Certificate based security

Greenhorn
Posts: 13
I'm trying to implement certificate based security in my application to secure my web services. I've found a little information, but was hoping that someone who has actually implemented it could help me out. Here's what I've got so far:

In order to lock down the request I added the following information to web.xml:

<!-- security constraint for web services -->

<security-constraint>
<web-resource-collection>
<web-resource-name>SecuredResources</web-resource-name>
<url-pattern>/services/MySvc</url-pattern>
</web-resource-collection>

<auth-constraint>
<role-name>W</role-name>
</auth-constraint>

<user-data-constraint>
<!-- only one transport-guarantee element is allowed; CONFIDENTIAL implies INTEGRAL -->
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>

<security-role>
<role-name>W</role-name>
</security-role>

and the following entry to jboss-web.xml:

<jboss-web>
<security-domain>java:/jaas/cert-login</security-domain>
</jboss-web>


This means that the authentication for that security constraint will go to my cert-login entry in login-config.xml (right?).

So, in login-config.xml:

<!-- database based certificate authentication/authorization -->
<application-policy name = "cert-login">
<authentication>
<login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
flag = "required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="securityDomain">java:/jaas/ws-cert</module-option>
</login-module>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name = "unauthenticatedIdentity">guest</module-option>
<module-option name = "dsJndiName">java:/MySqlDS</module-option>
<module-option name = "principalsQuery">select password from user where user_id=?</module-option>
<module-option name = "rolesQuery">select user_role, 'Roles' from user where user_id=?</module-option>
</login-module>
</authentication>
</application-policy>

this creates the cert-login entry. BaseCertLoginModule kept complaining about needing a security domain so I added the line with ws-cert and then added a corresponding securityDomain entry to jboss-service.xml:

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="jboss.web:service=SecurityDomain">
<constructor>
<arg type="java.lang.String" value="ws-cert"/>
</constructor>
<attribute name="KeyStoreURL">${jboss.server.config.url}/security/dev.client.keystore</attribute>
<attribute name="KeyStorePass">******</attribute>
</mbean>

I'm not sure which keystore I should be using here. The client keystore (same as the client should be sending with his request) or the server one?

Finally, would the database based authorization (setting roles) work as I have it set up? Is there a better login module (or combination) to use?

I would appreciate any assistance.
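The following is an added example, not code from the original post or from JBoss; it models the two-module chain in the login-config.xml above so the role lookup can be exercised against the exact principalsQuery and rolesQuery strings from the post. It assumes the behaviour of the JBoss 4.x modules as described: BaseCertLoginModule uses the client certificate's subject DN as the principal name and accepts the certificate only if it equals the entry stored under that alias in the security domain's keystore (so that keystore is a trust store of client certificates, not the server's own identity keystore), and DatabaseServerLoginModule with password-stacking=useFirstPass reuses the identity from the JAAS shared state and only runs rolesQuery, never principalsQuery. The user table, the DN values, the certificate byte strings and the function names are all constructed for the example.

```python
import sqlite3

# Constructed sample data: a user table keyed by the certificate subject DN,
# with the three columns the post's queries reference (user_id, password, user_role).
USER_TABLE = [
    ("CN=alice,OU=Clients,O=Example", "unused", "W"),
    ("CN=bob,OU=Clients,O=Example", "unused", "R"),
]

# The two queries exactly as configured in the post's login-config.xml.
PRINCIPALS_QUERY = "select password from user where user_id=?"
ROLES_QUERY = "select user_role, 'Roles' from user where user_id=?"

# Constructed stand-in for the keystore behind java:/jaas/ws-cert:
# alias (subject DN) -> trusted client certificate (opaque bytes here).
TRUSTED_CERTS = {
    "CN=alice,OU=Clients,O=Example": b"cert-alice",
    "CN=bob,OU=Clients,O=Example": b"cert-bob",
}

NAME_KEY = "javax.security.auth.login.name"
PASSWORD_KEY = "javax.security.auth.login.password"


def make_db():
    """Build an in-memory SQLite table shaped like the MySQL 'user' table the post queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table user (user_id text primary key, password text, user_role text)"
    )
    conn.executemany("insert into user values (?, ?, ?)", USER_TABLE)
    return conn


def cert_login(subject_dn, presented_cert, keystore, shared_state):
    """Model of BaseCertLoginModule (flag=required).

    The principal name is the certificate subject DN. The presented certificate
    must match the keystore entry stored under that DN as alias; an unknown DN or
    a certificate that differs from the stored one fails the login.
    """
    stored = keystore.get(subject_dn)
    if stored is None or stored != presented_cert:
        return False
    # password-stacking=useFirstPass: publish the identity for the next module.
    shared_state[NAME_KEY] = subject_dn
    shared_state[PASSWORD_KEY] = presented_cert
    return True


def database_login(conn, shared_state):
    """Model of DatabaseServerLoginModule with password-stacking=useFirstPass.

    With an identity already in shared state the module does not consult
    principalsQuery; it only loads the roles for that principal. Rows are
    (role, group) pairs and only the 'Roles' group feeds the auth-constraint.
    """
    name = shared_state.get(NAME_KEY)
    if name is None:
        return None
    groups = {}
    for role, group in conn.execute(ROLES_QUERY, (name,)).fetchall():
        groups.setdefault(group, set()).add(role)
    return groups.get("Roles", set())


def authorize(subject_dn, presented_cert, required_role="W"):
    """Run the chain and apply the web.xml auth-constraint (role-name W by default).

    Both modules are flag=required, so the request is authorized only if the
    certificate check succeeds and the database lookup yields the required role.
    """
    conn = make_db()
    shared_state = {}
    try:
        if not cert_login(subject_dn, presented_cert, TRUSTED_CERTS, shared_state):
            return False
        roles = database_login(conn, shared_state)
        return roles is not None and required_role in roles
    finally:
        conn.close()


if __name__ == "__main__":
    print(authorize("CN=alice,OU=Clients,O=Example", b"cert-alice"))   # trusted cert, role W
    print(authorize("CN=bob,OU=Clients,O=Example", b"cert-bob"))       # trusted cert, role R only
    print(authorize("CN=alice,OU=Clients,O=Example", b"forged"))       # DN known, cert mismatch
    print(authorize("CN=mallory,OU=Clients,O=Example", b"cert-m"))     # DN not in trust store
```

The point to check in a real deployment is the join key: the `user_id` column has to hold the same string the certificate module produces as the principal name (the subject DN), otherwise rolesQuery returns no rows and every authenticated certificate is refused by the auth-constraint even though the TLS handshake succeeded.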