Secure Authentication

Requirements

The login page must be served only over a secure (SSL) HTTP connection, i.e. https://. This is a high-priority requirement and must be satisfied before September 30th, 2008.

The login form must conform to the DSA directives (https://www.dsa.unibo.it/uniboldap2/Docs IntegrazioneWsDsa.pdf (sic!) or https://www.dsa.unibo.it/documentazione/IntegrazioneWsDsa/IntegrazioneWsDsaV1.pdf) attached to this page.

Resources

http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/

Implementation

Securing Tomcat with SSL

a) Generating the keystore file (using the Java keytool)

keytool -genkey -alias techtracer -keypass ... -keystore keystorefile -storepass ...

b) Changing the configuration file /Library/Tomcat6/conf/server.xml

<!-- SSLEnabled="true" is required for Tomcat 6 to perform the TLS handshake on this connector -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" enableLookups="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/keystorefile"
           keystorePass="..." />

c) Changing the configuration file /Library/Tomcat6/webapps/xwiki/WEB-INF/web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login</web-resource-name>
    <url-pattern>/bin/login/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login</web-resource-name>
    <url-pattern>/bin/loginsubmit/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
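A small check for the web.xml step above, added here as an example and not part of the original page or of XWiki: it parses a web.xml, collects the url-patterns guarded by a CONFIDENTIAL transport guarantee, and reports which login paths would still be served over plain HTTP. The embedded web.xml is a constructed sample that carries only the first of the two constraints, and the XWiki action paths (/bin/login/XWiki/XWikiLogin, /bin/loginsubmit/XWiki/XWikiLogin) are assumed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml carrying only the first of the page's two constraints
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/bin/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _parse(xml_text):
    """Parse and drop namespaces so tag lookups also work on a namespaced web.xml."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def confidential_patterns(web_xml):
    """Return the url-patterns covered by a CONFIDENTIAL user-data-constraint."""
    root = _parse(web_xml)
    protected = set()
    for sc in root.iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee") or "NONE"
        if guarantee.strip() == "CONFIDENTIAL":
            protected.update(p.text.strip() for p in sc.iter("url-pattern"))
    return protected

def path_is_protected(path, patterns):
    """Servlet-spec matching: exact match, path prefix '/x/*', or extension '*.ext'."""
    for p in patterns:
        if p == path:
            return True
        if p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1])):
            return True
        if p.startswith("*.") and path.endswith(p[1:]):
            return True
    return False

def unprotected_paths(web_xml, paths):
    """Paths that no CONFIDENTIAL constraint covers, i.e. still reachable over http://."""
    patterns = confidential_patterns(web_xml)
    return [p for p in paths if not path_is_protected(p, patterns)]

# /bin/login/* does not match /bin/loginsubmit/..., which is why the page adds a second constraint
print(unprotected_paths(WEB_XML, ["/bin/login/XWiki/XWikiLogin", "/bin/loginsubmit/XWiki/XWikiLogin"]))
```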