当我使用 APR 并且并非所有 Web 部署都使用 CLIENT-CERT 身份验证时,如何在 JBoss 5.1.0.GA 中获得客户端证书身份验证?
注意:我将回答我自己的问题...只是想将这个花絮添加到互联网的集体智慧中。
我已经在我的 JBoss 5.1.0.GA 服务器上成功配置了证书身份验证,很大程度上借助此页面上的信息: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html
我有一个上下文(我们称之为 /openContext )不需要任何身份验证,另一个上下文(我们称之为 /securedContext)需要客户端证书身份验证(即,它配置为在web.xml)。当使用 JBoss 的默认 Web 连接器时,效果非常好。我可以点击 http://myhost/openContext 并且不会提示我输入证书,但是当我点击 http://myhost/securedContext 时,系统会提示我如我所料,获取客户端证书。
但是,当我安装 JBossWeb Native 并使用 APR 作为我的 Web 连接器时,系统不再提示我当我点击 http://myhost/securedContext 时获取证书。
server.xml 中的 APR 连接器配置如下所示:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
SSLCACertificateFile="/etc/pki/tls/certs/clientCAs.crt"
/>
我还尝试将 SSLVerifyClient 参数添加到该配置中并将其设置为可选,但这会提示在 /openContext 和 /securedContext 中输入证书,这不是我想要的行为。
如何让带有 APR 的 JBoss 要求对一个 Web 上下文进行证书身份验证,而不要求对另一个 Web 上下文进行证书身份验证?
Note: I will be answering my own question... just wanted to add this tidbit to the collective wisdom of The Internets.
I've successfully configured certificate authentication on my JBoss 5.1.0.GA server, largely with the help of the information on this page: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html
I have one context (let's call it /openContext) that doesn't require any authentication, and another context (let's call it /securedContext) that requires client certificate authentication (i.e., it's configured to use CLIENT-CERT in web.xml). When using JBoss's default web connector, this works splendidly. I can hit http://myhost/openContext and I'm not prompted for a certificate, but when I hit http://myhost/securedContext, I'm prompted for a client certificate as I'd expect.
However, when I install JBossWeb Native and use APR as my web connector, I'm no longer prompted for a certificate when I hit http://myhost/securedContext.
My APR connector config in server.xml looks like:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
SSLCACertificateFile="/etc/pki/tls/certs/clientCAs.crt"
/>
I've also tried adding the SSLVerifyClient parameter to that configuration and setting it to optional, but that prompts for a certificate in both /openContext and /securedContext, which isn't the behavior I want.
How can I get JBoss with APR to require certificate authentication for one web context, but not another web context?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
对我有用的是添加一个全新的 Web 连接器,并让客户端使用该备用端口来保护安全的 Web 上下文。我的连接器配置现在如下所示:
现在,如果我点击
http://myhost:8443/openContext,系统不会提示我输入证书,但是当我点击http://myhost 时:8543/securedContext,系统提示我输入证书。当然,我仍然可以使用“错误”端口访问任一网络应用程序,但对于我的目的来说,后果可以忽略不计。如果客户端点击http://myhost:8443/securedContext,他们只会收到 HTTP 身份验证错误。如果客户端点击http://myhost:8543/openContext,系统会提示他们输入客户端证书。如果他们提供了一个,那就太好了(尽管我不在乎你是谁),如果他们不提供一个或提供了一个无效的端口,他们就会收到 HTTP 身份验证错误(他们应该首先使用正确的端口) )。我很确定有一种替代方法可以让这个工作不需要第二个连接器,只需将 httpd 放在 JBoss 前面并在那里进行一些巧妙的配置,但这对于我的目的来说已经足够好了。
What worked for me was to just add a whole new web connector, and have clients use that alternate port for the secured web context. My connectors config now looks like:
Now, if I hit
http://myhost:8443/openContext, I'm not prompted for a certificate, but when I hithttp://myhost:8543/securedContext, I am prompted for a certificate. Of course, I can still access either web app with the "wrong" port, but the consequences are negligible for my purposes. If a client hitshttp://myhost:8443/securedContext, they simply get an HTTP authentication error. If a client hitshttp://myhost:8543/openContext, they're prompted for a client certificate. If they provide one, great (though I don't care who you are), and if they don't provide one or provide an invalid one, they get an HTTP auth error (they should have used the correct port in the first place).I'm pretty sure there's an alternative way to get this working without requiring a second connector by putting httpd in front of JBoss and doing some clever configuration there, but this worked well enough for my purposes.