Client PKI certificate authentication with Wildfly 8 sends 404

0
votes

I am trying to get client certificate authentication via smartcard working with Wildfly 8. It was previously working with JBoss AS but Wildfly went and changed things. I have imported the proper certificates into my keystore.

This is my standalone.xml:

        <security-realm name="SSLRealm">
            <server-identities>
                <ssl protocol="TLSv1">
                    <keystore path="server.keystore" keystore-password="password" alias="server"/>
                </ssl>
            </server-identities>
            <authentication>
                <truststore path="server.keystore" keystore-password="server.keystore"/>
            </authentication>
        </security-realm>

....

    <subsystem xmlns="urn:jboss:domain:undertow:1.2">
        <buffer-cache name="default"/>
        <server name="default-server">
            <http-listener name="default" socket-binding="http"/>
            <https-listener name="https" socket-binding="https" security-realm="SSLRealm" verify-client="REQUESTED"/>
            <host name="default-host" alias="localhost">
                <filter-ref name="gzipFilter" predicate="not min-content-size[500]"/>
            </host>
        </server>
        <servlet-container name="default">
            <jsp-config development="true" target-vm="1.8" x-powered-by="false"/>
            <websockets/>
        </servlet-container>
        <filters>
            <gzip name="gzipFilter"/>
        </filters>
    </subsystem>

...

            <security-domain name="cert-login" cache-type="default">
                <jsse keystore-password="password" keystore-url="server.keystore" truststore-password="password" truststore-url="server.keystore" client-auth="true"/>
                <authentication>
                    <login-module code="Certificate" flag="required">
                        <module-option name="securityDomain" value="cert-login"/>
                        <module-option name="password-stacking" value="useFirstPass"/>
                    </login-module>
                    <login-module code="Identity" flag="required">
                        <module-option name="roles" value="certuser"/>
                    </login-module>
                </authentication>
            </security-domain>

...

        <logger category="org.wildfly.extension.undertow">
            <level name="DEBUG"/>
        </logger>
        <logger category="org.jboss.as.security">
            <level name="TRACE"/>
        </logger>
        <logger category="org.jboss.security">
            <level name="TRACE"/>
        </logger>

jboss-web.xml:

<jboss-web>
   <context-root>/</context-root>
   <security-domain>cert-login</security-domain>
</jboss-web>

... and my web.xml

  <security-constraint>
  <web-resource-collection>
     <web-resource-name>Cert Login Page</web-resource-name>
     <url-pattern>/cert/detect</url-pattern>
  </web-resource-collection>

  <auth-constraint>
     <role-name>certuser</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>certuser</role-name>
</security-role>

What happens when I go to /cert/detect is I get a 404. Not errors or anything. I have been spinning my wheels for days trying to figure out what the problem is.

1
javaconfigurationwildflyx509jaas

1 Answers

1
votes

The problem ended up being nothing to do with the Wildfly configuration, I just needed to add an additional certificate to the server.keystore. The 404 was a red herring.