Re: Certificate Authentication for individual apps
Dear All

My developer gives me a .war file which I place as jboss/server/default/deploy/test.war. Thus I have around 5 .war files placed in the server. All the apps are presently accessed using https://myorg.com:8080/test1/, https://myorg.com:8080/test2/ ... and so on.

Next I want to implement client auth for certain apps. How do I go about it?

Regards
Thanks
Mahesh S Kudva

-----Original Message-----
From: Bill Barker [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Date: Fri, 1 Jul 2005 21:56:37 -0700
Subject: Re: Certificate Authentication for individual apps

Mahesh S Kudva [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi All
>
> Thanks for the note. Maybe I was not clear in my earlier mail. I have client authentication using certificates. I want to skip client auth for certain hosted applications on the server but preserve client auth for other apps.

On the Connector leave the 'clientAuth' attribute as 'false' (or use 'want', if you really want to be annoying :). Then in the webapps that care set up your web.xml files with something like:

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>

In this case, any page protected by a security-constraint will force the user to send a client-cert. Unfortunately, most of the production-quality Realms that ship with Tomcat don't support CLIENT-CERT auth.

For 4.1.x <= tcversion <= 5.0.x, there is also a request attribute that you can use to do the same thing. If you need it, search the archives.

> Regards
> Thanks
> Mahesh S Kudva
>
> -----Original Message-----
> From: Paul Singleton [EMAIL PROTECTED]
> To: Tomcat Users List tomcat-user@jakarta.apache.org
> Date: Fri, 01 Jul 2005 15:32:12 +0100
> Subject: Re: Certificate Authentication for individual apps
>
> Mahesh S Kudva wrote:
> > How can I have different certificate authentication for different applications and skip certificate authentication for some applications hosted on the same server.
>
> I believe that, at least under SSL, certificates authenticate *servers* not applications, and that the Connector offers a certificate before it checks, or regardless of, the context path within that server.
>
> So you need to deploy each app at a different (virtual) host, each with a different IP address. We do this currently with 5.5.9.
>
> You can use the default keystore for all hosts, and use the (undocumented) keyAlias="myalias" Connector attribute to offer the appropriate certificate for each host, e.g.
>
>     <Connector address="288.104.197.211" port="8443" scheme="https" secure="true" sslProtocol="TLS" keyAlias="mrk2" />
>
> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
>
> Paul Singleton
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.323 / Virus Database: 267.8.8/35 - Release Date: 30/Jun/2005

---
Robosoft Technologies - Partners in Product Development

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Certificate Authentication for individual apps
Hi All

How can I have different certificate authentication for different applications and skip certificate authentication for some applications hosted on the same server.

Regards
Thanks
Mahesh S Kudva

---
Robosoft Technologies - Partners in Product Development
Re: Certificate Authentication for individual apps
Mahesh S Kudva wrote:
> How can I have different certificate authentication for different applications and skip certificate authentication for some applications hosted on the same server.

I believe that, at least under SSL, certificates authenticate *servers* not applications, and that the Connector offers a certificate before it checks, or regardless of, the context path within that server.

So you need to deploy each app at a different (virtual) host, each with a different IP address. We do this currently with 5.5.9.

You can use the default keystore for all hosts, and use the (undocumented) keyAlias="myalias" Connector attribute to offer the appropriate certificate for each host, e.g.

    <Connector address="288.104.197.211" port="8443" scheme="https" secure="true" sslProtocol="TLS" keyAlias="mrk2" />

(in 5.5.9 you also need sslProtocol="TLS" explicitly)

Paul Singleton
Re: Certificate Authentication for individual apps
Hi All

Thanks for the note. Maybe I was not clear in my earlier mail. I have client authentication using certificates. I want to skip client auth for certain hosted applications on the server but preserve client auth for other apps.

Regards
Thanks
Mahesh S Kudva

-----Original Message-----
From: Paul Singleton [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Date: Fri, 01 Jul 2005 15:32:12 +0100
Subject: Re: Certificate Authentication for individual apps

Mahesh S Kudva wrote:
> How can I have different certificate authentication for different applications and skip certificate authentication for some applications hosted on the same server.

I believe that, at least under SSL, certificates authenticate *servers* not applications, and that the Connector offers a certificate before it checks, or regardless of, the context path within that server.

So you need to deploy each app at a different (virtual) host, each with a different IP address. We do this currently with 5.5.9.

You can use the default keystore for all hosts, and use the (undocumented) keyAlias="myalias" Connector attribute to offer the appropriate certificate for each host, e.g.

    <Connector address="288.104.197.211" port="8443" scheme="https" secure="true" sslProtocol="TLS" keyAlias="mrk2" />

(in 5.5.9 you also need sslProtocol="TLS" explicitly)

Paul Singleton

---
Robosoft Technologies - Partners in Product Development
Re: Certificate Authentication for individual apps
Mahesh S Kudva [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi All
>
> Thanks for the note. Maybe I was not clear in my earlier mail. I have client authentication using certificates. I want to skip client auth for certain hosted applications on the server but preserve client auth for other apps.

On the Connector leave the 'clientAuth' attribute as 'false' (or use 'want', if you really want to be annoying :). Then in the webapps that care set up your web.xml files with something like:

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>

In this case, any page protected by a security-constraint will force the user to send a client-cert. Unfortunately, most of the production-quality Realms that ship with Tomcat don't support CLIENT-CERT auth.

For 4.1.x <= tcversion <= 5.0.x, there is also a request attribute that you can use to do the same thing. If you need it, search the archives.

> Regards
> Thanks
> Mahesh S Kudva
>
> -----Original Message-----
> From: Paul Singleton [EMAIL PROTECTED]
> To: Tomcat Users List tomcat-user@jakarta.apache.org
> Date: Fri, 01 Jul 2005 15:32:12 +0100
> Subject: Re: Certificate Authentication for individual apps
>
> Mahesh S Kudva wrote:
> > How can I have different certificate authentication for different applications and skip certificate authentication for some applications hosted on the same server.
>
> I believe that, at least under SSL, certificates authenticate *servers* not applications, and that the Connector offers a certificate before it checks, or regardless of, the context path within that server.
>
> So you need to deploy each app at a different (virtual) host, each with a different IP address. We do this currently with 5.5.9.
>
> You can use the default keystore for all hosts, and use the (undocumented) keyAlias="myalias" Connector attribute to offer the appropriate certificate for each host, e.g.
>
>     <Connector address="288.104.197.211" port="8443" scheme="https" secure="true" sslProtocol="TLS" keyAlias="mrk2" />
>
> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
>
> Paul Singleton
>
> ---
> Robosoft Technologies - Partners in Product Development
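
Added example (not part of the original thread, and not Tomcat's own sample configuration): a complete web.xml for one webapp that should require a client certificate, following the approach in Bill Barker's reply above. The role name "certuser" and the "/*" URL pattern are assumptions; webapps that should skip client auth simply leave these elements out of their own web.xml.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- WEB-INF/web.xml of a webapp that must see a client certificate.
     The shared Connector in server.xml keeps clientAuth="false", so the
     TLS handshake itself does not demand a certificate from every app. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Every URL matched here is "protected by a security-constraint",
       which is what triggers the client-cert request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern> <!-- assumed: protect everything -->
    </web-resource-collection>
    <auth-constraint>
      <!-- assumed role name; the configured Realm must be able to map
           the certificate's subject to a user holding this role -->
      <role-name>certuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- refuse plain HTTP so the certificate exchange can happen -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>certuser</role-name>
  </security-role>
</web-app>
```

A request to this app without a certificate the server trusts, or with one the Realm cannot map to the role, is rejected, while the other apps on the same Connector stay reachable without a certificate.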