security-realm>

Then put your WebApplication in that realm:

in WEB-INF/web.xml:

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>CertRequiredRealm</realm-name>
</login-config>
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top