
Certificate based security

I'm trying to implement certificate based security in my application to secure my web services. I've found a little information, but was hoping that someone who has actually implemented it could help me out. Here's what I've got so far:

In order to lock down the request I added the following information to web.xml:

<!-- security constraint for web services -->






and the following entry to jboss-web.xml:


This means that the authentication for that security constraint will go to my cert-login entry in login-conf.xml (right?).

So, in login-conf.xml:

<!-- database based certificate authentication/authorization -->
<application-policy name="cert-login">
  <login-module code="" flag="required">
    <module-option name="password-stacking">useFirstPass</module-option>
    <module-option name="securityDomain">java:/jaas/ws-cert</module-option>
  </login-module>
  <login-module code="" flag="required">
    <module-option name="password-stacking">useFirstPass</module-option>
    <module-option name="unauthenticatedIdentity">guest</module-option>
    <module-option name="dsJndiName">java:/MySqlDS</module-option>
    <module-option name="principalsQuery">select password from user where user_id=?</module-option>
    <module-option name="rolesQuery">select user_role, 'Roles' from user where user_id=?</module-option>
  </login-module>
</application-policy>

This creates the cert-login entry. BaseCertLoginModule kept complaining about needing a security domain, so I added the line with ws-cert and then added a corresponding securityDomain entry to jboss-service.xml:

<mbean code=""
<arg type="java.lang.String" value="ws-cert"/>
<attribute name="KeyStoreURL">${jboss.server.config.url}/security/dev.client.keystore</attribute>
<attribute name="KeyStorePass">******</attribute>

I'm not sure which keystore I should be using here. The client keystore (same as the client should be sending with his request) or the server one?

Finally, would the database based authorization (setting roles) work as I have it set up? Is there a better login module (or combination) to use?

I would appreciate any assistance.
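
Added example, not the poster's configuration (the web.xml and jboss-web.xml snippets did not survive on this page): a servlet security constraint that uses the standard CLIENT-CERT auth method over TLS, and a jboss-web.xml that points the web application at the cert-login policy named in the post. The URL pattern, resource name and role name are hypothetical placeholders.

```xml
<!-- web.xml fragment (children of web-app) -->

<!-- security constraint for web services -->
<security-constraint>
  <web-resource-collection>
    <!-- hypothetical name and path; use the path your services are mapped to -->
    <web-resource-name>Web services</web-resource-name>
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- hypothetical role; it must match a value returned by rolesQuery -->
    <role-name>ws-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- client certificates are presented during the TLS handshake,
         so the constrained URLs must only be reachable over HTTPS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- standard servlet auth method for X.509 client certificates -->
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>ws-user</role-name>
</security-role>


<!-- jboss-web.xml (separate file in WEB-INF) -->
<jboss-web>
  <!-- binds the web application to the application-policy
       named cert-login in the login configuration -->
  <security-domain>java:/jaas/cert-login</security-domain>
</jboss-web>
```

The HTTPS connector must also be configured to request a client certificate, otherwise no certificate reaches the login modules.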