ansaurus

Question

Answer 1

+1 A:

Have you reloaded your web application since you made your changes?

Brabster 2010-03-04 20:14:34

yeah, I restarted it. Is that what you mean?

sixtyfootersdude 2010-03-04 20:18:27

yep. Also you saw the JBoss note on the page you linked to about ignored redirects and that's not the problem? Your setup looks OK to me although I've never set up CLIENT-CERT before....

Brabster 2010-03-04 20:26:17

Huh, that may actually be the problem... Looking into it right now. Trying to get snoop working to test what port it is connecting to but can't seem to get it to work. Will come back with an answer.

sixtyfootersdude 2010-03-05 20:21:31

Answer 2

+1 A:

I assume port <C> is HTTP and since you have configured <transport-guarantee> CONFIDENTIAL </transport-guarantee> hence port <C> is blocked.

Port <B> does uses SSL which satisfies <transport-guarantee> CONFIDENTIAL </transport-guarantee> hence it is not blocked.

.

You are missing few elements in your web.xml configuration. You don't have any authorization constraints on your web resources. Hence when you access from port <B> even though you are not authneticated you are still authorized to access the resources as you have not put any auth-constraints on your resourses.

You need to have list of <security-role> containing <role-name> that can access this application.

<security-constraint> for <web-resource-collection> should have <auth-constraint> telling which <role-name> to give access to and others will be restricted.

The roles configured above are JEE roles. Container(JBoss) needs to be configured to map authenticated roles to JEE roles.

Reference:

http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html

http://community.jboss.org/wiki/RoleMappingLoginModule

.

Updated copy of above web.xml

<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>

        <!-- defines resources to be protected (in this case everything)-->
        <web-resource-collection>
                <!-- name for the resource, can be anything you like -->
                <!-- Question: is this referenced anywhere else? -->
                <web-resource-name>
                        Entire Application
                </web-resource-name>

                <!-- protect the entire application -->
                <url-pattern>
                        /*
                </url-pattern>
        </web-resource-collection>

        <auth-constraint>
            <description>Authorized Roles</description>
            <role-name>ALL_AUTHENTICATED</role-name>
        </auth-constraint>


        <!-- defines protection level for protected resource -->
        <user-data-constraint>
                <!-- data cannot be observed or changed                                 -->
                <!-- how it works in tomcat:                                            -->
                <!--    if (set to integral or confidential && not using ssl)           -->
                <!--            redirect sent to client, redirecting them to same url   -->
                <!--            but using the port defined in the redirect port         -->
                <!--            attribute in the <Connector> element of server.xml      -->
                <!--            default is 443, so in other words user is redirected    -->
                <!--            to same page using ssl.                                 -->
                <!-- BUT it is differnt for JBOSS!!  See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
                <transport-guarantee>
                        CONFIDENTIAL
                </transport-guarantee>
        </user-data-constraint>

</security-constraint>

<login-config>

        <!-- Client-side SSL certificate based authentication.  The cert is passed to the server to authenticate -->
        <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/[email protected]/msg139845.html -->
        <!-- CLIENT-CERT uses a client's AND server's certificates.  See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
        <auth-method>
                CLIENT-CERT
        </auth-method>     
</login-config>
<security-role>
    <description>All authenticated users</description>
    <role-name>ALL_AUTHENTICATED</role-name>
</security-role>

.

In security there are two things, authentication and authorization.

Authentication: the act of verifying that a user is a subject and granting the user certain principals; "who you are."

Authorization: the act of verifying that a user is allowed to access a certain resource; "what you may do."

<auth-method> tell how to authenticate a user or how to ask who you are. If user does not have client certificate, he is unauthenticated user. It does not tell what user can do.

However <auth-constraint> is what you may do. If you put <auth-constraint>, then only roles mentioned in there can access the respective web resource. You could still have user who is not authenticated but is authorized to access certain resources if resources are not constrainted to certian roles.

Gladwin Burboz 2010-03-10 16:37:48

Hey Gladwin, thanks for the feed back. My assumption was that if I did not include roles the auth-method woudl apply to all of the roles. Is this assumption incorrect?

sixtyfootersdude 2010-03-15 15:20:21

I have updated my answer at the end to explain your doubts.

Gladwin Burboz 2010-03-15 20:04:31

ansaurus

tags:

views:

answers:

Changes to JBoss web.xml have no effect

Update

related questions