JBoss Application-politica ignorato in mutua / client-cert auth con PBESecurityDomain

Question

Con la seguente, reciproca cert client, SSL (TLS) Lavori di stretta di mano per un endpoint riposo (! Yay) - convalidato tramite il test e il debug: javax.net logging & Wireshark. Ma ...

prima osservazione: HTTPServletRequest e JAX-RS annotato SecurityContext ha nulla informazioni Principal

2 ° osservazione: Manomissione del login-config.xml, contenente gli elementi di applicazione di politica, non ha alcun effetto

In breve, TLS funziona ma il trasferimento del CERT DN all'oggetto HTTPServletRequest nel thread richiesta non impedisce l'applicazione da far salire sul ID del chiamante. Qualcuno ha qualche consiglio?

Il JBoss 6:

deploy / jbossweb.sar / server.xml:

<Connector protocol="HTTP/1.1" debug="10"
       SSLEnabled="true"
       ...
       secure="true"
       clientAuth="true"
       sslProtocol = "TLS"
       securityDomain="java:/jaas/mydomain"
       SSLImplementation="org.jboss.net.ssl.JBossImplementation" />

deploy / jbossweb.sar / META-INF / jboss-beans.xml:

<depends>jboss.security:service=PBESecurityDomain</depends>

deploy / sicurezza-service.xml:

<?xml version="1.0" encoding="UTF-8"?>
<server>
  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
    name="jboss.security:service=PBESecurityDomain">
    <constructor>           <arg type="java.lang.String" value="mydomain"/>
    </constructor>
    <attribute name="KeyStoreURL">${jboss.server.home.dir}/mykeystore.jks</attribute>
    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/mykeystorepass.pbe</attribute>
    <attribute name="TrustStoreURL">${jboss.server.home.dir}/mytruststore.jks</attribute>
    <attribute name="TrustStorePass">password</attribute>
    <attribute name="Salt">abunchofrandomchars</attribute>
    <attribute name="IterationCount">13</attribute>
    <depends>jboss.security:service=JaasSecurityManager</depends>
  </mbean>
</server>

deploy / sicurezza / security-jboss-beans.xml:

<bean name="XMLLoginConfig" class="org.jboss.security.auth.login.XMLLoginConfig">
   <property name="configResource">login-config.xml</property>
</bean>
<bean name="SecurityConfig" class="org.jboss.security.plugins.SecurityConfig">
   <property name="mbeanServer"><inject bean="JMXKernel" property="mbeanServer"/></property>
   <property name="defaultLoginConfig"><inject bean="XMLLoginConfig"/></property>
</bean>

conf / login-config.xml:

  <application-policy name="mydomain">
    <authentication>
       <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
          flag = "required">
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="securityDomain">java:/jaas/mydomain</module-option>
          <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
          <module-option name="principalClass">org.jboss.security.auth.certs.SubjectDNMapping</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.UserRolesLoginModu"
          flag = "required">
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="usersProperties">users.properties</module-option>
          <module-option name="rolesProperties">roles.properties</module-option>
       </login-module>
    </authentication>
 </application-policy>

guerra / WEB-INF / jboss-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
    "-//JBoss//DTD Web Application 2.4//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd">
<jboss-web>
    <security-domain>java:/jaas/mydomain</security-domain>
    <context-root>/myapp</context-root>
</jboss-web>

Answer 1

Aggiungere il ClientLoginModule speciale login-context.xml per risolvere il problema principale nullo.

<login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>