Re: Client Cert
I have found one way to do what I want.
I have used the JCAPI lib (www.phoex.com) in an applet.
So now the user can choose the cert to send to the server.
It works on the Windows keystore.

On 2/17/06, David Tonhofer, m-plify S.A. [EMAIL PROTECTED] wrote:
> --On Friday, February 17, 2006 2:01 PM -0300 Luis Henrique [EMAIL PROTECTED] wrote:
>
>> I don't care about the session security. I just want to associate the
>> browser user with one in my database. For this I need to get his cert.
>
> You *can* set up HTTPS then drop to NULL encryption :-P
>
> To get the cert transparently you have to use the HTTPS protocol - there
> is no other widely recognized protocol to get at the cert.
>
> Consider: You have to make sure that the cert you get is actually one
> that the user is allowed to present to you (one that he didn't snatch off
> the neighbour's disk). This is done by checking whether the client also
> owns the private key associated with the public key in the cert, so some
> encryption traffic will have to take place.
>
> Best,
>
> -- David
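David's point about checking that the client owns the private key, shown as an added example that is not part of the original thread: a simplified challenge-response in Java standing in for the check the TLS handshake performs. The class and method names are hypothetical, the keys are generated on the fly, and a bare public key stands in for the certificate.

```java
import java.security.*;

// Added illustration: names are hypothetical, keys are constructed at run time.
public class ProofOfPossessionDemo {

    // Server: a fresh random challenge for every authentication attempt.
    static byte[] newChallenge() {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    // Client: signing the challenge requires the private key, not just the cert.
    static byte[] respond(PrivateKey key, byte[] challenge) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(challenge);
        return s.sign();
    }

    // Server: verify the response with the public key taken from the presented cert.
    static boolean accept(PublicKey certKey, byte[] challenge, byte[] response)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(certKey);
        s.update(challenge);
        return s.verify(response);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair owner = gen.generateKeyPair();   // legitimate holder of the cert
        KeyPair other = gen.generateKeyPair();   // someone who only copied the cert file
        PublicKey certKey = owner.getPublic();   // stands in for the key inside the cert

        byte[] challenge = newChallenge();
        byte[] ownerSig = respond(owner.getPrivate(), challenge);
        byte[] otherSig = respond(other.getPrivate(), challenge);
        System.out.println("owner accepted:       " + accept(certKey, challenge, ownerSig));
        System.out.println("copied cert accepted: " + accept(certKey, challenge, otherSig));
        // A recorded response is useless against a new challenge.
        System.out.println("replay accepted:      " + accept(certKey, newChallenge(), ownerSig));
    }
}
```

A certificate sent over plain HTTP skips this step entirely, so the server would have no way to tell the owner from anyone holding a copy of the file.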
Client Cert
Is there any way to request a client cert without https?

Thanks for your help
Luis
Re: Client Cert
I don't care about the session security. I just want to associate the browser user with one in my database. For this I need to get his cert.

On 2/17/06, Duan, Nick [EMAIL PROTECTED] wrote:
> What do you want to accomplish? SSL is the only (I mean one that is
> established) way to ensure a secure session.
>
> ND
>
> -----Original Message-----
> From: Luis Henrique [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 17, 2006 10:11 AM
> To: users@tomcat.apache.org
> Subject: Client Cert
>
> Is there any way to request a client cert without https?
>
> Thanks for your help
> Luis
Re: Tomcat and client certificates
Hi

I have followed all the instructions in this discussion, and I'm still getting the error:

HTTP Status 400 - No client certificate chain in this request

Does the user cert that I'm using need to be trusted by the cert of the Tomcat server?

I'm using Apache Tomcat/5.5.15, on Win XP Pro SP2.
I have generated the 2 certs as described at:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

The access to https://localhost:8443 works fine.
But the access to the restricted area https://localhost:8443/teste returns the error:

HTTP Status 400 - No client certificate chain in this request

If I use the BASIC auth, it works, but with CLIENT-CERT it does not.

Is there anything wrong with my configuration?

This is my configuration:

server.xml:

    ...
    <Realm className="org.apache.catalina.realm.MemoryRealm" />
    ...
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="c:\\certificados\\tomcat.keystore" />
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             clientAuth="want" protocol="TLS" />

tomcat-users.xml:

    <tomcat-users>
      ...
      <role rolename="cert"/>
      <user username="CN=Luis Henrrique Spoladore Amaral, OU=UFSC, O=UFSC, L=Floripa, ST=SC, C=BR"
            password="null" roles="cert"/>
    </tomcat-users>

web.xml:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
      <display-name>Bug 12218</display-name>
      <description>
        Test web app for bug 12218.
      </description>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>App</web-resource-name>
          <url-pattern>/index.htm</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>cert</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
      <security-role>
        <role-name>cert</role-name>
      </security-role>
    </web-app>

Thanks for your help
Luis