JBOSS 7 with two contexts. One with SSL Mutual Auth and the other just SSL


Problem description

We are having a problem configuring our JBoss. We are trying to configure it to make it possible to use Mutual auth and to not use it at the same time. Like:

https://example.com/contextA/ (Requires SSL Mutual auth)
https://example.com/contextB/ (Just SSL)

Is it possible?

What I could do is make either all of JBoss use SSL mutual auth or none of it. How can I configure it to be both at the same time?

My contextA web.xml:

<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
    <display-name>ContextA</display-name>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>services</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <security-role>
        <role-name />
    </security-role>
</web-app>

My contextA jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>RequireCertificateDomain</security-domain>
</jboss-web>

ContextB web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <display-name>ContextB</display-name>

    <jsp-config>
        <jsp-property-group>
            <url-pattern>*.jsp</url-pattern>
            <trim-directive-whitespaces>true</trim-directive-whitespaces>
        </jsp-property-group>
    </jsp-config>

    <session-config>
        <session-timeout>10</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <display-name>SecureApplicationConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>ContextB</web-resource-name>
            <description>Auth applications are secured</description>
            <url-pattern>/login/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>Only Users with roles are allowed</description>
            <role-name>USER</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <display-name>SecureChannelConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>Entire site is protected through SSL</web-resource-name>
            <description />
            <url-pattern>/contextB/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <description>Require encrypted channel</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ContextBPolicy</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description/>
        <role-name>USER</role-name>
    </security-role>

</web-app>

ContextB jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/ContextBPolicy</security-domain>
</jboss-web>

Content of standalone.xml

<security-domain name="ContextBPolicy">
    <authentication>
        <login-module code="org.ContextBLoginModule" flag="required"/>
    </authentication>
</security-domain>

(...)

<security-domain name="RequireCertificateDomain">
    <authentication>
        <login-module code="CertificateRoles" flag="required">
            <module-option name="securityDomain" value="RequireCertificateDomain"/>
            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
            <module-option name="usersProperties" value="file:c:/tmp/my-users.properties"/>
            <module-option name="rolesProperties" value="file:c:/tmp/my-roles.properties"/>
        </login-module>
    </authentication>
    <jsse keystore-password="changethis" keystore-url="file:c:/tmp/localhost.jks" truststore-password="changethis" truststore-url="file:c:/tmp/cacerts.jks"/>
</security-domain>

(...)

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <configuration>
        <jsp-configuration x-powered-by="false"/>
    </configuration>
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="ssl" key-alias="localhost" password="changethis" certificate-key-file="../standalone/configuration/localhost.jks" verify-client="require" ca-certificate-file="../standalone/configuration/cacerts.jks" truststore-type="JKS"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>

Recommended answer

In my opinion, it's impossible to do this based on the http endpoint.

Reason being that the SSL/TLS handshake happens BEFORE the client sends its http request to the server.

The endpoint (e.g. /contextA) resides in that http request!

At the start of the SSL/TLS handshake, only the hostname (e.g. example.com) is available (and only if the client has SNI enabled).

So you'll need 2 different hostnames for this. For example contexta.example.com and contextb.example.com.
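Because the answer places the client-certificate decision at the TLS listener rather than at the context path, the analogous way to expose both behaviours from one server is two https connectors on separate socket bindings, one that requires a certificate during the handshake and one that does not. This is an added illustration, not configuration from the question or the answer; the connector name https-plain, its port 8444 and the second ssl name are constructed, and it assumes the JBoss 7 web subsystem accepts more than one secure connector, each with its own ssl element.

```xml
<!-- socket-binding-group: the existing https binding plus a constructed second one -->
<socket-binding name="https" port="8443"/>
<socket-binding name="https-plain" port="8444"/> <!-- constructed name and port -->

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

    <!-- Listener 1: mutual TLS. The handshake demands a client certificate
         before any HTTP bytes, and therefore any context path, reach the server. -->
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="ssl" key-alias="localhost" password="changethis"
             certificate-key-file="../standalone/configuration/localhost.jks"
             verify-client="require"
             ca-certificate-file="../standalone/configuration/cacerts.jks" truststore-type="JKS"/>
    </connector>

    <!-- Listener 2: server-authenticated TLS only. verify-client is omitted on the
         assumption that the default does not request a client certificate. -->
    <connector name="https-plain" protocol="HTTP/1.1" scheme="https" socket-binding="https-plain" secure="true">
        <ssl name="ssl-plain" key-alias="localhost" password="changethis"
             certificate-key-file="../standalone/configuration/localhost.jks"/>
    </connector>

    <!-- Both contexts are served by both connectors; the virtual server is not tied
         to a connector, which is why the split has to happen at the listener. -->
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
```

With this layout contextA's CLIENT-CERT login succeeds only on the mutual-auth connector, where the handshake has already supplied a certificate, while requests for it on the plain connector arrive without one and are rejected by its auth-constraint; contextB's FORM login works on either. This separates the two endpoints by port on one hostname, whereas the answer recommends separating them by hostname.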
