Hello,
I want to secure a servlet so that you can connect to it only if you have a certificate.
To do it, firstly I have set up Tomcat to support HTTPS as in scenario 3 here:
http://wiki.jboss.org/wiki/Wiki.jsp?page=SSLSetup
The only difference is that in server.xml, I left clientAuth="false", as I want the rest of the pages to be accessible in a normal way.
The result I get is, when I don't have the certificate registered, it denies access, but when I have - I get an error message:
HTTP Status 401 - Cannot authenticate with the provided credentials
Did I miss something?
First off, see my comments at http://www.jboss.com/index.html?module=bb&op=viewtopic&t=86289.
SSL vs. CLIENT-CERT authentication are two separate issues.
That said, we would need to see some trace logging of JBoss security at the point when a user attempts to access a secured resource to see what is going on.
Hello,
thanks for the link, that clarified a little.
Now I'm wondering - where do I put the certificates (server ones - server.keystore file)? Do I bundle them with the web application or put it in the conf directory (I tried both, with the same effect).
I'm also not sure what "The localhost.keystore would need this cert stored with an alias of CN=unit-tests-client, OU=JBoss Inc., O=JBoss Inc., ST=Washington, C=US and the jmx-console-roles.properties would also need an entry for the same entry." means - from the manual - should I import the client certificate to server.keystore?
Finally, how do you enable trace logging of JBoss Security? I tried adding to log4j.xml:
but that didn't help :)