r http or
https. The way currently is implemented, is for the "Smartcard" for the servlet
to detect that the "Smartcard" has been pressed and to 302 to a specially
designated https connector that has
"clientAuth="true"+"trustManagerClassName=... AnyCert
Hi Mark,
Thank you for the settings. I am not sure what is the APR/native connector
version, I am using the default APR/native connector in 6.0.29 (I do not
set/change APR on my Windows machine).
I am not sure why the client certificate authentication failed when my
client certificate was signed
Hi
I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
I changed server.xml as below.
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<!--APR library loader. Documentation at /docs/apr.html -->
Listener SSLEngine=on
On 12/11/2010 16:27, Goo Sam Kong wrote:
Hi
I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
APR/native connector version? SSL re-negotiation wasn't supported until
recently and the CVE-2009-3555 fixes further complicate things.
Connector
-Original Message-
From: acastanheira2001
Sent: Monday, April 26, 2010 8:35
Subject: Re: Client cert authentication
Thanks again Mark,
I think it will be difficult to move to Tomcat 6 soon. If I
change mod_proxy to mod_jk, does mod_jk pass the client
cert to Tomcat 5.5
On 22/04/2010 20:00, acastanheira2001 wrote:
Thanks Mark,
I use mod_proxy (ProxyPass and ProxyReverse) to connect Apache (2.2.3) to
Tomcat(5.5)/Jboss (4.2). Can mod_proxy pass client cert to Tomcat?
With 5.5.x, not without some custom code. With 6.0.x, yes.
You'd need to port this to
a
keystore and https set?
Thanks,
André
On 19/04/2010 13:05, acastanheira2001 wrote:
Hi,
I have an apache server in front of Tomcat/Jboss, the former receives the
client cert and does revocation list and trust validation.
I need to pass the client cert to Tomcat only to check the SubjectAltNames.
As far as trust
: Tue, 23 Feb 2010 15:07:03 -0800
Subject: Re: Trouble with CLIENT-CERT authentication method
From: kevmacmi...@gmail.com
To: users@tomcat.apache.org
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
So, with clientAuth=false, how do you get a client certificate to use
Kevin,
On 2/23/2010 6:07 PM, Kevin Mills wrote:
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
So, with clientAuth=false, how do you get a client certificate to use
for authentication? Or, does the presence of the CLIENT-CERT
On 24/02/2010 15:03, Christopher Schultz wrote:
So, setting <auth-method> to CLIENT-CERT triggers an SSL renegotiation.
What if the <Connector> is set to clientAuth=want or
clientAuth=true? Will the initial SSL negotiation carry the client
certificate and therefore avoid CVE-2009-355?
Yes. But
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
So, with clientAuth=false, how do you get a client certificate to use
for authentication? Or, does the presence of the CLIENT-CERT in web.xml
trigger an SSL-renegotiation where the client cert /is/ requested from
the client.
Jason,
On 2/19/2010 1:48 AM, Jason Brittain wrote:
Nope. clientAuth=false means that the webapp's web.xml specifies which
resources require the client certificate.
Gotcha: I thought that false would cause the connector to ignore all
client cert
On 2/18/10, Christopher Schultz ch...@christopherschultz.net wrote:
Stupid question: don't you want clientAuth=true?
In this particular case, no. I don't want to force client certificate
authentication for all SSL connections coming to port 8443. Instead,
I am looking to do client
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
On 2/19/2010 1:48 AM, Jason Brittain wrote:
Nope. clientAuth=false means that the webapp's web.xml specifies which
resources require the client certificate.
Gotcha: I thought that false would cause the connector to ignore
Kevin,
On 2/19/2010 2:18 PM, Kevin Mills wrote:
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote:
On 2/19/2010 1:48 AM, Jason Brittain wrote:
Nope. clientAuth=false means that the webapp's web.xml specifies which
resources
On 2/17/10, Mark Thomas ma...@apache.org wrote:
CVE-2009-3555?
Now that this is working, I'd like to ask what other options exist for
using client certificate authentication on a per-webapp basis.
Requiring my customers to enable a feature
(allowUnsafeLegacyRenegotiation) that exposes them to a
On 18/02/2010 16:30, Kevin Mills wrote:
On 2/17/10, Mark Thomas ma...@apache.org wrote:
CVE-2009-3555?
Now that this is working, I'd like to ask what other options exist for
using client certificate authentication on a per-webapp basis.
Requiring my customers to enable a feature
Kevin,
On 2/17/2010 7:24 PM, Kevin Mills wrote:
Sure thing - here is my Connector element:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="50" scheme="https" secure="true"
Christopher:
Nope. clientAuth=false means that the webapp's web.xml specifies which
resources require the client certificate. See the Connector doc page's
description of the accepted values for the clientAuth attribute:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
clientAuth is a
, etc. but can never get the CLIENT-CERT authentication to work
for my webapp. As I mentioned above, all is fine if I set
clientAuth=true but I don't want to impose client certificate
authentication across the whole site.
Searching the archives, I ran across bug 46950
(https://issues.apache.org
On 17/02/2010 23:48, Kevin Mills wrote:
Can anyone tell me what's going on here?
CVE-2009-3555?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
search for
allowUnsafeLegacyRenegotiation
Mark
On 2/17/10, Mark Thomas ma...@apache.org wrote:
On 17/02/2010 23:48, Kevin Mills wrote:
Can anyone tell me what's going on here?
CVE-2009-3555?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
search for
allowUnsafeLegacyRenegotiation
Thanks for your reply - I did see that option
On 18/02/2010 00:04, Kevin Mills wrote:
On 2/17/10, Mark Thomas ma...@apache.org wrote:
On 17/02/2010 23:48, Kevin Mills wrote:
Can anyone tell me what's going on here?
CVE-2009-3555?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
search for
allowUnsafeLegacyRenegotiation
On 2/17/10, Mark Thomas ma...@apache.org wrote:
Then you probably haven't got your config quite right. There are plenty
of things to go wrong with this but this definitely works - I was using
it just the other day.
We'll need to see:
- connector element from server.xml
- web.xml
-
On 18/02/2010 00:24, Kevin Mills wrote:
<snip/>
<servlet-mapping>
<servlet-name>MyServlet</servlet-name>
<url-pattern>/myServlet</url-pattern>
</servlet-mapping>
<snip/>
<security-constraint>
<web-resource-collection>
On 2/17/10, Mark Thomas ma...@apache.org wrote:
<snip/>
:-) Doesn't work, meaning I don't get prompted for my certificate.
I see my servlet's output without any sort of authentication.
What URL are you requesting? Only index.jsp will prompt for a cert. Your
servlet will just require SSL to
On 18/02/2010 00:42, Kevin Mills wrote:
On 2/17/10, Mark Thomas ma...@apache.org wrote:
<snip/>
:-) Doesn't work, meaning I don't get prompted for my certificate.
I see my servlet's output without any sort of authentication.
What URL are you requesting? Only index.jsp will prompt for a cert.
On 2/17/10, Mark Thomas ma...@apache.org wrote:
The rules on how security constraints combine are in the Servlet spec.
It can take a bit of time to get your head around it.
To require a cert for your servlet too, one option would be:
<security-constraint>
Hi everybody,
I am trying to configure Apache Tomcat in https mode with two types of
resources:
1. Unprotected resources anyone can visit
2. Protected resources, where the client has to authenticate with a
certificate (issued by a known Certification Authority).
The problem is that till
Hi,
is there a way to configure the APR connector in a way
that it requests a client certificate only if the client accesses
a resource that is protected by a security constraint?
This works with a Java connector if I specify the option
clientAuth=false.
The client certificate is not requested
an _outline_ of what is needed to be done to get
CLIENT-CERT authentication and authorization working in Tomcat 6. This is
high level because each implementation will have to be done to suit your own
needs.
This first part deals with the JAAS related code that you have to create
I’m doing this to provide an _outline_ of what is needed to be done to get
CLIENT-CERT authentication and authorization working in Tomcat 6. This is high
level because each implementation will have to be done to suit your own needs.
This first part deals with the JAAS related code that you
Is there any way to allow both client-cert authentication and form-based
authentication to work together in Tomcat? or J2EE web servers in
general?
I'd like to have users log in to a web app using either user cert or
username/password. If a user doesn't have a cert, the login page will
show
authentication
Is there any way to allow both client-cert authentication and form-based
authentication to work together in Tomcat? or J2EE web servers in
general?
I'd like to have users log in to a web app using either user cert or
username/password. If a user doesn't have a cert, the login page
Hi All,
I tried to configure my webapp to authenticate users by the CLIENT-CERT auth method.
My 1st test is using UserDatabaseRealm and adding the client cert DN to
tomcat-user.xml. Everything works great. However, when I tried to use
JAASRealm, it fails even though my custom LoginModule always returns true for
any
Hi,
I have been thinking about replacing the legacy username/password system
used today in my web-applications to use authentication with personal
certificates via client-cert authentication. The problem is that I need to
run multiple instances of the same web-application with different users