I'm trying to implement certificate-based security in my application to secure my web services. I've found a little information, but was hoping that someone who has actually implemented it could help me out. Here's what I've got so far:
In order to lock down the request I added the following information to web.xml:
<!-- security constraint for web services -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecuredResources</web-resource-name>
        <url-pattern>/services/MySvc</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>W</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- the servlet DTD allows exactly one transport-guarantee here;
             CONFIDENTIAL already requires an integrity-protected (TLS) connection -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>UserDatabase</realm-name>
</login-config>
<security-role>
    <role-name>W</role-name>
</security-role>
and the following entry to jboss-web.xml:
<jboss-web>
    <security-domain>java:/jaas/cert-login</security-domain>
</jboss-web>
This means that the authentication for that security constraint will go to my cert-login entry in login-config.xml (right?).
So, in login-config.xml:
<!-- database based certificate authentication/authorization -->
<application-policy name="cert-login">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
                      flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="securityDomain">java:/jaas/ws-cert</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="dsJndiName">java:/MySqlDS</module-option>
            <module-option name="principalsQuery">select password from user where user_id=?</module-option>
            <module-option name="rolesQuery">select user_role, 'Roles' from user where user_id=?</module-option>
        </login-module>
    </authentication>
</application-policy>
This creates the cert-login entry. BaseCertLoginModule kept complaining about needing a security domain, so I added the line with ws-cert and then added a corresponding securityDomain entry to jboss-service.xml:
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.web:service=SecurityDomain">
    <constructor>
        <arg type="java.lang.String" value="ws-cert"/>
    </constructor>
    <attribute name="KeyStoreURL">${jboss.server.config.url}/security/dev.client.keystore</attribute>
    <attribute name="KeyStorePass">******</attribute>
</mbean>
I'm not sure which keystore I should be using here: the client keystore (the same one the client sends with his request) or the server one?
Finally, would the database-based authorization (setting roles) work as I have it set up? Is there a better login module (or combination) to use?
I would appreciate any assistance.
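An added illustration (my own code, not the JBoss login module's source) of the check a certificate login module performs against the store behind the JaasSecurityDomain: the client's certificate is used as the user identity (subject DN) and is accepted only if the identical certificate is present as a trusted entry in that store. The file names and password are assumed placeholders; in a servlet the presented certificate would come from the `javax.servlet.request.X509Certificate` request attribute.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class CertTrustCheck {

    /**
     * Looks the presented certificate up in the trust store.
     * The subject DN serves as the user name, but a DN match alone is not
     * enough (anyone can mint a certificate with that DN), so the whole
     * certificate, and therefore its public key, must be identical to the
     * trusted entry. Returns the matching alias, or null when untrusted.
     */
    public static String findTrustedAlias(KeyStore trust, X509Certificate presented) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            if (!trust.isCertificateEntry(alias)) {
                continue; // private-key entries belong to the server, not to a client
            }
            X509Certificate trusted = (X509Certificate) trust.getCertificate(alias);
            if (trusted.getSubjectX500Principal().equals(presented.getSubjectX500Principal())
                    && trusted.equals(presented)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths/password: the store here must hold the CLIENT
        // certificates as trusted entries, not the server's own key pair.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("dev.client.keystore")) {
            trust.load(in, "changeit".toCharArray());
        }
        X509Certificate presented;
        try (InputStream in = new FileInputStream("client.cer")) {
            presented = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        presented.checkValidity(); // expired or not-yet-valid certificates are rejected first
        String alias = findTrustedAlias(trust, presented);
        System.out.println(alias == null
                ? "REJECT: certificate not in trust store"
                : "ACCEPT as user " + presented.getSubjectX500Principal().getName() + " (alias " + alias + ")");
    }
}
```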