  1. JBoss Enterprise Application Platform
  2. JBEAP-10290

Bare remoting connector with SSL context with need-client-auth doesn't require the client to authenticate

    Details

      Description

      I create a bare remoting connector with an SSL context which should require mutual trust:

        /subsystem=elytron/key-store=example-key-store:add(path=server.keystore, relative-to=jboss.server.config.dir, credential-reference={clear-text=123456}, type=JKS)
        /subsystem=elytron/key-managers=example-key-manager:add(key-store=example-key-store, algorithm=SunX509, credential-reference={clear-text=123456})
        /subsystem=elytron/trust-managers=example-trust-manager:add(key-store=example-key-store, algorithm=SunX509)
        /subsystem=elytron/server-ssl-context=example-ssl-context:add(trust-managers=example-trust-manager, key-managers=example-key-manager, need-client-auth=true, want-client-auth=true)
        /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
        /socket-binding-group=standard-sockets/socket-binding=remoting-ssl-sb:add(port=4448)
        /subsystem=remoting/connector=remoting-ssl-connector:add(socket-binding=remoting-ssl-sb, sasl-authentication-factory=application-sasl-authentication, ssl-context=example-ssl-context)
      

      However, the client is able to authenticate (just using SASL) even if it doesn't use any keystore, even though mutual trust should be established. When using an https-remoting connector secured the equivalent way, the client can't authenticate without a keystore.

      When sasl-authentication-factory is removed, no authentication will be done through SSL. SSL will only be used for encrypting the communication.

      Bare remoting connector with SSL secured by picketbox works as expected as well (encryption and authentication); this looks Elytron-related.
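
An added example, not part of the original report: a Python check that lists bare remoting connectors whose `ssl-context` sets `need-client-auth=true`, so each can be tested with a client that has no keystore. The XML sample is constructed, and its element names, attribute names and namespaces are assumptions that mirror the CLI resources and attributes shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the report). Element and attribute names are
# assumed to mirror the CLI resources above; namespaces are placeholders.
SAMPLE_CONFIG = """<server>
  <subsystem xmlns="urn:example:elytron">
    <tls><server-ssl-contexts>
      <server-ssl-context name="example-ssl-context"
                          need-client-auth="true" want-client-auth="true"/>
      <server-ssl-context name="encrypt-only-context"/>
    </server-ssl-contexts></tls>
  </subsystem>
  <subsystem xmlns="urn:example:remoting">
    <connector name="remoting-ssl-connector" socket-binding="remoting-ssl-sb"
               sasl-authentication-factory="application-sasl-authentication"
               ssl-context="example-ssl-context"/>
    <connector name="remoting-tls-only" socket-binding="other-sb"
               ssl-context="encrypt-only-context"/>
    <http-connector name="https-remoting-connector" connector-ref="https"/>
  </subsystem>
</server>"""

def local(tag):
    """Strip the XML namespace so the check does not depend on schema version."""
    return tag.rsplit("}", 1)[-1]

def connectors_relying_on_client_cert(config_xml):
    """Return bare remoting connectors whose ssl-context has need-client-auth=true."""
    root = ET.fromstring(config_xml)
    need_auth = {
        el.get("name")
        for el in root.iter()
        if local(el.tag) == "server-ssl-context"
        and el.get("need-client-auth", "false").lower() == "true"
    }
    findings = []
    for el in root.iter():
        # Only <connector> is the bare remoting connector; <http-connector> is skipped.
        if local(el.tag) == "connector" and el.get("ssl-context") in need_auth:
            findings.append({
                "connector": el.get("name"),
                "ssl_context": el.get("ssl-context"),
                "sasl_factory": el.get("sasl-authentication-factory"),
            })
    return findings

if __name__ == "__main__":
    for f in connectors_relying_on_client_cert(SAMPLE_CONFIG):
        print(f"{f['connector']}: confirm a client without a keystore is rejected "
              f"(ssl-context={f['ssl_context']}, sasl={f['sasl_factory']})")
```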

              People

              • Assignee:
                dlofthouse Darran Lofthouse
                Reporter:
                jmartisk Jan Martiska