Regarding : How to migrate a X509 Jaas LoginModule to Elytron custom Realm


Akash gupta

Jan 4, 2022, 12:44:05 PM
to WildFly

Hope you are doing well.

Currently in our application we have configured X509 JAAS authentication.

So our current authentication workflow happens as mentioned below:

1. Client -> 2. Undertow (custom auth) -> 3. legacy security subsystem custom login modules -> 4. authenticated.

1. Client
The client presents its certificate through the browser.

2. Undertow: we have written a custom authentication mechanism.
This is responsible for account verification by extracting the client certificates and marking the exchange as authenticated, and it sets the principal for the further workflow as part of the Undertow account.

3. Using legacy security, having a login module which:

    <security-domain name="ABSecurityDomain" cache-type="default">
        <jsse client-auth="true" protocols="${ab.web.server.tls.protocols:TLSv1.2}" cipher-suites="${ab.web.server.tls.ciphers:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256}" keystore-url="${jboss.server.config.dir}/t.keystore" keystore-password="KS_PASSWORD" truststore-url="${jboss.server.config.dir}/t.truststore" truststore-password="TS_PASSWORD" keystore-type="pkcs12" truststore-type="pkcs12"/>
        <login-module code="" module="" flag="requisite">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="securityDomain" value="ABSecurityDomain"/>
        </login-module>
    </security-domain>

Can you please give guidance on the above steps to migrate the above configuration to WildFly 26, probably using a custom-realm-based configuration: for each of the above-mentioned steps, what we can do.

Thanks in anticipation,
Akash Gupta

Akash gupta

Jan 4, 2022, 1:13:07 PM
to WildFly

Can you give some guidance for the above steps on how to back this by a custom realm, for the above-mentioned steps.

Also I need some idea of how Elytron will wire client certificates as Evidence to a custom realm; I can see something is present.

  • How will this client certificate be available as evidence to the custom realm when the auth flow calls verifyEvidence?
  • I need a way to define a custom principal decoder extending EvidenceDecoder so we can get our principal based on our requirement. How do we get the principal for a certificate?

Diana Krepinska

Jan 5, 2022, 8:44:27 AM
to WildFly
Hello, I'll post my thoughts here as well.

To use client certificates for authentication to the realm you could use the CLIENT_CERT HTTP authentication mechanism. Take a look at this blog post to see how it can be configured. There is also an example of a principal decoder that uses a regular expression to decode the principal from a client certificate attribute.
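The two questions in the second post (how the certificate reaches verifyEvidence, and how to derive a principal from it with an EvidenceDecoder) and the CLIENT_CERT answer above can be tied together in code. The following is an added example written for this page; it is not from the thread, the referenced blog post, or the WildFly project. It assumes the CLIENT_CERT mechanism hands the realm an `X509PeerCertificateChainEvidence`, that Elytron runs the security domain's evidence decoder before calling `getRealmIdentity(Principal)`, and that the realm is registered through `<custom-realm>` and the decoder through `<custom-evidence-decoder>` in the elytron subsystem. The class names, the `com.example.elytron` module name and the in-memory user table (CN to roles) are hypothetical stand-ins for the legacy login module's own user store.

```java
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.EvidenceDecoder;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.X509PeerCertificateChainEvidence;

/** Custom realm (hypothetical) that only accepts X.509 client-certificate evidence.
 *  Wire it with <custom-realm name="ab-cert-realm" module="com.example.elytron"
 *  class-name="com.example.elytron.ClientCertRealm"/>. */
public final class ClientCertRealm implements SecurityRealm {
    /** Same decoder the security domain references as its evidence-decoder. */
    static final EvidenceDecoder DECODER = new SubjectCnEvidenceDecoder();
    /** Constructed sample data: subject CN -> roles. Replace with the legacy module's store. */
    private final Map<String, Set<String>> users =
            Map.of("alice", Set.of("Users", "Admins"), "bob", Set.of("Users"));

    @Override
    public RealmIdentity getRealmIdentity(Principal principal) {
        // The evidence decoder has already run, so this principal is the CN it extracted.
        Set<String> roles = principal == null ? null : users.get(principal.getName());
        return roles == null ? RealmIdentity.NON_EXISTENT : new CertIdentity(principal.getName(), roles);
    }

    @Override
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> type, String alg,
                                                    AlgorithmParameterSpec spec) {
        return SupportLevel.UNSUPPORTED; // the certificate is evidence, not a stored credential
    }

    @Override
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> type, String alg) {
        return X509PeerCertificateChainEvidence.class.isAssignableFrom(type)
                ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
    }

    private static final class CertIdentity implements RealmIdentity {
        private final String name;
        private final Set<String> roles;
        CertIdentity(String name, Set<String> roles) { this.name = name; this.roles = roles; }

        @Override public Principal getRealmIdentityPrincipal() { return new NamePrincipal(name); }
        @Override public boolean exists() { return true; }
        @Override public <C extends Credential> C getCredential(Class<C> type) { return null; }
        @Override public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> type,
                String alg, AlgorithmParameterSpec spec) { return SupportLevel.UNSUPPORTED; }
        @Override public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> type, String alg) {
            return X509PeerCertificateChainEvidence.class.isAssignableFrom(type)
                    ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
        }

        /** This is where the certificate handed over by CLIENT_CERT is actually checked. */
        @Override
        public boolean verifyEvidence(Evidence evidence) {
            if (!(evidence instanceof X509PeerCertificateChainEvidence)) {
                return false; // anything else (e.g. a password from another mechanism) is refused
            }
            X509Certificate leaf = ((X509PeerCertificateChainEvidence) evidence).getFirstCertificate();
            try {
                leaf.checkValidity(); // validity window, rechecked independently of the TLS layer
            } catch (CertificateException e) {
                return false;
            }
            // Re-derive the name from the presented certificate so a decoder or mapping bug
            // cannot bind one user's certificate to another user's identity.
            Principal fromCert = DECODER.getPrincipal(evidence);
            return fromCert != null && name.equals(fromCert.getName());
        }

        @Override
        public AuthorizationIdentity getAuthorizationIdentity() {
            MapAttributes attributes = new MapAttributes();
            attributes.addAll("Roles", roles); // pair with a simple-role-decoder on "Roles"
            return AuthorizationIdentity.basicIdentity(attributes);
        }
    }
}

/** EvidenceDecoder (hypothetical): subject CN -> principal name the realm is keyed on.
 *  Wire it with <custom-evidence-decoder name="ab-cn-decoder" module="com.example.elytron"
 *  class-name="com.example.elytron.SubjectCnEvidenceDecoder"/>. */
final class SubjectCnEvidenceDecoder implements EvidenceDecoder {
    // RFC 2253 escapes commas inside a value as "\,", so accept an escaped char or any non-comma.
    private static final Pattern CN = Pattern.compile("(?:^|,)\\s*CN=((?:\\\\.|[^,])+)");

    @Override
    public Principal getPrincipal(Evidence evidence) {
        if (!(evidence instanceof X509PeerCertificateChainEvidence)) return null;
        X509Certificate leaf = ((X509PeerCertificateChainEvidence) evidence).getFirstCertificate();
        String dn = leaf.getSubjectX500Principal().getName(X500Principal.RFC2253);
        Matcher m = CN.matcher(dn);
        return m.find() ? new NamePrincipal(m.group(1).replace("\\,", ",")) : null;
    }
}
```

Two points worth keeping in mind when using something like this. Chain validation against the truststore (the job the `jsse` element did with `client-auth="true"`) belongs to the Elytron `server-ssl-context` with `need-client-auth="true"` and a trust manager built from that truststore; the realm's `verifyEvidence` is the second, application-level check and should not be the only one. And if the decoder returns `null` for a certificate, no principal is produced for that evidence, so the realm's lookup simply fails closed rather than falling through to some other user.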