Re: Demand CLIENT-CERT only on certain pages but demand SSL in all pages
@Mark Thomas: I have been going through the documentation on https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html trying to come up with a set of security constraints that allow me to force SSL without asking for a client certificate except on a single login page, but there is nothing there suggesting a configuration where I can force SSL without asking for a client certificate: Once I set the CONFIDENTIAL transport guarantee and the CLIENT-CERT auth method I will be asked for a client cert when I land on a SSL page, no matter what. I think I am getting something wrong. Please, can you be more specific on the solution you suggest? 2015-10-06 16:52 GMT+02:00 Mark Thomas <ma...@apache.org>: > On 06/10/2015 15:46, George Stanchev wrote: > > Mark, > > > > What are the possible issues with renegotiation? We're on NIO > connectors, is there anything known? > > NIO should be fine. We've seen odd issues on OSX we haven't been able to > track down. > > Mark > > > > > George > > > > -Original Message- > > From: Mark Thomas [mailto:ma...@apache.org] > > Sent: Monday, October 05, 2015 8:32 AM > > To: Tomcat Users List > > Subject: Re: Demand CLIENT-CERT only on certain pages but demand SSL in > all pages > > > > On 05/10/2015 12:05, Gael Abadin wrote: > >> Hello, fellow users. > >> > >> I've been trying to configure tomcat to request client certificate > >> authentication on a single page, while serving every other SSL page > >> without requesting a client certificate (before or after > >> authentication). Depending on the configuration I use, one of 2 things > >> happen: either I get a request for a client certificate on ANY HTTPS > >> page I visit first, or I do not get a request at all, never, even when > >> I launch the browser and go straight to the protected page > (/my-app-name/public/login/login.xhtml). > >> > >> Am I doing something wrong or is this kind of configuration just not > >> possible? > > > > That should be possible but you'll need two security constraints. One to > require TLS everywhere and one for the pages where you require > authentication. > > > > You may also hit issues with which connectors support renegotiation > (don't use APR). > > > > Mark > > > >> > >> Here is my web.xml security constraint and login config (I've also > >> tried ommitin ): > >> > >> > >> > >> Protected Context > >> /public/login/* > >> > >> > >> CONFIDENTIAL > >> > >> > >> > >> CLIENT-CERT > >> > >> > >> > >> And here is my server.xml config (I've also tried clientAuth="false" > >> and > >> clientAuth="true"): > >> > >> >> shutdown="SHUTDOWN"> > >>>> className="org.apache.catalina.startup.VersionLoggerListener"/> > >> > >> > >>>> className="org.apache.catalina.core.AprLifecycleListener"/> > >> > >> > >> > >>>> className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/> > >>>> > className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/> > >>>> className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" > >> /> > >> > >> > >> >> factory="org.apache.catalina.users.MemoryUserDatabaseFactory" > >> name="UserDatabase" pathname="conf/tomcat-users.xml" > >> type="org.apache.catalina.UserDatabase"/> > >> > >> > >> > >> > >> >> redirectPort="443"/> > >> > >> >> port="443" protocol="org.apache.coyote.http11.Http11Protocol" > >> scheme="https" secure="true" sslProtocol="TLS"/> > >> > >> > >> > >> > >> > >> >> resourceName="UserDatabase"/> > >> > >>>> unpackWARs="true"> > >> >> directory="logs" pattern="%h %l %u %t %r %s %b" > >> prefix="localhost_access_log." suffix=".txt"/> > >> >> reloadable="true" source="org.eclipse.jst.jee.server:cividas-core-web&
Demand CLIENT-CERT only on certain pages but demand SSL in all pages
Hello, fellow users. I've been trying to configure tomcat to request client certificate authentication on a single page, while serving every other SSL page without requesting a client certificate (before or after authentication). Depending on the configuration I use, one of 2 things happen: either I get a request for a client certificate on ANY HTTPS page I visit first, or I do not get a request at all, never, even when I launch the browser and go straight to the protected page (/my-app-name/public/login/login.xhtml). Am I doing something wrong or is this kind of configuration just not possible? Here is my web.xml security constraint and login config (I've also tried ommitin ): Protected Context /public/login/* CONFIDENTIAL CLIENT-CERT And here is my server.xml config (I've also tried clientAuth="false" and clientAuth="true"): It is my first Tomcat SSL client cert set up so I must be missing something. Hope you may help me see it :-) Cheers, -- . Alberto Gael Abadin Martinez Junior Developer [image: IMATIA] www.imatia.com *Tel: *+34 986 342 774 ext 4531 *Email: *gael.aba...@imatia.com Edificio CITEXVI Fonte das Abelleiras, s/n - Local 27 36310 Vigo (Pontevedra) España . <http://www.linkedin.com/company/imatia-innovation> <http://www.youtube.com/imatiainnovation> . Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede contener información confidencial, siendo para uso exclusivo del destinatario. Queda prohibida su divulgación copia o distribución a terceros sin la autorización expresa del remitente. Si usted ha recibido este mensaje erróneamente, se ruega lo notifique al remitente y proceda a su borrado. Gracias por su colaboración. This message, and in the case of any file annexed to it, can have confidential information, and it is exclusively for the use of the addressee of the message. It is strictly forbidden to spread a copy or distribute to third parties, without the express order of the sender. If you have received this message mistakenly, we request you to notify to the sender, and please be sure to erase it. Thank you for your collaboration. .
SSL client cert selection dialog not showing up on cloned deployment of tomcat 7 for windows x64
A colleague was having trouble setting up client cert auth on this web app we are developing. He tried the latest tomcat 6 and 7 win32 installs using java 6 and 7 SDKs. He was able to bring up the app on HTTPS, launching it from eclipse, but even though the SSL connector had clientAuth="want" there was no client cert request when establishing the SSL connection. I had a similar problem before because of an expired self-signed server certificate so I sent him my .keystore file with the new cert that I am using and he replaced his with mine. Still a no go. Then I sent him my own tomcat and eclipse tomcat x64 deployment config and we switched his runtime to the same as mine (latest Java 8 x64). Same problem. At this point I don't know what else to try. His setup is exactly the same as mine, but I can't get the client auth to work on his. Any ideas? -- . Alberto Gael Abadin Martinez Junior Developer [image: IMATIA] www.imatia.com *Tel: *+34 986 342 774 ext 4531 *Email: *gael.aba...@imatia.com Edificio CITEXVI Fonte das Abelleiras, s/n - Local 27 36310 Vigo (Pontevedra) España . <http://www.linkedin.com/company/imatia-innovation> <http://www.youtube.com/imatiainnovation> . Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede contener información confidencial, siendo para uso exclusivo del destinatario. Queda prohibida su divulgación copia o distribución a terceros sin la autorización expresa del remitente. Si usted ha recibido este mensaje erróneamente, se ruega lo notifique al remitente y proceda a su borrado. Gracias por su colaboración. This message, and in the case of any file annexed to it, can have confidential information, and it is exclusively for the use of the addressee of the message. It is strictly forbidden to spread a copy or distribute to third parties, without the express order of the sender. If you have received this message mistakenly, we request you to notify to the sender, and please be sure to erase it. Thank you for your collaboration. .
Re: SSL client cert selection dialog not showing up on cloned deployment of tomcat 7 for windows x64
The server certificate is self signed. Appart from the typical warning we see no errors when we check it. His system (windows) clock is synchronized using microsoft's NTP server, same as mine. This is really weird because I have already delopoyed the same app and config in two other systems, appart from mine, without any issues, and his and mine are basically the same... 2016-01-11 16:51 GMT+01:00 David Balažic <david.bala...@comtrade.com>: > Wrong system clock? > > What does the client say? (about the server certificate. Is it valid? > Expired?) > > Regards, > David Balažic > Software Engineer > www.comtrade.com > > > -Original Message- > > From: Gael Abadin [mailto:gael.aba...@imatia.com] > > Sent: 11. January 2016 10:16 > > To: Tomcat Users List > > Subject: SSL client cert selection dialog not showing up on cloned > > deployment of tomcat 7 for windows x64 > > Importance: Low > > > > A colleague was having trouble setting up client cert auth on this web > app > > we are developing. He tried the latest tomcat 6 and 7 win32 installs > using > > java 6 and 7 SDKs. He was able to bring up the app on HTTPS, launching it > > from eclipse, but even though the SSL connector had clientAuth="want" > > there > > was no client cert request when establishing the SSL connection. > > > > I had a similar problem before because of an expired self-signed server > > certificate so I sent him my .keystore file with the new cert that I am > > using and he replaced his with mine. Still a no go. > > > > Then I sent him my own tomcat and eclipse tomcat x64 deployment config > > and > > we switched his runtime to the same as mine (latest Java 8 x64). Same > > problem. > > > > At this point I don't know what else to try. His setup is exactly the > same > > as mine, but I can't get the client auth to work on his. > > > > Any ideas? > > > > > > > > -- > > > > > > > > . > > > > Alberto Gael Abadin Martinez > > Junior Developer > > > > [image: IMATIA] > > > > www.imatia.com > > > > *Tel: *+34 986 342 774 ext 4531 > > > > *Email: *gael.aba...@imatia.com > > Edificio CITEXVI > > Fonte das Abelleiras, s/n - Local 27 > > 36310 Vigo (Pontevedra) > > España > > > > . > > <http://www.linkedin.com/company/imatia-innovation> > > <http://www.youtube.com/imatiainnovation> > > > > . > > > > Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede > > contener información confidencial, siendo para uso exclusivo del > > destinatario. Queda prohibida su divulgación copia o distribución a > > terceros sin la autorización expresa del remitente. Si usted ha recibido > > este mensaje erróneamente, se ruega lo notifique al remitente y proceda a > > su borrado. Gracias por su colaboración. > > This message, and in the case of any file annexed to it, can have > > confidential information, and it is exclusively for the use of the > > addressee of the message. It is strictly forbidden to spread a copy or > > distribute to third parties, without the express order of the sender. If > > you have received this message mistakenly, we request you to notify to > the > > sender, and please be sure to erase it. Thank you for your collaboration. > > > > . > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- . Alberto Gael Abadin Martinez Junior Developer [image: IMATIA] www.imatia.com *Tel: *+34 986 342 774 ext 4531 *Email: *gael.aba...@imatia.com Edificio CITEXVI Fonte das Abelleiras, s/n - Local 27 36310 Vigo (Pontevedra) España . <http://www.linkedin.com/company/imatia-innovation> <http://www.youtube.com/imatiainnovation> . Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede contener información confidencial, siendo para uso exclusivo del destinatario. Queda prohibida su divulgación copia o distribución a terceros sin la autorización expresa del remitente. Si usted ha recibido este mensaje erróneamente, se ruega lo notifique al remitente y proceda a su borrado. Gracias por su colaboración. This message, and in the case of any file annexed to it, can have confidential information, and it is exclusively for the use of the addressee of the message. It is strictly forbidden to spread a copy or distribute to third parties, without the express order of the sender. If you have received this message mistakenly, we request you to notify to the sender, and please be sure to erase it. Thank you for your collaboration. .
Re: SSL client cert selection dialog not showing up on cloned deployment of tomcat 7 for windows x64
Thanks for the reply :-) I've checked for all that! I even ended up copying my tomcat folder and my eclipse tomcat configuration folder from my computer to his, So they are literally the same configuration. I know the connector configuration is being read because if, for example, I remove the .keystore file I get an error. Or if I change the port the SSL connector starts listening on that port on deployment. Also, I made sure we are launching using the same JRE. I tried clientAuth="true" instead of "want". And accesing from my browser on my computer. Still no client certificate request. Log files don't show any errors. We even tried to reboot the system ^^'. Eclipse versions differ, but I don't see how that could result in tomcat not requesting SSL client certs... Anyway, since we couldn't find the cause I recommended him to use a fresh tomcat 7 install, download the last eclipse-JEE and java SDK, using a new workbench, and starting a new project redownloading the source files from the repo. It's a little overkill, but that should do it... 2016-01-19 1:59 GMT+01:00 Christopher Schultz <ch...@christopherschultz.net> : > Gael, > > On 1/11/16 11:46 AM, Gael Abadin wrote: > > The server certificate is self signed. Appart from the typical warning we > > see no errors when we check it. > > > > His system (windows) clock is synchronized using microsoft's NTP server, > > same as mine. > > > > This is really weird because I have already delopoyed the same app and > > config in two other systems, appart from mine, without any issues, and > his > > and mine are basically the same... > > Run "diff" on the two conf/server.xml files from the two servers? > Different conf/context.xml file? How about a > conf/[engine]/[host]/[app].xml file making a difference in one or the > other environment? > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- . Alberto Gael Abadin Martinez Junior Developer [image: IMATIA] www.imatia.com *Tel: *+34 986 342 774 ext 4531 *Email: *gael.aba...@imatia.com Edificio CITEXVI Fonte das Abelleiras, s/n - Local 27 36310 Vigo (Pontevedra) España . <http://www.linkedin.com/company/imatia-innovation> <http://www.youtube.com/imatiainnovation> . Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede contener información confidencial, siendo para uso exclusivo del destinatario. Queda prohibida su divulgación copia o distribución a terceros sin la autorización expresa del remitente. Si usted ha recibido este mensaje erróneamente, se ruega lo notifique al remitente y proceda a su borrado. Gracias por su colaboración. This message, and in the case of any file annexed to it, can have confidential information, and it is exclusively for the use of the addressee of the message. It is strictly forbidden to spread a copy or distribute to third parties, without the express order of the sender. If you have received this message mistakenly, we request you to notify to the sender, and please be sure to erase it. Thank you for your collaboration. .
client ssl renegotiation after invalidating session
I want to invalidate the client ssl cert authentication after the user logs out of my application. There is nothing about it in the docs and google just digs out this unanswered old thread from this users list in 2007: https://mail-archives.apache.org/mod_mbox/tomcat-users/200706.mbox/%3c306958.89260...@web36804.mail.mud.yahoo.com%3E Does anybody know if there is any way to do it? -- . Alberto Gael Abadin Martinez Junior Developer [image: IMATIA] www.imatia.com *Tel: *+34 986 342 774 ext 4531 *Email: *gael.aba...@imatia.com Edificio CITEXVI Fonte das Abelleiras, s/n - Local 27 36310 Vigo (Pontevedra) España . <http://www.linkedin.com/company/imatia-innovation> <http://www.youtube.com/imatiainnovation> . Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede contener información confidencial, siendo para uso exclusivo del destinatario. Queda prohibida su divulgación copia o distribución a terceros sin la autorización expresa del remitente. Si usted ha recibido este mensaje erróneamente, se ruega lo notifique al remitente y proceda a su borrado. Gracias por su colaboración. This message, and in the case of any file annexed to it, can have confidential information, and it is exclusively for the use of the addressee of the message. It is strictly forbidden to spread a copy or distribute to third parties, without the express order of the sender. If you have received this message mistakenly, we request you to notify to the sender, and please be sure to erase it. Thank you for your collaboration. .
Re: client ssl renegotiation after invalidating session
Thank you very much for your reply,
I tried your solution on APR, NIO and BIO connectors but it seems my
problem comes from somewhere else.
>From what I could gather, it is a matter of browser SSL credentials store
mechanism, and it doesn't seem to have a solution yet (even the suggested
window.crypto.logout() for Firefox doesn't work for me. Firefox doesn't
seem to implement that function on its latest version):
http://stackoverflow.com/questions/10487205/https-client-certificate-logout-relogin
:
http://stackoverflow.com/questions/10229027/how-to-trigger-ssl-rehandshake-on-a-web-browser
For the time being I'll just warn the users that they are not being truly
logged out until they close all browser windows.
2016-01-29 18:56 GMT+01:00 George Stanchev <gstanc...@serena.com>:
>
>
> -Original Message-
> From: Gael Abadin [mailto:gael.aba...@imatia.com]
> Sent: Friday, January 29, 2016 10:33 AM
> To: Tomcat Users List
> Subject: client ssl renegotiation after invalidating session
>
> I want to invalidate the client ssl cert authentication after the user
> logs out of my application.
>
> There is nothing about it in the docs and google just digs out this
> unanswered old thread from this users list in 2007:
>
>
> https://mail-archives.apache.org/mod_mbox/tomcat-users/200706.mbox/%3c306958.89260...@web36804.mail.mud.yahoo.com%3E
>
> Does anybody know if there is any way to do it?
>
>
> Depends what your version of Tomcat is. Since we skipped from 5.5 to 7.0 I
> don't know if 6 has this attribute. For 5.5 we used reflection to dig into
> the Request object and dig the SSLSessionManager which was kind of annoying
> since things shifted underground and we had to readjust for different
> releases of 5.5
>
>
>
> private static boolean
> invalidateTomcat7AndAboveSSLSession(HttpServletRequest httpRequest) {
> String serverInfo =
> FedSrvServlet.getServletContainerServerInfo();
>
> if (serverInfo == null) {
> log.error("Failed to determine server version");
> return false;
> }
>
> boolean compatibleTomcat =
> (serverInfo.indexOf("Tomcat") > 0 &&
> serverInfo.indexOf("7.0") > 0) ||
> (serverInfo.indexOf("Tomcat") > 0 &&
> serverInfo.indexOf("8.0") > 0) ||
> (serverInfo.indexOf("Tomcat") > 0 &&
> serverInfo.indexOf("9.0") > 0);
>
> if (compatibleTomcat) {
> // Invalidate the SSL Session
> (org.apache.tomcat.util.net.SSLSessionManager)
> Method invalidateSessionMethod = null;
> Object mgr =
> httpRequest.getAttribute("javax.servlet.request.ssl_session_mgr");
> if (mgr != null) {
> try {
> invalidateSessionMethod =
> mgr.getClass().getMethod("invalidateSession");
> if (invalidateSessionMethod ==
> null) {
> log.error("Failed to reset
> SSL session: Method invalidateSessionMethod =
> mgr.getClass().getMethod(\"invalidateSession\") failed to return method");
> }
>
> invalidateSessionMethod.setAccessible(true);
> } catch (Throwable t) {
> log.error("Failed to reset SSL
> session: " + t.getMessage(), t);
> }
>
> // Invalidate the session
> try {
>
> invalidateSessionMethod.invoke(mgr);
> log.trace("SSL session reset
> successfully");
> return true;
> } catch (Throwable t) {
> log.error("Failed to reset SSL
> session: invalidateSession() threw exception: " + t.getMessage(), t);
> }
> } else {
> log.error("Failed to reset SSL session:
> httpRequest.getAttribute(\"javax.servlet.request.ssl_session_mgr\") call
> failed to return session manager object");
> }
> }
>
> return false;
> }
>
> Hope this helps.
>
> George
>
--
.
Alberto Gael Abadin Mar
Re: SSL client cert selection dialog not showing up on cloned deployment of tomcat 7 for windows x64
None of us had. Now both of us have, and still the same result ¯\_(ツ)_/¯ The DNS response is all the same, because for development we are using internal lan ip access (or localhost), not domain-based. And self-signed certificates. I thought maybe it was some Java security configuration, but looking at it on the Windows Control Panel widget we also have the same Anyway, thanks for the tips! :-) 2016-01-19 16:49 GMT+01:00 Christopher Schultz <ch...@christopherschultz.net >: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Gael, > > On 1/19/16 6:37 AM, Gael Abadin wrote: > > Thanks for the reply :-) > > > > I've checked for all that! > > > > I even ended up copying my tomcat folder and my eclipse tomcat > > configuration folder from my computer to his, > > > > So they are literally the same configuration. > > > > I know the connector configuration is being read because if, for > > example, I remove the .keystore file I get an error. Or if I change > > the port the SSL connector starts listening on that port on > > deployment. > > > > Also, I made sure we are launching using the same JRE. > > > > I tried clientAuth="true" instead of "want". And accesing from my > > browser on my computer. Still no client certificate request. Log > > files don't show any errors. > > > > We even tried to reboot the system ^^'. > > > > Eclipse versions differ, but I don't see how that could result in > > tomcat not requesting SSL client certs... > > > > Anyway, since we couldn't find the cause I recommended him to use a > > fresh tomcat 7 install, download the last eclipse-JEE and java SDK, > > using a new workbench, and starting a new project redownloading the > > source files from the repo. It's a little overkill, but that should > > do it... > > Is it possible that one of you has added-on for instance the > "unlimited encryption" setting in the JRE and the other has not? > > I'm grasping at straws here because it seems like you've looked at all > the usual things that could have gone wrong. > > Bad DNS response? (!!?) > > - -chris > > > 2016-01-19 1:59 GMT+01:00 Christopher Schultz > > <ch...@christopherschultz.net> : > > > >> Gael, > >> > >> On 1/11/16 11:46 AM, Gael Abadin wrote: > >>> The server certificate is self signed. Appart from the typical > >>> warning we see no errors when we check it. > >>> > >>> His system (windows) clock is synchronized using microsoft's > >>> NTP server, same as mine. > >>> > >>> This is really weird because I have already delopoyed the same > >>> app and config in two other systems, appart from mine, without > >>> any issues, and > >> his > >>> and mine are basically the same... > >> > >> Run "diff" on the two conf/server.xml files from the two > >> servers? Different conf/context.xml file? How about a > >> conf/[engine]/[host]/[app].xml file making a difference in one or > >> the other environment? > >> > >> -chris > >> > >> - > >> > >> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > > > > -BEGIN PGP SIGNATURE- > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iEYEARECAAYFAlaeWvEACgkQ9CaO5/Lv0PD+ZwCdEckChNr97VUhice9tPr5BnE9 > lp4AoILZ9L0uycFJx+hf4Tt7CMpDTPX7 > =2t5+ > -END PGP SIGNATURE- > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- . Alberto Gael Abadin Martinez Junior Developer [image: IMATIA] www.imatia.com *Tel: *+34 986 342 774 ext 4531 *Email: *gael.aba...@imatia.com Edificio CITEXVI Fonte das Abelleiras, s/n - Local 27 36310 Vigo (Pontevedra) España . <http://www.linkedin.com/company/imatia-innovation> <http://www.youtube.com/imatiainnovation> . Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede contener información confidencial, siendo para uso exclusivo del destinatario. Queda prohibida su divulgación copia o distribución a terceros sin la autorización expresa del remitente. Si usted ha recibido este mensaje erróneamente, se ruega lo notifique al remitente y proceda a su borrado. Gracias por su colaboración. This message, and in the case of any file annexed to it, can have confidential information, and it is exclusively for the use of the addressee of the message. It is strictly forbidden to spread a copy or distribute to third parties, without the express order of the sender. If you have received this message mistakenly, we request you to notify to the sender, and please be sure to erase it. Thank you for your collaboration. .
