Certificate based security

B Rook
Greenhorn

Joined: Dec 27, 2003
Posts: 13
I'm trying to implement certificate based security in my application to secure my web services. I've found a little information, but was hoping that someone who has actually implemented it could help me out. Here's what I've got so far:

In order to lock down the request I added the following information to web.xml:

<!-- security constraint for web services -->

<security-constraint>
<web-resource-collection>
<web-resource-name>SecuredResources</web-resource-name>
<url-pattern>/services/MySvc</url-pattern>
</web-resource-collection>

<auth-constraint>
<role-name>W</role-name>
</auth-constraint>

<user-data-constraint>
<!-- only one transport-guarantee element is allowed here; CONFIDENTIAL already implies INTEGRAL -->
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>

<security-role>
<role-name>W</role-name>
</security-role>

and the following entry to jboss-web.xml:

<jboss-web>
<security-domain>java:/jaas/cert-login</security-domain>
</jboss-web>


This means that the authentication for that security constraint will go to my cert-login entry in login-conf.xml (right?).

So, in login-conf.xml:

<!-- database based certificate authentication/authorization -->
<application-policy name = "cert-login">
<authentication>
<login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
flag = "required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="securityDomain">java:/jaas/ws-cert</module-option>
</login-module>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "dsJndiName">java:/MySqlDS</module-option>
<module-option name = "principalsQuery">select password from user where user_id=?</module-option>
<module-option name = "rolesQuery">select user_role, 'Roles' from user where user_id=?</module-option>
</login-module>
</authentication>
</application-policy>

this creates the cert-login entry. BaseCertLoginModule kept complaining about needing a security domain so I added the line with ws-cert and then added a corresponding securityDomain entry to jboss-service.xml:

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="jboss.web:service=SecurityDomain">
<constructor>
<arg type="java.lang.String" value="ws-cert"/>
</constructor>
<attribute name="KeyStoreURL">${jboss.server.config.url}/security/dev.client.keystore</attribute>
<attribute name="KeyStorePass">******</attribute>
</mbean>

I'm not sure which keystore I should be using here. The client keystore (same as the client should be sending with his request) or the server one?

Finally, would the database based authorization (setting roles) work as I have it set up? Is there a better login module (or combination) to use?

I would appreciate any assistance.
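An added Go example (not code from the post, and not JBoss's own modules) that models the server-side check a CLIENT-CERT setup relies on: the store behind the security domain holds what the server trusts (the issuing CA or the individual client certificates, never a client's private key), the presented certificate is verified against it, and the resulting principal is assumed to be the certificate's subject DN, which is then the value the rolesQuery's user_id column must hold. The certificates, DNs and the in-memory role table are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the "user" table behind rolesQuery: user_id holds the subject DN.
var roleTable = map[string]string{"CN=ws-client,O=Example": "W"}

// MkCert builds a constructed test certificate; parent == nil makes it self-signed.
func MkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // only a CA may sign other certs
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustStore is the server-side store: trusted public certificates only, no client keys.
func TrustStore(trusted ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range trusted { pool.AddCert(c) }
	return pool
}

// Authenticate mirrors the two-step chain: verify the presented cert against the trust
// store, take its subject DN as the principal, then look that DN up for a role.
func Authenticate(trust *x509.CertPool, client *x509.Certificate) (principal, role string, err error) {
	opts := x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err = client.Verify(opts); err != nil {
		return "", "", fmt.Errorf("certificate not trusted: %w", err)
	}
	principal = client.Subject.String()
	role, ok := roleTable[principal]
	if !ok { return principal, "", fmt.Errorf("no role for principal %q", principal) }
	return principal, role, nil
}
```

A certificate that is valid but issued by a CA absent from the store, and a trusted certificate whose DN has no row in the table, both fail authentication, which is the behaviour to check when wiring the two modules together.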