For HTTP, this is the config in standalone.xml:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
It's the default config.
I would like to know how many connections this server can handle, both incoming and outgoing.
Like 3000 users (clients), and this server is communicating with other web services, so overall how many HTTP/HTTPS connections can this handle at a time? Also, is there a way to find out the current number of connections?
Related
I have a JBoss application with multiple endpoints. All these endpoints should be available to any user over one-way SSL (HTTPS), except for a specific endpoint (let's call it /app/sensitive) which should only be accessed by a specific machine (i.e. 2-way SSL).
Is there a way to configure JBoss for 1/2-way SSL at the same time, differentiated by what endpoint has been requested?
I'm not sure, because I did not test it, but it seems like you can have one-way SSL on one port and two-way SSL on another port.
From standalone.xml (or domain.xml):
<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
    ...
    <connector name="one-way-https" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" socket-binding="one-way-https" enable-lookups="false" secure="true">
    </connector>
    <connector name="two-way-https" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" socket-binding="two-way-https" enable-lookups="false" secure="true">
        <ssl name="two-way-ssl" key-alias="my-identity" password="${VAULT::Jboss_config::store_password::1}" certificate-key-file="../standalone/configuration/cert/JBoss_Identity.jks"/>
    </connector>
    ...
</subsystem>
<socket-binding-group name="standard-sockets" ...>
    ...
    <socket-binding name="one-way-https" port="8443"/>
    <socket-binding name="two-way-https" port="8453"/>
    ...
</socket-binding-group>
If you test it, please let me know whether it is a solution or not, because in the near future I have to do the same; I just do not have time right now to check it. Thanks.
BTW, in the <ssl> element you can define a trust store and key store other than the default to use on that port.
I hope it will work.
My application has an Apache-JBoss connection using the AJP connector.
This is a code snippet from the JBoss standalone-full.xml:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
But I am facing one issue with it. I can see that many AJP threads are in the RUNNABLE state in thread dumps, which is consuming memory, and they are increasing in number.
"ajp-0.0.0.0-0.0.0.0-38000-179" daemon prio=3 tid=0x02a6ac00 nid=0x44e runnable [0x903ff000]
java.lang.Thread.State: RUNNABLE
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:152)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at org.apache.coyote.ajp.AjpProcessor.read(AjpProcessor.java:1131)
at org.apache.coyote.ajp.AjpProcessor.readMessage(AjpProcessor.java:1213)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:451)
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
at java.lang.Thread.run(Thread.java:744)
Can you please suggest what is the reason behind it?
Additional information:
Apache - apache-2.2.29
JBoss - jboss-as-7.1.1.Final
If I look for another connector, what other protocols can I use?
I am converting from WebSphere 8.x to JBoss 7.1 but I am having trouble getting SSL certificates into JBoss 7.1. We utilize external vendor web services via SSL.
In WebSphere I would do this:
Add Vendor to the local WAS trust store:
Use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem.
Complete the following steps:
Log into the administrative console.
Expand Security and click SSL certificate and key management.
Under Configuration settings, click Manage endpoint security configurations.
Select the appropriate outbound configuration to get to the (cell):E4GT82WNode03Cell:(node):E4GT82WNode03 management scope.
Under Related Items, click Key stores and certificates and click the NodeDefaultTrustStore key store.
Under Additional Properties, click Signer certificates and Retrieve From Port.
In the Host field, enter services.vendor.com in the host name field, enter 443 in the Port field, and services.vendor.com_cert in the Alias field.
Click Retrieve Signer Information.
Verify that the certificate information is for a certificate that you can trust.
Click Apply and Save.
But in JBoss it doesn't look like there is this kind of capability. I have been playing with openssl, keytool for creating, adding certs to a keystore and tried making changes to the standalone.xml file. I've tried so many different things that have been suggested on different search results I've tried and spent countless hours trying to figure this out.
I'm getting this error:
13:08:50,801 ERROR [org.jboss.as.controller.management-operation]
Operation ("add") failed - address: ([
("subsystem" => "web"),
("connector" => "https"),
("ssl" => "configuration") ]) - failure description: "JBAS014803: Duplicate resource [
(\"subsystem\" => \"web\"),
(\"connector\" => \"https\"),
(\"ssl\" => \"configuration\") ]"
Throws error:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
        <ssl key-alias="vendor1.com_cert" password="secret" certificate-key-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
        <ssl key-alias="vendor2.com_cert" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
Doesn't throw error:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="jbosscerts" password="secret" certificate-key-file="D:\opt\jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" certificate-file="C:/jboss-as-7.1.1.Final\keystore\jbosscertstore.keystore" cipher-suite="ALL" protocol="TLSv1"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
My question is this:
How can I configure multiple SSL certs in JBoss like WebSphere does?
You will need to add system-properties for this. So basically add the following piece of code to your standalone.xml just after <extensions>....</extensions> tag:
<system-properties>
    <property name="javax.net.ssl.trustStore" value="<location of cert>"/>
</system-properties>
<location of cert> is the location of the Java keystore file containing the collection of CA certificates trusted by this application process (trust store). Note that on Windows, the specified pathname must use forward slashes, /, in place of \.
I am trying to add SSL support for my JBoss 7 installation. I followed the directions for the pure Java solution in the JBoss AS 7.1 SSL Setup Guide.
Here is my standalone.xml subsystem configuration:
<subsystem xmlns="urn:jboss:domain:web:1.1" native="false" default-virtual-server="default-host">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443" />
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
    <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
        <ssl name="ps-ssl" password="mypw" protocol="TLSv1" key-alias="ps" certificate-key-file="../standalone/configuration/ps.keystore" />
    </connector>
</subsystem>
When I start up the application, I get the Firefox "problem loading page" message. I have configured web.xml to require HTTPS for the entire app. The application works fine when I remove the constraint, so I guess I missed something in setting up SSL. Does anybody see anything that I missed?
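An added example, not part of any post above: a Python check that reads a web subsystem like the ones posted on this page and reports the TLS settings a reviewer would question, including whether a connector actually requests a client certificate through the `verify-client` attribute of `<ssl>`. The sample XML is constructed from the posted snippets with hypothetical keystore paths, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from settings seen in the posts above (not a real server config).
SAMPLE = """<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl key-alias="jbosscerts" password="secret" certificate-key-file="/opt/jboss/keystore/a.keystore" cipher-suite="ALL" protocol="TLSv1"/>
    <ssl key-alias="vendor1.com_cert" password="secret" certificate-key-file="/opt/jboss/keystore/a.keystore" cipher-suite="ALL" protocol="TLSv1"/>
  </connector>
  <connector name="two-way-https" protocol="HTTP/1.1" scheme="https" socket-binding="two-way-https" secure="true">
    <ssl name="two-way-ssl" key-alias="my-identity" password="${VAULT::Jboss_config::store_password::1}" certificate-key-file="cert/JBoss_Identity.jks"/>
  </connector>
</subsystem>"""

def local(tag):
    """Strip the XML namespace so web:1.1 and web:2.2 configs are handled alike."""
    return tag.rsplit("}", 1)[-1]

def audit_web_subsystem(xml_text):
    """Return sorted (connector, finding) pairs for the https connectors."""
    findings = set()
    root = ET.fromstring(xml_text)
    for conn in (e for e in root.iter() if local(e.tag) == "connector"):
        name = conn.get("name", "?")
        if conn.get("scheme") != "https":
            continue
        ssl = [c for c in conn if local(c.tag) == "ssl"]
        if not ssl:
            findings.add((name, "https connector has no <ssl> element"))
        if len(ssl) > 1:  # the situation that produced JBAS014803 above
            findings.add((name, "multiple <ssl> elements (JBAS014803 duplicate resource)"))
        for s in ssl:
            if s.get("protocol") in ("SSLv3", "TLSv1", "TLSv1.1"):
                findings.add((name, "deprecated protocol " + s.get("protocol")))
            if s.get("cipher-suite", "").upper() == "ALL":
                findings.add((name, "cipher-suite is not an explicit allow-list"))
            pw = s.get("password")
            if pw and not pw.startswith("${"):  # e.g. ${VAULT::...} is an expression
                findings.add((name, "keystore password in clear text"))
            if s.get("verify-client") not in ("true", "want"):
                findings.add((name, "no client certificate requested (one-way TLS)"))
    return sorted(findings)

if __name__ == "__main__":
    for connector, finding in audit_web_subsystem(SAMPLE):
        print(connector + ": " + finding)
```

On the sample, the connector named two-way-https is reported as one-way TLS, because nothing in its `<ssl>` element asks the client for a certificate.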
I want to get the current user from an AJAX query. For this, obviously, I have to use the code:
String user = request.getRemoteUser();
but I get a null value for the authenticated portal user.
I googled it a lot and found this article: https://community.jboss.org/wiki/GWTGadgetAccessingPortalServices/version/2
where the author describes how to resolve this issue. But the article contains information about enabling SSO for JBoss 6.x; here it is:
Uncomment the single sign on authenticator valve: for JBoss located in server/default/deploy/jbossweb.sar/server.xml
The official GateIn documentation also describes SSO for JBoss 6.x and older.
How can I do the same in JBoss AS 7?
I've enabled SSO by adding <sso reauthenticate="false"/> to the subsystem configuration:
<subsystem xmlns="urn:jboss:domain:web:1.1" native="false" default-virtual-server="default-host">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
        <alias name="example.com"/>
        <sso reauthenticate="false"/>
    </virtual-server>
</subsystem>
Getting the current user is working for me now.