Enabling SSL with JBoss 5 and Spring Security Framework

To enable SSL on JBoss 5, the following steps are required:

1. Generate the keystore with the following command:

keytool -genkey -alias tomcat -keyalg RSA -keystore NAME_OF_KEYSTORE -validity NUMBER_OF_DAYS

The command prompts for a few more details; enter all of them.
At the end it asks for the key password, which should be the same as the keystore password.
Press Enter to skip this prompt and the key will take the same password.

This creates a self-signed certificate, but the procedure is more or less the same if you are going to use a certificate from a Certification Authority.

2. Copy the file into the jboss/server/<Server-Name>/conf/ directory
3. Edit jboss/server/<Server-Name>/deploy/jbossweb.sar/server.xml
[Assuming that HTTP will run on port 80 and HTTPS on port 443]

a. Locate the HTTP/1.1 Connector block

b. Replace the Connector block with the following

<Connector protocol="HTTP/1.1" port="80" address="${jboss.bind.address}" connectionTimeout="20000" redirectPort="443" />

c. Locate the SSL/TLS Connector configuration block and uncomment it.

d. Replace the Connector element with the following

<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/NAME_OF_KEYSTORE"
keystorePass="KEYSTORE_PASSWORD" sslProtocol="TLS" />

4. Open jboss/server/<Server-Name>/conf/bootstrap/bindings.xml

  • Replace every port that has the value 8443 with 443
  • Replace every port that has the value 8080 with 80

5. Please contact IT support to configure the firewall.
6. Edit the application’s acegi-security XML as follows:

a. Add channelProcessingFilter to the filterChainProxy bean

<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <!-- Keep each pattern=filter-list entry on a single line -->
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /j_acegi_security_check*=httpSessionContextIntegrationFilter,authenticationProcessingFilter,channelProcessingFilter
      /**=httpSessionContextIntegrationFilter,rememberMeProcessingFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,channelProcessingFilter
    </value>
  </property>
</bean>

b. Configure the section that will be SSL enabled as SECURE CHANNEL

<bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
  <property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property>
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /secure/**=REQUIRES_SECURE_CHANNEL
      /**=REQUIRES_INSECURE_CHANNEL
    </value>
  </property>
</bean>

<bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor" />
<bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor" />

7. Edit web.xml as follows:

a. Add context-param for acegi-security

<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext*.xml</param-value>
</context-param>

b. Add the security filter for acegi-security

<filter>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>
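
A quick check for the connector changes made in steps 3 and 4, added here as an example and not part of the original post: it parses server.xml text and reports a redirectPort that points at no TLS connector, a keystoreFile that names no file, and an empty keystorePass. The function name, both sample documents and the KEYSTORE_PASSWORD placeholder are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET


def audit_connectors(server_xml):
    """Return findings for the <Connector> elements of a server.xml document."""
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    tls_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "false").lower() == "true"}
    findings = []
    for c in connectors:
        port = c.get("port")
        if port not in tls_ports:
            # Plain connector: its redirectPort must be a port that serves TLS.
            redirect = c.get("redirectPort")
            if redirect not in tls_ports:
                findings.append(f"port {port}: redirectPort {redirect} is not a TLS connector")
            continue
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"port {port}: TLS connector needs scheme=https and secure=true")
        keystore = c.get("keystoreFile", "")
        if not keystore or keystore.endswith("/"):
            findings.append(f"port {port}: keystoreFile does not name a keystore file")
        if not c.get("keystorePass"):
            findings.append(f"port {port}: keystorePass is empty")
    return findings


# Constructed sample: ports were changed but redirectPort still says 8443,
# and the keystore file name and password were never filled in.
STALE = """<Server><Service name="jboss.web">
<Connector protocol="HTTP/1.1" port="80" address="${jboss.bind.address}"
           connectionTimeout="20000" redirectPort="8443" />
<Connector protocol="HTTP/1.1" SSLEnabled="true" port="443"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/" keystorePass="" sslProtocol="TLS" />
</Service></Server>"""

# Constructed sample: the same connectors with the placeholders filled in.
FIXED = (STALE.replace('redirectPort="8443"', 'redirectPort="443"')
              .replace('/conf/"', '/conf/NAME_OF_KEYSTORE"')
              .replace('keystorePass=""', 'keystorePass="KEYSTORE_PASSWORD"'))

if __name__ == "__main__":
    for name, doc in (("STALE", STALE), ("FIXED", FIXED)):
        print(name, audit_connectors(doc) or "ok")
```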

