lscorcia / keycloak-cns-authenticator

Keycloak (https://www.keycloak.org/) custom authenticator for the Italian Carta Nazionale dei Servizi (CNS)
Apache License 2.0

standalone-ha.xml #2

Open amattsmith opened 3 years ago

amattsmith commented 3 years ago

Any chance you could include the standalone-ha.xml configuration file you are using for the X509 config? Once I migrated from keycloak 11.* and began going down the path of writing my own custom code, I can't get chrome to prompt for the certificate. I believe it is due to my standalone-ha.xml configuration. Any chance you could share yours? Thanks in advance!

lscorcia commented 3 years ago

Well, it really depends on your infrastructure. I never tried HA configs so I'm using the basic standalone.xml config. Here are the relevant snippets for my local dev VM (prod has a different setup):

```xml
<server>
    ...
    <profile>
        ...
        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
                <https-listener name="https_cns" socket-binding="https_cns" security-realm="ApplicationRealm" verify-client="REQUESTED" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
    </profile>
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
        </interface>
    </interfaces>
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
        <socket-binding name="http" port="${jboss.http.port:8085}"/>
        <socket-binding name="https" port="${jboss.https.port:8443}"/>
        <socket-binding name="https_cns" port="8444"/>
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
        <socket-binding name="txn-recovery-environment" port="4712"/>
        <socket-binding name="txn-status-manager" port="4713"/>
        <outbound-socket-binding name="mail-smtp">
            <remote-destination host="localhost" port="25"/>
        </outbound-socket-binding>
    </socket-binding-group>
    ...
</server>
```

Basically, I am forcing the client certificate request for incoming requests on a specific, additional server port.
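The symptom in the question (the browser never prompts for a certificate) matches a setup where the Keycloak port being hit has no `verify-client` on its `https-listener`. The following is an added example, not code from this thread or from the keycloak-cns-authenticator project: a small config lint that parses a WildFly/Keycloak `standalone*.xml`, resolves the `${property:default}` port expressions, and reports which HTTPS listener actually asks for a client certificate and on which port. The embedded XML is a constructed sample modelled on the snippet above, and the function names are my own; it assumes Undertow treats a missing `verify-client` attribute as `NOT_REQUESTED`.

```python
"""Config lint for the client-certificate listener discussed in this thread (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the snippet above, not a real server file:
# one plain HTTPS listener on 8443 and a second one on 8444 that requests a client cert.
SAMPLE_XML = """\
<server xmlns="urn:jboss:domain:16.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server">
      <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
        <https-listener name="https_cns" socket-binding="https_cns"
                        security-realm="ApplicationRealm" verify-client="REQUESTED"/>
      </server>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="${jboss.http.port:8085}"/>
    <socket-binding name="https" port="${jboss.https.port:8443}"/>
    <socket-binding name="https_cns" port="8444"/>
  </socket-binding-group>
</server>
"""

# Matches a single WildFly expression such as ${jboss.https.port:8443}.
_EXPR = re.compile(r"^\$\{([^:}]+)(?::([^}]*))?\}$")


def resolve_expression(value, system_properties=None):
    """Resolve ${name:default}: a supplied system property wins, else the default, else the raw value."""
    m = _EXPR.match(value or "")
    if not m:
        return value
    name, default = m.group(1), m.group(2)
    props = system_properties or {}
    if name in props:
        return props[name]
    return default if default is not None else value


def _local(tag):
    """Strip the XML namespace so '{urn:...}https-listener' compares as 'https-listener'."""
    return tag.rsplit("}", 1)[-1]


def https_listeners(xml_text, system_properties=None):
    """Every https-listener with its resolved port and verify-client setting, in document order."""
    root = ET.fromstring(xml_text)
    ports = {}
    for el in root.iter():
        if _local(el.tag) == "socket-binding":
            ports[el.get("name")] = resolve_expression(el.get("port"), system_properties)
    listeners = []
    for el in root.iter():
        if _local(el.tag) == "https-listener":
            listeners.append({
                "name": el.get("name"),
                "port": ports.get(el.get("socket-binding")),
                # Assumed Undertow default when the attribute is absent: no certificate prompt at all.
                "verify_client": el.get("verify-client", "NOT_REQUESTED"),
            })
    return listeners


def client_cert_ports(xml_text, system_properties=None):
    """Ports on which the browser will be asked for a client certificate."""
    return sorted(l["port"] for l in https_listeners(xml_text, system_properties)
                  if l["verify_client"] in ("REQUESTED", "REQUIRED") and l["port"])


def diagnose(xml_text, system_properties=None):
    """Human-readable findings; the 'never prompted' case is the one from the question above."""
    lines = [f"{l['name']}: port {l['port']} verify-client={l['verify_client']}"
             for l in https_listeners(xml_text, system_properties)]
    if not client_cert_ports(xml_text, system_properties):
        lines.append("no https-listener has verify-client REQUESTED/REQUIRED: "
                     "the browser will never be prompted for a certificate")
    return lines


if __name__ == "__main__":
    for line in diagnose(SAMPLE_XML):
        print(line)
```

Run it against a real `standalone.xml` or `standalone-ha.xml` by reading the file into `diagnose`; if the only port listed as asking for a certificate is the extra one (8444 in the snippet above), the CNS login URL has to point at that port, since a request arriving on the ordinary HTTPS port will complete the handshake without any certificate prompt.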