Re: Client authentication for specific path
On 03/10/14 21:18, Cédric Couralet wrote:
> 2014-10-03 17:42 GMT+02:00 Nathan Quirynen <nat...@pensionarchitects.be>:
>> On 02/10/14 19:00, Christopher Schultz wrote:
>>> Do you intend to use role-based permissions and all that other stuff,
>>> or do you just want to make sure that the client has a valid
>>> certificate?
>>>
>>> If you just want to make sure that the certificate is valid, then you
>>> want to use clientAuth="want" and remove the configuration you have
>>> from web.xml. Next, you will need to write a Filter that grabs the
>>> X509 certificate from the request and does manual checking.
>>
>> Yes that's what I want. But when I set clientAuth to want it asks for
>> the client certificate on every path, which I don't want... I only
>> want client authentication on the specified path.
>>
>> I'm wondering if I can solve what I need with Tomcat alone. Maybe I
>> should put Apache in front?
>
> One way you could do it would be to:
> - set clientAuth="false" in your connector
> - add the security-constraint as you did except for the security-role:
Re: Client authentication for specific path
On 02/10/14 19:00, Christopher Schultz wrote:
> Nathan,
>
> On 10/1/14 12:16 PM, Nathan Quirynen wrote:
>> If I change it to want I still get the same error:
>> HTTP Status 401 - Cannot authenticate with the provided credentials
>
> Generally speaking, Tomcat will authenticate the client certificate just
> using the configuration at the Connector level. Using CLIENT-CERT in the
> application is used for application credentials -- such as establishing
> roles to be used with role-based permissions.
>
> Do you intend to use role-based permissions and all that other stuff, or
> do you just want to make sure that the client has a valid certificate?
>
> If you just want to make sure that the certificate is valid, then you
> want to use clientAuth="want" and remove the configuration you have from
> web.xml. Next, you will need to write a Filter that grabs the X509
> certificate from the request and does manual checking.
>
> -chris

Yes that's what I want. But when I set clientAuth to want it asks for the
client certificate on every path, which I don't want... I only want client
authentication on the specified path.

I'm wondering if I can solve what I need with Tomcat alone. Maybe I should
put Apache in front?

Nathan
Re: Client authentication for specific path
2014-10-03 17:42 GMT+02:00 Nathan Quirynen <nat...@pensionarchitects.be>:
> On 02/10/14 19:00, Christopher Schultz wrote:
>> If you just want to make sure that the certificate is valid, then you
>> want to use clientAuth="want" and remove the configuration you have
>> from web.xml. Next, you will need to write a Filter that grabs the X509
>> certificate from the request and does manual checking.
>
> Yes that's what I want. But when I set clientAuth to want it asks for the
> client certificate on every path, which I don't want... I only want
> client authentication on the specified path.
>
> I'm wondering if I can solve what I need with Tomcat alone. Maybe I
> should put Apache in front?

One way you could do it would be to:
- set clientAuth="false" in your connector
- add the security-constraint as you did except for the security-role:
  <security-role>
Re: Client authentication for specific path
On 01/10/14 18:50, Cédric Couralet wrote:
> 2014-10-01 18:16 GMT+02:00 Nathan Quirynen <nat...@pensionarchitects.be>:
>> If I change it to want I still get the same error:
>> HTTP Status 401 - Cannot authenticate with the provided credentials
>
> This is because when you use the CLIENT-CERT auth-method, Tomcat adds the
> SSLAuthenticator to the context (your app), which validates the cert
> against the realm. By default, that realm is the UserDatabaseRealm, which
> stores credentials in tomcat-users.xml.
>
> So, several choices for you: add all the certificates DN in that file
> with the right roles, or change the realm for something more suited to
> your need.
>
> Cédric

With "add all the certificates DN in that file with the right roles" you
mean all the client certificates? Because that's not an option (there are
millions of client certificates).

I'm still not sure how I'm supposed to configure a realm to my needs. When I
search for tutorials all I get is people using tomcat-users.xml and adding
1 client certificate...

Nathan
Re: Client authentication for specific path
Nathan,

On 10/1/14 12:16 PM, Nathan Quirynen wrote:
> On 01/10/14 18:08, Christopher Schultz wrote:
>> What happens if you change clientAuth="false" to clientAuth="want"?
>
> Hey Chris,
>
> If I change it to want I still get the same error:
> HTTP Status 401 - Cannot authenticate with the provided credentials

So just to be sure, the only difference between the application you have
that is working and the one that is not working is that you have a
different url-pattern in your web.xml?

Generally speaking, Tomcat will authenticate the client certificate just
using the configuration at the Connector level. Using CLIENT-CERT in the
application is used for application credentials -- such as establishing
roles to be used with role-based permissions.

Do you intend to use role-based permissions and all that other stuff, or
do you just want to make sure that the client has a valid certificate?

If you just want to make sure that the certificate is valid, then you want
to use clientAuth="want" and remove the configuration you have from
web.xml. Next, you will need to write a Filter that grabs the X509
certificate from the request and does manual checking.

You might be able to get some help from a series of posts I wrote a few
years ago about manually-handling X509 certificates:
http://markmail.org/message/kzxsamuiu6bldjmv

Hope that helps,
-chris
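The Filter Chris describes, written out here as an added example; it is not code from the thread and not part of Tomcat. It reads the certificate chain Tomcat stores on the request after the handshake and rejects requests to the mapped path that carry no certificate, an expired one, or one from an issuer outside an optional allow-list. The class and package names, the `trustedIssuers` init-param, the `clientCertSubject` request attribute and the `javax.servlet` package (Tomcat 7 through 9; Tomcat 10 and later use `jakarta.servlet`) are assumptions.

```java
package example.security; // assumed package name, not from the thread

import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Requires a client certificate on the paths this filter is mapped to.
 *
 * Assumes the connector has clientAuth="want": JSSE then rejects, during
 * the handshake, any certificate that does not chain to the truststore, so
 * a chain that reaches this filter is trusted. What "want" does not do is
 * require a certificate; that is what this filter enforces.
 */
public class RequireClientCertFilter implements Filter {

    /** Request attribute name defined by the Servlet spec for the chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Optional allow-list of issuer DNs (assumed init-param "trustedIssuers",
     *  ';' separated, in the RFC 2253 form X500Principal.getName() returns). */
    private Set<String> trustedIssuers = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        String issuers = config.getInitParameter("trustedIssuers");
        if (issuers != null && !issuers.trim().isEmpty()) {
            trustedIssuers = new HashSet<String>();
            for (String dn : issuers.split(";")) {
                trustedIssuers.add(dn.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String problem = check(certs, trustedIssuers);
        if (problem != null) {
            // 403, not 401: there is no HTTP challenge the client could
            // answer; the certificate had to be supplied at the TLS layer.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, problem);
            return;
        }
        // Hand the verified subject to the application so it need not
        // repeat the checks (attribute name is an assumption).
        req.setAttribute("clientCertSubject",
                certs[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    /**
     * Returns null when the chain is acceptable, otherwise the reason.
     * certs[0] is the end-entity certificate, the rest are its issuers.
     */
    static String check(X509Certificate[] certs, Set<String> allowedIssuers) {
        if (certs == null || certs.length == 0) {
            return "Client certificate required";
        }
        X509Certificate leaf = certs[0];
        try {
            leaf.checkValidity();   // throws when expired or not yet valid
        } catch (CertificateException e) {
            return "Client certificate not valid: " + e.getMessage();
        }
        if (!allowedIssuers.isEmpty()
                && !allowedIssuers.contains(leaf.getIssuerX500Principal().getName())) {
            return "Client certificate issuer not accepted";
        }
        return null;
    }

    @Override
    public void destroy() {
    }
}
```

Map it in web.xml with a `<filter>` plus a `<filter-mapping>` whose `<url-pattern>` is `/secured/*`. A filter mapping covers every HTTP method, unlike the `<http-method>GET</http-method>` in the posted security-constraint, which leaves POST and the other methods on the same URLs unconstrained. The objection Nathan raises in his reply still holds for this approach: with clientAuth="want" the connector asks for a certificate in every handshake, not only for /secured/*.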
Re: Client authentication for specific path
Nathan,

On 10/1/14 10:02 AM, Nathan Quirynen wrote:
> Hi Tomcat users,
>
> A current application has client authentication configured in the SSL
> Connector (server.xml):
>
>   <Connector port="8443" ... clientAuth="true"
>              keystoreFile=".keystore" keystorePass="..."
>              truststoreFile=".truststore" truststorePass="..." />
>
> And the CA root certificates have been added to the truststore. This way
> it asks for a client certificate in any case, which works and is fine for
> this application.
>
> For a new application the use case is a bit different. I only need client
> authentication for a specific defined path (for example: /secured/*).
> After some research I found this was possible with defining this on
> application level in the web.xml file. So I changed my configuration to:
>
> server.xml:
>
>   <Connector port="8443" ... clientAuth="false"
>              keystoreFile=".keystore" keystorePass="..."
>              truststoreFile=".truststore" truststorePass="..." />
>
> web.xml:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Secureconn</web-resource-name>
>       <url-pattern>/secured/*</url-pattern>
>       <http-method>GET</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>secureconn</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>CLIENT-CERT</auth-method>
>     <realm-name>Secureconn</realm-name>
>   </login-config>
>
>   <security-role>
>     <role-name>secureconn</role-name>
>   </security-role>
>
> In this case it actually only asks for client authentication when going
> to for example the secured/home page. But I'm getting a 401 message code.
>
> What am I missing to get people authenticated based on the CA root
> certificates that are in the configured truststore? Is it even possible
> what I am trying?

What happens if you change clientAuth="false" to clientAuth="want"?

-chris
Re: Client authentication for specific path
On 01/10/14 18:08, Christopher Schultz wrote:
> Nathan,
>
> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>> In this case it actually only asks for client authentication when going
>> to for example the secured/home page. But I'm getting a 401 message
>> code.
>>
>> What am I missing to get people authenticated based on the CA root
>> certificates that are in the configured truststore? Is it even possible
>> what I am trying?
>
> What happens if you change clientAuth="false" to clientAuth="want"?
>
> -chris

Hey Chris,

If I change it to want I still get the same error:
HTTP Status 401 - Cannot authenticate with the provided credentials
Re: Client authentication for specific path
2014-10-01 18:16 GMT+02:00 Nathan Quirynen <nat...@pensionarchitects.be>:
> On 01/10/14 18:08, Christopher Schultz wrote:
>> What happens if you change clientAuth="false" to clientAuth="want"?
>
> Hey Chris,
>
> If I change it to want I still get the same error:
> HTTP Status 401 - Cannot authenticate with the provided credentials

This is because when you use the CLIENT-CERT auth-method, Tomcat adds the
SSLAuthenticator to the context (your app), which validates the cert
against the realm. By default, that realm is the UserDatabaseRealm, which
stores credentials in tomcat-users.xml.

So, several choices for you: add all the certificates DN in that file with
the right roles, or change the realm for something more suited to your
need.

Aside, you can also define which certificate attribute will be resolved to
search for the principal, in X509UsernameRetrieverClassName
(http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html)

Cédric
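The "change the realm" option Cédric mentions, together with the X509UsernameRetrieverClassName hook he points at, as an added example; this is not code from the thread and not part of Tomcat. It is a Realm that accepts any certificate the connector's truststore already accepted and grants its principal one fixed role, so the posted CLIENT-CERT security-constraint authorizes without a subject DN per user in tomcat-users.xml. Class and package names, the `role` attribute and the context.xml fragment are assumptions; the role name `secureconn` is taken from the posted web.xml. The RealmBase methods and the three-argument GenericPrincipal constructor are those of Tomcat 7 through 9 (later versions deprecate the password argument).

```java
package example.security; // assumed package name, not from the thread

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.catalina.realm.X509UsernameRetriever;

/**
 * Realm for CLIENT-CERT authentication that keeps no user list at all.
 *
 * RealmBase.authenticate(X509Certificate[]) checks each certificate's
 * validity period, derives a user name from the leaf certificate with the
 * configured X509UsernameRetriever (default: the subject DN) and then calls
 * getPrincipal(String). The TLS handshake has already rejected chains that
 * do not lead to a CA in the connector's truststore, so every name that
 * reaches this realm belongs to a trusted certificate and is given the one
 * role the security-constraint asks for.
 *
 * Registered in the webapp's META-INF/context.xml (assumed fragment):
 *
 *   <Realm className="example.security.TrustedCertRealm" role="secureconn"
 *          X509UsernameRetrieverClassName="example.security.TrustedCertRealm$SubjectCnRetriever"/>
 */
public class TrustedCertRealm extends RealmBase {

    /** Role granted to every trusted certificate; set from the Realm element. */
    private String role = "secureconn";

    public void setRole(String role) {
        this.role = role;
    }

    // Abstract in Tomcat 7/8.0, deprecated in 8.5 and gone in 9, hence no
    // @Override: the method is harmless where RealmBase no longer declares it.
    protected String getName() {
        return "TrustedCertRealm";
    }

    @Override
    protected String getPassword(String username) {
        // No password store: BASIC, DIGEST and FORM logins against this
        // realm always fail, which is intended.
        return null;
    }

    @Override
    protected Principal getPrincipal(String username) {
        return new GenericPrincipal(username, null, Collections.singletonList(role));
    }

    /**
     * Resolves the principal name to the subject CN instead of the whole
     * DN. A CN is only unique within one issuing CA, so with several CAs in
     * the truststore keep the default subject-DN retriever or add the
     * issuer to the name.
     */
    public static class SubjectCnRetriever implements X509UsernameRetriever {
        @Override
        public String getUsername(X509Certificate cert) {
            String dn = cert.getSubjectX500Principal().getName();
            try {
                for (Rdn rdn : new LdapName(dn).getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())) {
                        return rdn.getValue().toString();
                    }
                }
            } catch (InvalidNameException e) {
                // unparsable DN: fall through and use it whole
            }
            return dn;
        }
    }
}
```

Both classes must be on Tomcat's common classpath (a jar in $CATALINA_BASE/lib), not inside the WAR, because the Realm is instantiated from context.xml before the webapp's own classloader exists. With clientAuth="false" on the connector, Tomcat only requests the certificate when a request hits the CLIENT-CERT constraint, which is the per-path behaviour Nathan observed with his web.xml; the chain obtained that way is validated against the same truststore as in any handshake, and the realm then turns it into a principal with the `secureconn` role instead of answering 401.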