This authentication mechanism is almost the same as mutual authentication, but there are some differences between the two. In client cert authentication, we don't have to enter usernames and passwords. The web browser keeps the server certificates and verifies them against the certificate that the server sends at the beginning of a conversation.
Let's see how to implement client cert authentication. We have to edit some configuration files to achieve it.
First we have to change the web.xml in the application. Add the following authentication method within the login-config tag. The other tags remain the same as in mutual authentication.
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
</login-config>
Go to the following directory and open the server.xml file.
C:\jboss\jboss-eap-5.1\jboss-as\server\default\deploy\jbossweb.sar
Then find the following tag and edit it as follows.
<Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
       certificatePrincipal="org.jboss.security.auth.certs.SubjectCNMapping"
       allRolesMode="authOnly"/>
Then create a security domain in login-config.xml as follows.
<application-policy name="simple-security-domain">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
                      flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="securityDomain">java:/jaas/simple-security-domain</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">props/cert-user.properties</module-option>
            <module-option name="rolesProperties">props/cert-role.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
We need to create two new properties files inside the props directory, called cert-user.properties and cert-role.properties (the names can be anything you like). In this case, the cert-user.properties file should be empty. Then open the cert-role.properties file and add the following lines to it.
Username=admin
Username2=guest
This username is special: it must be the same as the client certificate's common name (CN) and the alias under which the client certificate is saved in server.truststore.
Then go to the jboss-web.xml file in the application and add the security domain, as discussed in the earlier login module topics.
After that we have to add an MBean to the JBoss server. This MBean is a service, so we have to add a new XML file to the following directory. The file name of that XML should be of the form somename-service.xml; in my case, the file name is jboss-service.xml.
C:\jboss\jboss-eap-5.1\jboss-as\server\default\deploy
Then add the following code to the jboss-service.xml file.
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.ch8:service=SecurityDomain">
    <constructor>
        <arg type="java.lang.String" value="simple-security-domain"/>
    </constructor>
    <attribute name="KeyStoreURL">${jboss.server.home.dir}/conf/server.truststore</attribute>
    <attribute name="KeyStorePass">password</attribute>
</mbean>
This password is the password for server.truststore.
We described client.pfx files in the mutual authentication section. As described there, we have to import the client.pfx file into the browser.
Now we are done with the client-cert login.
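To make the login chain above concrete, here is an added example (my own, not part of the original post and not JBoss code) that models the two login modules from login-config.xml: the first takes the CN of the client certificate's subject as the principal (the SubjectCNMapping rule) and checks that a certificate is stored in the truststore under an alias equal to that CN; the second, because of password-stacking useFirstPass, reuses that principal and reads its roles from cert-role.properties. The truststore is represented as a constructed dict of alias to subject DN, the properties contents are constructed, and the names subject_cn, parse_properties and authenticate are mine.

```python
"""Simplified model of the CLIENT-CERT login chain (assumption: not JBoss code).

The real BaseCertLoginModule compares X.509 certificate objects; here a
certificate is represented only by its subject DN string, which is enough
to show why the truststore alias, the CN and the roles key must agree.
"""
import re

# Constructed sample truststore: alias -> subject DN of the stored client cert.
TRUSTSTORE = {
    "admin": "CN=admin, OU=Dev, O=Example",
    "guest": "CN=guest, O=Example",
    # Stored under an alias that differs from the CN: login must fail.
    "bob-cert": "CN=bob, O=Example",
}

# Constructed cert-role.properties: <principal>=<role>[,<role>...]
CERT_ROLE_PROPERTIES = """\
# roles for the client-cert principals
admin=admin
guest=guest
"""

# Constructed cert-user.properties: intentionally empty, as the post requires.
CERT_USER_PROPERTIES = ""


def parse_properties(text):
    """Parse a minimal Java .properties file (key=value lines, # or ! comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def subject_cn(dn):
    """Return the CN attribute of an RFC 2253 style DN, or None if absent.

    Splits only on unescaped commas, so a value such as 'Smith\\, John'
    is kept intact and unescaped.
    """
    for rdn in re.split(r"(?<!\\),", dn):
        name, sep, value = rdn.strip().partition("=")
        if sep and name.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    return None


def authenticate(presented_dn, truststore, roles_props):
    """Model of BaseCertLoginModule followed by UsersRolesLoginModule.

    Returns (principal, roles) on success and raises PermissionError
    otherwise, mirroring a failed 'required' login module.
    """
    # Step 1: SubjectCNMapping turns the certificate subject into a principal.
    principal = subject_cn(presented_dn)
    if principal is None:
        raise PermissionError("certificate subject has no CN")
    # Step 2: the stored certificate is looked up under alias == principal.
    stored_dn = truststore.get(principal)
    if stored_dn is None:
        raise PermissionError("no certificate stored under alias %r" % principal)
    if stored_dn != presented_dn:
        raise PermissionError("presented certificate does not match stored one")
    # Step 3: useFirstPass hands the principal to UsersRolesLoginModule,
    # which only needs the roles file because no password is involved.
    roles = roles_props.get(principal)
    if roles is None:
        raise PermissionError("no roles defined for principal %r" % principal)
    return principal, [r.strip() for r in roles.split(",") if r.strip()]


if __name__ == "__main__":
    roles_props = parse_properties(CERT_ROLE_PROPERTIES)
    for dn in ("CN=admin, OU=Dev, O=Example", "CN=bob, O=Example", "O=Example"):
        try:
            print(dn, "->", authenticate(dn, TRUSTSTORE, roles_props))
        except PermissionError as err:
            print(dn, "-> denied:", err)
```

Running the script shows the admin certificate being granted the admin role, while the certificate stored under the alias bob-cert is denied even though it is in the truststore, which is exactly the alias/CN mismatch the post warns about.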