如何配置相互证书身份验证

时间:2015-04-08 12:33:01

标签: wildfly java-ee-7 client-certificates

我尝试使用wildfly 8.2完成客户端证书身份验证,我已将日志记录级别更改为ALL以使我能够看到来自org.jboss.security的错误

(注意:使用的密码用于演示)

下面是我在wildfly 8.2 standalone.xml中的配置

<security-realm name="SSLRealm">
    <server-identities>
        <ssl protocol="TLSv1">
            <keystore path="localhost.jks" relative-to="jboss.server.config.dir" keystore-password="localhost" alias="localhost"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="cacerts.jks" relative-to="jboss.server.config.dir" keystore-password="localhost"/>
    </authentication>
</security-realm>

我的安全域

<security-domain name="client-cert-policy" cache-type="default">
    <authentication>
        <login-module code="Certificate" flag="required">
            <module-option name="securityDomain" value="client-cert-policy"/>
        </login-module>
    </authentication>
    <jsse keystore-password="localhost" keystore-url="file:/${jboss.server.config.dir}/localhost.jks" truststore-password="localhost" truststore-url="file:/${jboss.server.config.dir}/cacerts.jks" client-auth="true"/>
</security-domain>

我的https-listerner 

<https-listener name="default-https" socket-binding="https" security-realm="SSLRealm" verify-client="REQUESTED"/>

在我的Web应用程序web.xml中

<security-constraint>
    <display-name>allpages</display-name>
    <web-resource-collection>
        <web-resource-name>all-res</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>client-cert-policy</realm-name>
</login-config>

在jboss.xml中

<context-root>/haven</context-root>
<security-domain>client-cert-policy</security-domain>

尽管如此,我的Web应用程序仍返回403错误页面

非常感谢任何帮助

1 个答案:

答案 0 :(得分:4)

最后我得到了client_auth,以下是修改后的工作

standalone.xml安全域中的

从Certificate更改为CertificateRoles,添加角色属性文件

<security-domain name="client-cert-policy" cache-type="default">
    <authentication>
        <login-module code="CertificateRoles" flag="required">
            <module-option name="securityDomain" value="client-cert-policy"/>
            <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/user_roles.properties"/>
            <module-option name="defaultRolesProperties" value="file:${jboss.server.config.dir}/default_roles.properties"/>
        </login-module>
    </authentication>
    <jsse keystore-password="localhost" keystore-url="file:/${jboss.server.config.dir}/localhost.jks" truststore-password="localhost" truststore-url="file:/${jboss.server.config.dir}/cacerts.jks" client-auth="true"/>
</security-domain>

修改了web.xml以添加角色

<security-constraint>
    <display-name>allpages</display-name>
    <web-resource-collection>
        <web-resource-name>all-res</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>sys_view</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>client-cert-policy</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>sys_view</role-name>
</security-role>
相关问题
最新问题