Thanks, that's an interesting approach and one I'd considered. What
wasn't clear to me was whether you could use Tomcat's roles to control
access to particular web services.
For example, suppose I wanted to expose one operation to all users:
QueryData queryDatabase(searchKey);
But I only wanted to expose another operation to other users:
void deleteData(searchKey)
Can I use Tomcat to differentiate between these operations without
deploying multiple copies of the web app? Can I assume that every
service I publish will have a distinct URL that I can use for access
control?
Thanks again...
--
Jim Wong ([EMAIL PROTECTED])
-----Original Message-----
From: Hubble, Christopher [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 14, 2004 9:44 AM
To: '[EMAIL PROTECTED]'
Subject: RE: SSL Client Auth with Tomcat and Axis
You should probably use Tomcat's roles and do user security that way.
Have client auth to ensure it's a trusted machine, and then the roles to
determine the user info.
Chris
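An added example, not code from either poster nor from Axis or Tomcat, of the arrangement Chris suggests and Jim asks about: Tomcat performs CLIENT-CERT authentication and maps the certificate's subject DN to roles through its Realm, and the per-operation decision is then made inside the service, because every operation of one Axis 1.x service is posted to the same URL (the operation is chosen by the SOAP body, not the path), so a URL constraint can only gate the service as a whole. The web.xml fragment, the role names, the service and result shapes and the in-memory store are constructed for this example; the servlet attribute `javax.servlet.request.X509Certificate` and the Axis `MessageContext` / `HTTPConstants.MC_HTTP_SERVLETREQUEST` lookups are the real APIs. Both classes are shown in one file only for brevity.

```java
// Added example (not the thread's code). Assumed web.xml for the Axis web app (constructed):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>services</web-resource-name>
//       <url-pattern>/services/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>reader</role-name><role-name>admin</role-name></auth-constraint>
//     <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
//   </security-constraint>
//   <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
//   <security-role><role-name>reader</role-name></security-role>
//   <security-role><role-name>admin</role-name></security-role>
//
// Tomcat's CLIENT-CERT authenticator asks the Realm for the user whose name is the client
// certificate's subject DN, so the realm (tomcat-users.xml, JDBC, JNDI ...) maps that DN
// string to roles.  Requests without a valid, mapped client certificate never reach the
// service; requests that do are then checked per operation below.

import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.axis.AxisFault;
import org.apache.axis.MessageContext;
import org.apache.axis.transport.http.HTTPConstants;

/** The service from the question, deployed once; both operations share /services/DataService. */
public class DataService {

    /** Result bean (constructed shape; Axis needs a no-arg constructor and getters/setters). */
    public static class QueryData {
        private String key;
        private String value;
        public QueryData() {}
        public String getKey() { return key; }
        public void setKey(String k) { key = k; }
        public String getValue() { return value; }
        public void setValue(String v) { value = v; }
    }

    /** Constructed stand-in for the real database. */
    private static final Map<String, String> STORE = new HashMap<String, String>();

    public QueryData queryDatabase(String searchKey) throws AxisFault {
        CallerAuth.requireRole("reader");   // assumed: the realm gives every permitted client this role
        QueryData qd = new QueryData();
        qd.setKey(searchKey);
        qd.setValue(STORE.get(searchKey));
        return qd;
    }

    public void deleteData(String searchKey) throws AxisFault {
        CallerAuth.requireRole("admin");    // only clients whose DN maps to 'admin' may delete
        STORE.remove(searchKey);
    }
}

/** Role and certificate helpers usable from inside any Axis service method. */
final class CallerAuth {
    private CallerAuth() {}

    /** The HttpServletRequest that Axis stores in the MessageContext of the current call. */
    static HttpServletRequest currentRequest() throws AxisFault {
        MessageContext ctx = MessageContext.getCurrentContext();
        Object req = ctx == null ? null : ctx.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (!(req instanceof HttpServletRequest)) {
            throw new AxisFault("Server.NoHttpTransport", "call did not arrive over HTTP", null, null);
        }
        return (HttpServletRequest) req;
    }

    /** Subject DN of the client certificate Tomcat verified in the TLS handshake, or null. */
    static String callerSubject() throws AxisFault {
        X509Certificate[] chain = (X509Certificate[])
                currentRequest().getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null;
        }
        return chain[0].getSubjectX500Principal().getName();
    }

    /** Rejects the call with a SOAP fault unless Tomcat placed the authenticated caller in the role. */
    static void requireRole(String role) throws AxisFault {
        HttpServletRequest req = currentRequest();
        if (req.getUserPrincipal() == null || !req.isUserInRole(role)) {
            throw new AxisFault("Client.Forbidden",
                    "caller " + callerSubject() + " is not in role " + role, null, null);
        }
    }
}
```

The explicit `getUserPrincipal()` check is redundant while the security constraint covers `/services/*`, but it keeps the deny-by-default behaviour if someone later loosens the constraint, and `callerSubject()` gives an audit-friendly identity to log alongside each refused `deleteData`.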
-----Original Message-----
From: Jim Wong [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 14, 2004 12:45 PM
To: [EMAIL PROTECTED]
Subject: RE: SSL Client Auth with Tomcat and Axis
Thanks for the response. We're primarily interested in extracting the
subject name from the certificate, so that we can use it to authorize
some users to use specific resources and other users to use other
resources.
Is this doable, or is there a better way?
--
Jim Wong ([EMAIL PROTECTED])
-----Original Message-----
From: Hubble, Christopher [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 14, 2004 6:17 AM
To: '[EMAIL PROTECTED]'
Subject: RE: SSL Client Auth with Tomcat and Axis
What kind of information do you want to get from the cert?
Chris
-----Original Message-----
From: Jim Wong [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 13, 2004 7:52 PM
To: [EMAIL PROTECTED]
Subject: SSL Client Auth with Tomcat and Axis
On a somewhat related note, I'm just getting started on trying to build
an application using Axis, Tomcat and SSL. I would like to use client
authentication, but I haven't been able to find documentation that
explains how (assuming it's possible) one could access information from
the client's certificate from within a web service or handler.
Am I missing something blindingly obvious? As I mentioned, I'm new to
this, so it's distinctly possible...
--
Jim Wong ([EMAIL PROTECTED])
-----Original Message-----
From: Hubble, Christopher [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 5:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: 2 way SSL with Axis and Tomcat as a Service
I pretty much used this guide (and the new chapter it links to) to do
it.
http://www.pankaj-k.net/WSOverSSL/WSOverSSL-HOWTO.html
Pretty much everything you need to know is in the SSL section of the new
chapter. It starts on page 16 of the pdf. You gen your keystores and
truststores, making sure to place them on the appropriate machines.
Then change server.xml. I didn't use JCEKS and all of my stuff works.
The hard part was installing Tomcat as a service with the truststore
attribute set.
For some reason, Tomcat doesn't let you set it in server.xml. Then you
just modify your client to use https and include the keystore and
truststore.
Other than a typo, the CL version worked perfectly. I had to just play
around with tomcat.exe to get it installed as a service, tho.
Chris
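An added example, not the thread's code, of the client side of the setup Chris describes: an Axis 1.x call over https that presents a client keystore and checks the server against a truststore. The file paths, passwords and endpoint URL are constructed placeholders. Axis 1.x's HTTP sender opens TLS connections through the JVM's default SSL socket factory, which reads the `javax.net.ssl.*` system properties; this is the same mechanism behind Chris's remark about the Windows service, since Tomcat at that time also took its truststore from the JVM's `javax.net.ssl.trustStore` property, so for a service it had to go into the JVM options rather than server.xml.

```java
// Added example (not the thread's code); paths and endpoint are placeholders.
import java.net.URL;
import javax.xml.namespace.QName;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;

/** Axis 1.x client for a two-way SSL Tomcat endpoint. */
public class SecureAxisClient {

    /** Point the JVM's default SSL socket factory at the client identity and trust anchors. */
    static void configureTls(String keyStorePath, String keyStorePw,
                             String trustStorePath, String trustStorePw) {
        // Client keystore: this client's certificate and private key, presented when the
        // Tomcat connector has clientAuth="true".  Only this client's key goes here.
        System.setProperty("javax.net.ssl.keyStore", keyStorePath);
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePw);
        // Truststore: the CA (or self-signed server cert) that signed Tomcat's certificate.
        // Pinning the trust anchor here means an unexpected server cert fails the handshake.
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePw);
    }

    public static void main(String[] args) throws Exception {
        // Passwords are taken from the command line only to keep the example short.
        configureTls("/etc/axisclient/client.jks", args[0],          // placeholder path
                     "/etc/axisclient/truststore.jks", args[1]);     // placeholder path

        Service service = new Service();
        Call call = (Call) service.createCall();
        // The https scheme selects Axis's SSL transport; the host name must match the server cert.
        call.setTargetEndpointAddress(
                new URL("https://ws.example.test:8443/axis/services/DataService"));  // placeholder
        call.setOperationName(new QName("urn:DataService", "queryDatabase"));        // placeholder ns

        Object result = call.invoke(new Object[] { "search-key" });
        System.out.println("queryDatabase returned: " + result);
    }
}
```

If the server's truststore does not contain the CA that issued the client certificate, or the client's truststore lacks the server's issuer, the failure shows up as a handshake exception on the client before any SOAP is sent, which is the symptom to look for when the keystores are on the wrong machines.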
-----Original Message-----
From: Silvano Maffeis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 2:30 AM
To: [EMAIL PROTECTED]
Subject: Re: 2 way SSL with Axis and Tomcat as a Service
Hubble, Christopher wrote:
>Welp, after much trial and tribulation, I finally got axis using 2 way ssl.
>This required me to custom set up tomcat as a service, and I finally
>got that working. Once I get my code all cleaned up, I'll post the
>relevant details.
>
>Chris
>
>
That would be much appreciated, thanks :-)
Silvano
This e-mail and any attachments may contain confidential and privileged
information. If you are not the intended recipient, please notify the
sender immediately by return e-mail, do not forward this email to any
other person, delete this e-mail and destroy all copies. Any
dissemination or use of this information by a person other than the
intended recipient is unauthorized and may be illegal.