Re: [External] Re: Client Certificates

2023-07-24 Thread Christopher Schultz

Robert,

On 7/20/23 15:43, Robert Egan wrote:

I suspect the problem is occurring before I can see the certificate,
because the only way the request even reaches my filter is when the
 is set to auth="none".

I have been pulled away from this project for now, but thanks for the
answers.


If you want to /require/ a client certificate, then you need to set 
certificateVerification="required". If you want it to be optional, then 
set certificateVerification="optional". In either case, if the client 
sends a certificate it should be available via that request attribute.


-chris


On Mon, Jul 17, 2023 at 3:45 PM Christopher Schultz <ch...@christopherschultz.net> wrote:


Tim,

On 7/17/23 10:58, Timothy Ward wrote:

Here is a filter that I am using to get the client certificates, the
issue I'm having is passing them along via the headers so they can be picked up
as CGI Environment Variables down the road.  This does get me the
certificate information though.  Just ignore the mutableRequest stuff as
that is what I was trying to use to put the information in the
RequestHeader, so there is another java file that does that.


Robert can also probably ignore the comment about "CGI Environment
Variables" because all that is handled by the Servlet Container (Tomcat)
by placing the certificate and chain under this request attribute key:

  javax.servlet.request.X509Certificate

Robert, if you read the Servlet API (it's not awful! I promise!) you'll
see what other things get put in there when client-certs are in use.


import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

//import MutableHttpServletRequest;

public class SecurityFilter implements javax.servlet.Filter
{
   @Override public void destroy()
   {
   }

   @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException
   {
      System.out.println("doFilter-Start.");
      HttpServletRequest req = (HttpServletRequest) request;
      //MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(req);

      X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

      System.out.println("doFilter-SSL_CLIENT_S_DN=" + certs[0].getSubjectX500Principal().getName());

I would highly recommend some null-checking in here /just in case/ but
this is basically what you (Robert) are looking for.

      System.out.println("doFilter-SSL_CERTIFICATES_FOUND=" + Integer.toString(certs.length));

      //mutableRequest.putHeader("SSL_CLIENT_S_DN", certs[0].getSubjectX500Principal().getName());
      //mutableRequest.putHeader("SSL_CERTIFICATES_FOUND", Integer.toString(certs.length));
      //chain.doFilter(mutableRequest, response);
      System.out.println("doFilter-Done.");
   }

   @Override public void init(FilterConfig filterConfig) throws ServletException
   {
   }
}


-chris


On Mon, Jul 17, 2023 at 10:38 AM Robert Egan wrote:


I would like to write a filter that accesses a client certificate attached
to the servlet request without using a proxy server. And after three weeks
of searching, I'm beginning to feel like it is not possible. Because every
article I've found assumes the request was forwarded from a proxy server.

So my questions are: Is it even possible? If it is, can someone point me in
the right direction? Also, if it is possible, but strongly discouraged for
security reasons, let me know that as well. I am not averse to using a
proxy server, especially if it is considered a "best practice".

Thanks in advance
Robert Egan
--
*VSolvit LLC*, *CMMI (Level 3), ISO 9001, ISO 2-1, ISO 27001*
*1305 Executive Blvd. Ste. 160 | Chesapeake | VA | 23320*
*(617) 455-1425*
www.vsolvit.com

*VSolvit (We*Solve*it) *is an award winning technology services company
that specializes in the areas of Geographic Information Systems and IT
application development / database integration.

*Cyber-security ~ Cloud Computing ~ GIS ~ Business Intelligence ~ Data
Warehousing.*

*CONFIDENTIALITY NOTICE:* This communication, including attachments, is for
the exclusive use of addressee and may contain proprietary, confidential or
privileged information. If you are not the intended recipient, any use,
copying, disclosure, dissemination or distribution is strictly prohibited.
If you are not the intended recipient, please notify the sender immediately
by return email and delete this communication and destroy all copies.






Re: [External] Re: Client Certificates

2023-07-20 Thread Robert Egan
I suspect the problem is occurring before I can see the certificate,
because the only way the request even reaches my filter is when the
 is set to auth="none".

I have been pulled away from this project for now, but thanks for the
answers.


Robert Egan


On Mon, Jul 17, 2023 at 3:45 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Tim,
>
> On 7/17/23 10:58, Timothy Ward wrote:
> > Here is a filter that I am using to get the client certificates, the
> issue
> > I'm having is passing them along via the headers so they can be picked up
> > as CGI Environment Variables down the road.  This does get me the
> > certificate information though.  Just ignor the mutableRequest stuff as
> > that is what I was trying to use to put the information in the
> > RequestHeader, so there is another java file that does that.
>
> Robert can also probably ignore the comment about "CGI Environment
> Variables" because all that is handled by the Servlet Container (Tomcat)
> by placing the certificate and chain under this request attribute key:
>
>  javax.servlet.request.X509Certificate
>
> Robert, if you read the Servlet API (it's not awful! I promise!) you'll
> see what other things get put in there when client-certs are in use.
>
> > import java.io.IOException;
> >
> > import javax.servlet.FilterChain;
> > import javax.servlet.FilterConfig;
> > import javax.servlet.ServletException;
> > import javax.servlet.ServletRequest;
> > import javax.servlet.ServletResponse;
> > import javax.servlet.http.HttpServletRequest;
> > import javax.servlet.http.HttpServletResponse;
> >
> > import java.security.cert.Certificate;
> > import java.security.cert.X509Certificate;
> >
> > //import MutableHttpServletRequest;
> >
> > public class SecurityFilter implements javax.servlet.Filter
> > {
> >   @Override public void destroy()
> >   {
> >   }
> >
> >   @Override public void doFilter(ServletRequest request, ServletResponse
> > response, FilterChain chain) throws IOException, ServletException
> >{
> > System.out.println("doFilter-Start.");
> > HttpServletRequest req = (HttpServletRequest) request;
> > //MutableHttpServletRequest mutableRequest = new
> > MutableHttpServletRequest(req);
> >
> > X509Certificate[] certs = (X509Certificate[])
> > req.getAttribute("javax.servlet.request.X509Certificate");
> >
> > System.out.println("doFilter-SSL_CLIENT_S_DN="+certs[0].getSubjectX500Principal().getName());
>
> I would highly recommend some null-checking in here /just in case/ but
> this is basically what you (Robert) are looking for.
>
> >
> > System.out.println("doFilter-SSL_CERTIFICATES_FOUND="+Integer.toString(certs.length));
> > //mutableRequest.putHeader("SSL_CLIENT_S_DN",
> > certs[0].getSubjectX500Principal().getName());
> > //mutableRequest.putHeader("SSL_CERTIFICATES_FOUND",
> > Integer.toString(certs.length));
> > //chain.doFilter(mutableRequest, response);
> > System.out.println("doFilter-Done.");
> >}
> >
> >   @Override public void init(FilterConfig filterConfig) throws
> > ServletException
> >{
> >}
> > }
>
> -chris
>
> > On Mon, Jul 17, 2023 at 10:38 AM Robert Egan wrote:
> >
> >> I would like to write a filter that accesses a client certificate
> attached
> >> to the servlet request without using a proxy server. And after three
> weeks
> >> of searching, I'm beginning to feel like it is not possible. Because
> every
> >> article I've found assumes the request was forwarded from a proxy
> server.
> >>
> >> So my ques

Re: Client Certificates

2023-07-17 Thread Christopher Schultz

Tim,

On 7/17/23 10:58, Timothy Ward wrote:

Here is a filter that I am using to get the client certificates, the issue
I'm having is passing them along via the headers so they can be picked up
as CGI Environment Variables down the road.  This does get me the
certificate information though.  Just ignore the mutableRequest stuff as
that is what I was trying to use to put the information in the
RequestHeader, so there is another java file that does that.


Robert can also probably ignore the comment about "CGI Environment 
Variables" because all that is handled by the Servlet Container (Tomcat) 
by placing the certificate and chain under this request attribute key:


javax.servlet.request.X509Certificate

Robert, if you read the Servlet API (it's not awful! I promise!) you'll 
see what other things get put in there when client-certs are in use.



import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

//import MutableHttpServletRequest;

public class SecurityFilter implements javax.servlet.Filter
{
   @Override public void destroy()
   {
   }

   @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException
   {
      System.out.println("doFilter-Start.");
      HttpServletRequest req = (HttpServletRequest) request;
      //MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(req);

      X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

      System.out.println("doFilter-SSL_CLIENT_S_DN=" + certs[0].getSubjectX500Principal().getName());


I would highly recommend some null-checking in here /just in case/ but 
this is basically what you (Robert) are looking for.



      System.out.println("doFilter-SSL_CERTIFICATES_FOUND=" + Integer.toString(certs.length));

      //mutableRequest.putHeader("SSL_CLIENT_S_DN", certs[0].getSubjectX500Principal().getName());
      //mutableRequest.putHeader("SSL_CERTIFICATES_FOUND", Integer.toString(certs.length));
      //chain.doFilter(mutableRequest, response);
      System.out.println("doFilter-Done.");
   }

   @Override public void init(FilterConfig filterConfig) throws ServletException
   {
   }
}


-chris


On Mon, Jul 17, 2023 at 10:38 AM Robert Egan wrote:


I would like to write a filter that accesses a client certificate attached
to the servlet request without using a proxy server. And after three weeks
of searching, I'm beginning to feel like it is not possible. Because every
article I've found assumes the request was forwarded from a proxy server.

So my questions are: Is it even possible? If it is, can someone point me in
the right direction? Also, if it is possible, but strongly discouraged for
security reasons, let me know that as well. I am not averse to using a
proxy server, especially if it is considered a "best practice".

Thanks in advance
Robert Egan





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
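A hardened version of the filter pattern discussed in this thread (Chris's points above about the javax.servlet.request.X509Certificate attribute, null-checking, and certificateVerification="required" versus "optional"), written here as an added example that is neither Tim's code nor anything shipped with Tomcat. It reads the certificate chain only from the container-set request attribute, never from a request header, and lets the deployer decide whether a missing certificate is rejected. It assumes the Connector's SSLHostConfig uses certificateVerification="optional" so that certificate-less requests actually reach the filter; the init-param name requireClientCert and the attribute name example.clientCertSubjectDn are hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Exposes the TLS client certificate's subject DN to downstream code.
 *
 * The subject is taken from the request attribute that the container
 * populates after the TLS handshake, not from a header such as
 * SSL_CLIENT_S_DN: any client can send a header, whereas only Tomcat
 * sets the attribute, and only for a certificate it actually verified.
 */
public class ClientCertFilter implements Filter {

    // Attribute key defined by the Servlet specification.
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Hypothetical attribute name under which this filter publishes the
    // subject DN for servlets further down the chain (not a Tomcat name).
    public static final String SUBJECT_DN_ATTR = "example.clientCertSubjectDn";

    private boolean required;

    @Override
    public void init(FilterConfig config) {
        // Hypothetical init-param. With certificateVerification="optional"
        // on the connector, the filter decides whether a certificate is
        // mandatory for the URLs it is mapped to.
        required = Boolean.parseBoolean(config.getInitParameter("requireClientCert"));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        X509Certificate leaf = leafCertificate(req);
        if (leaf == null) {
            if (required) {
                // No certificate was presented (optional verification, or a
                // plain HTTP connector). Refuse instead of dereferencing certs[0].
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                               "client certificate required");
                return;
            }
            chain.doFilter(request, response);
            return;
        }

        // RFC 2253 form of the subject, e.g. CN=testClient_2,OU=...,O=...
        req.setAttribute(SUBJECT_DN_ATTR, leaf.getSubjectX500Principal().getName());
        chain.doFilter(request, response);
    }

    /** Returns the client's own (end-entity) certificate, or null if none was sent. */
    static X509Certificate leafCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            // Attribute absent: no handshake-verified certificate on this request.
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        // The Servlet spec orders the array with the client's certificate
        // first and any CA certificates after it; an empty array means none.
        return chain.length == 0 ? null : chain[0];
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter in web.xml to the URL patterns that need a certificate and set requireClientCert to true there; for everything else leave it unset so the request passes through with no subject attribute.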



Re: Client Certificates

2023-07-17 Thread Timothy Ward
Here is a filter that I am using to get the client certificates, the issue
I'm having is passing them along via the headers so they can be picked up
as CGI Environment Variables down the road.  This does get me the
certificate information though.  Just ignore the mutableRequest stuff as
that is what I was trying to use to put the information in the
RequestHeader, so there is another java file that does that.

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import java.security.cert.X509Certificate;

//import MutableHttpServletRequest;

public class SecurityFilter implements javax.servlet.Filter
{
   @Override public void destroy()
   {
   }

   @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException
   {
      System.out.println("doFilter-Start.");
      HttpServletRequest req = (HttpServletRequest) request;
      //MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(req);

      // Tomcat sets this attribute only when the client presented a certificate
      // during the TLS handshake; it is absent on a plain HTTP connector and when
      // client verification is optional and the client sent nothing.
      X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

      if (certs != null && certs.length > 0)
      {
         // certs[0] is the client's own certificate; any CA certificates follow it.
         System.out.println("doFilter-SSL_CLIENT_S_DN=" + certs[0].getSubjectX500Principal().getName());
         System.out.println("doFilter-SSL_CERTIFICATES_FOUND=" + Integer.toString(certs.length));
      }
      else
      {
         System.out.println("doFilter-no client certificate on this request.");
      }

      //mutableRequest.putHeader("SSL_CLIENT_S_DN", certs[0].getSubjectX500Principal().getName());
      //mutableRequest.putHeader("SSL_CERTIFICATES_FOUND", Integer.toString(certs.length));
      //chain.doFilter(mutableRequest, response);

      // Pass the request on; without this call the filter would swallow every
      // request it sees.
      chain.doFilter(request, response);
      System.out.println("doFilter-Done.");
   }

   @Override public void init(FilterConfig filterConfig) throws ServletException
   {
   }
}

On Mon, Jul 17, 2023 at 10:38 AM Robert Egan wrote:

> I would like to write a filter that accesses a client certificate attached
> to the servlet request without using a proxy server. And after three weeks
> of searching, I'm beginning to feel like it is not possible. Because every
> article I've found assumes the request was forwarded from a proxy server.
>
> So my questions are: Is it even possible? If it is, can someone point me in
> the right direction? Also, if it is possible, but strongly discouraged for
> security reasons, let me know that as well. I am not averse to using a
> proxy server, especially if it is considered a "best practice".
>
> Thanks in advance
> Robert Egan
>


Client Certificates

2023-07-17 Thread Robert Egan
I would like to write a filter that accesses a client certificate attached
to the servlet request without using a proxy server. And after three weeks
of searching, I'm beginning to feel like it is not possible. Because every
article I've found assumes the request was forwarded from a proxy server.

So my questions are: Is it even possible? If it is, can someone point me in
the right direction? Also, if it is possible, but strongly discouraged for
security reasons, let me know that as well. I am not averse to using a
proxy server, especially if it is considered a "best practice".

Thanks in advance
Robert Egan


Client certificates not authenticated by realm

2014-12-01 Thread Andrew Gronosky

Hello,

I am trying to set up client-certificate authentication for Tomcat 
7.0.57. I have read the basics in the docs and I have my configuration 
working up to a point.


My problem is that Tomcat accepts the client's connection, but returns 
HTTP status 401 for pages the user is supposed to be authorized to access.


I am confident the certificates and key store etc. are set up properly 
because the TLS connection works with a trusted client certificate and 
not with an untrusted one. :-)


Some relevant snippets from the configuration files:

web.xml from my web app divides the web resources into several 
collections, one of which requires no authentication at all and others 
require the user to belong to a particular role. For example:


<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public Interface</web-resource-name>
    <url-pattern>/index.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrator Only</web-resource-name>
    <url-pattern>/admin.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The Connector is set up in server.xml as:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           clientAuth="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${catalina.home}/conf/testServer.jks" keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/truststore.jks" truststorePass="changeit"
           sslProtocol="TLSv1.2" />

And finally, my Realm is a UserDatabaseRealm:
   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
          resourceName="UserDatabase" digest="sha"/>

tomcat-users.xml looks something like this:

<tomcat-users>
  <role rolename="user" /> <!-- System administrators -->
  <role rolename="administrator" /> <!-- System administrators -->
  <user username="testClient_1" password="redacted***" roles="user" />
  <user username="testClient_2" password="redacted***" roles="administrator" />
</tomcat-users>

Again, the symptom I am seeing is that a browser with the testClient_2 
certificate installed can connect to the web app and access index.html, 
but gets an HTTP 401 error trying to access admin.html.


Does anyone have suggestions what I might be overlooking or how I could 
isolate the cause?


Thanks,

--
Andrew Gronosky





Re: Client certificates not authenticated by realm

2014-12-01 Thread Christopher Schultz

Andrew,

On 12/1/14 2:33 PM, Andrew Gronosky wrote:
 Hello,
 
 I am trying to set up client-certificate authentication for Tomcat 
 7.0.57. I have read the basics in the docs and I have my
 configuration working up to a point.
 
 My problem is that Tomcat accepts the client's connection, but
 returns HTTP status 401 for pages the user is supposed to be
 authorized to access.
 
 I am confident the certificates and key store etc. are set up
 properly because the TLS connection works with a trusted client
 certificate and not with an untrusted one. :-)
 
 Some relevant snippets from the configuration files:
 
 web.xml from my web app divides the web resources into several 
 collections, one of which requires no authentication at all and
 others require the user to belong to a particular role. For
 example:
 
 <security-constraint> <web-resource-collection>
 <web-resource-name>Public Interface</web-resource-name>
 <url-pattern>/index.html</url-pattern> ... etc ...
 </web-resource-collection> <user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint> </security-constraint>
 
 
 <security-constraint> <web-resource-collection>
 <web-resource-name>Administrator Only</web-resource-name>
 <url-pattern>/admin.html</url-pattern> ... etc ...
 </web-resource-collection> <auth-constraint>
 <role-name>administrator</role-name> </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint> </security-constraint>
 
 The Connector is set up in server.xml as:
 
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
 clientAuth="true" maxThreads="150" scheme="https" secure="true"
 keystoreFile="${catalina.home}/conf/testServer.jks"
 keystorePass="changeit"
 truststoreFile="${catalina.home}/conf/truststore.jks"
 truststorePass="changeit" sslProtocol="TLSv1.2" />
 
 And finally, my Realm is a UserDatabaseRealm: <Realm
 className="org.apache.catalina.realm.UserDatabaseRealm"
 resourceName="UserDatabase" digest="sha"/>
 
 tomcat-users.xml looks something like this:
 
 <tomcat-users> <role rolename="user" /> <!-- System administrators
 --> <role rolename="administrator" /> <!-- System administrators
 --> <user username="testClient_1" password="redacted***"
 roles="user" /> <user username="testClient_2"
 password="redacted***" roles="administrator" />
 </tomcat-users>
 
 Again, the symptom I am seeing is that a browser with the
 testClient_2 certificate installed can connect to the web app and
 access index.html, but gets an HTTP 401 error trying to access
 admin.html.
 
 Does anyone have suggestions what I might be overlooking or how I
 could isolate the cause?

What do the CNs look like for your client certs?

- -chris




Re: Client certificates not authenticated by realm

2014-12-01 Thread Andrew Gronosky


On 2014-12-01 15:14, Christopher Schultz wrote:

What do the CNs look like for your client certs?

- -chris

Hi Chris,

Thanks for the very quick reply!

For the testClient_2 client cert, the CN is:


Owner: CN=testClient_2, OU=ATAK, O=BBN, L=Cambridge, ST=MA, C=US
Issuer: CN=marti-ca, O=BBN, L=Cambridge, ST=MA, C=US


The CA (marti-ca) is one I made up myself and it's installed in the 
browser as trusted.



--
Andrew Gronosky





Re: Client certificates not authenticated by realm

2014-12-01 Thread Andrew Gronosky

Problem solved.

The issue was tomcat-users.xml should contain the client's CN as the 
user name, like this:


<tomcat-users>
  <role rolename="secureconn" />
  <user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null" roles="secureconn"/>
</tomcat-users>

So Chris was definitely on the right track when he (I assume, maybe 
incorrectly, Chris is male) inquired about the CNs in my client certs.


Thanks again, Chris!

-Andrew Gronosky




On 2014-12-01 15:14, Christopher Schultz wrote:


Andrew,

On 12/1/14 2:33 PM, Andrew Gronosky wrote:

Hello,

I am trying to set up client-certificate authentication for Tomcat
7.0.57. I have read the basics in the docs and I have my
configuration working up to a point.

My problem is that Tomcat accepts the client's connection, but
returns HTTP status 401 for pages the user is supposed to be
authorized to access.

I am confident the certificates and key store etc. are set up
properly because the TLS connection works with a trusted client
certificate and not with an untrusted one. :-)

Some relevant snippets from the configuration files:

web.xml from my web app divides the web resources into several
collections, one of which requires no authentication at all and
others require the user to belong to a particular role. For
example:

<security-constraint> <web-resource-collection>
<web-resource-name>Public Interface</web-resource-name>
<url-pattern>/index.html</url-pattern> ... etc ...
</web-resource-collection> <user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> </security-constraint>


<security-constraint> <web-resource-collection>
<web-resource-name>Administrator Only</web-resource-name>
<url-pattern>/admin.html</url-pattern> ... etc ...
</web-resource-collection> <auth-constraint>
<role-name>administrator</role-name> </auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint> </security-constraint>

The Connector is set up in server.xml as:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
clientAuth="true" maxThreads="150" scheme="https" secure="true"
keystoreFile="${catalina.home}/conf/testServer.jks"
keystorePass="changeit"
truststoreFile="${catalina.home}/conf/truststore.jks"
truststorePass="changeit" sslProtocol="TLSv1.2" />

And finally, my Realm is a UserDatabaseRealm: <Realm
className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase" digest="sha"/>

tomcat-users.xml looks something like this:

<tomcat-users> <role rolename="user" /> <!-- System administrators
--> <role rolename="administrator" /> <!-- System administrators
--> <user username="testClient_1" password="redacted***"
roles="user" /> <user username="testClient_2"
password="redacted***" roles="administrator" />
</tomcat-users>

Again, the symptom I am seeing is that a browser with the
testClient_2 certificate installed can connect to the web app and
access index.html, but gets an HTTP 401 error trying to access
admin.html.

Does anyone have suggestions what I might be overlooking or how I
could isolate the cause?

What do the CNs look like for your client certs?

- -chris




--
Andrew Gronosky
Raytheon BBN Technologies
10 Moulton Street
Cambridge, MA 02138

voice: 617-873-3486



Re: Client certificates not authenticated by realm

2014-12-01 Thread Christopher Schultz

Andrew,

On 12/1/14 4:32 PM, Andrew Gronosky wrote:
 Problem solved.
 
 The issue was tomcat-users.xml should contain the client's CN as
 the user name, like this:
 
 <tomcat-users> <role rolename="secureconn" /> <user
 username="CN=client1, OU=Application Development, O=GoSmarter,
 L=Bangalore, ST=KA, C=IN" password="null" roles="secureconn"/>
 </tomcat-users>

Yup.

 So Chris was definitely on the right track when he (I assume,
 maybe incorrectly, Chris is male) inquired about the CNs in my
 client certs.

+1 for male ;)

 Thanks again, Chris!

No problem.

- -chris




RFC 5746 compliant SSL renegotiation with client certificates

2010-10-26 Thread Aron K.

Hi,

Firefox is RFC 5746 compliant. (http://www.ssltls.de/)
Tomcat 6.0.29 uses JRE 1.6.22, also RFC 5746 compliant.

Renegotiation should occur, as the browser initially doesn't send the 
client certificate, then the user is supposed to choose a client cert. 
and then the browser should renegotiate the connection using the 
client certificate. This is where I get:


WARNUNG: SSL server initiated renegotiation is disabled, closing 
connection
26.10.2010 18:35:10 org.apache.tomcat.util.net.jsse.JSSESupport 
handShake


I was wondering, if there was any way to avoid 
allowUnsafeLegacyRenegotiation=true in the SSL 443 Connector. I only 
want to allow safe renegotiations! But I need this, as I can not 
configure the browser to send the client certificate at the very first 
request.


Any thought on this?
Thanks in advance, brgs, Aron.




Re: RFC 5746 compliant SSL renegotiation with client certificates

2010-10-26 Thread Mark Thomas
On 26/10/2010 18:28, Aron K. wrote:
 Hi,
 
 Firefox is RFC 5746 compliant. (http://www.ssltls.de/)
 Tomcat 6.0.29 uses JRE 1.6.22, also RFC 5746 compliant.
 
 Renegotiation should occur, as the browser initially doesn't send the
 client certificate, then the user is supposed to choose a client cert.
 and then the browser should renegotiate the connection using the client
 certificate. This is where I get:
 
 WARNUNG: SSL server initiated renegotiation is disabled, closing connection
 26.10.2010 18:35:10 org.apache.tomcat.util.net.jsse.JSSESupport handShake
 
 I was wondering, if there was any way to avoid
 allowUnsafeLegacyRenegotiation=true in the SSL 443 Connector. I only
 want to allow safe renegotiations! But I need this, as I can not
 configure the browser to send the client certificate at the very first
 request.
 
 Any thought on this?

Tomcat hasn't been updated to take advantage of the recently updated
JDK. You might be able to achieve what you are looking for with existing
code and the right set of options.

Mark




Problems retrieving client certificates with mod_jk

2009-06-02 Thread Diego Manilla Suárez
Hi. I'm using client certificates in certain parts of my webapp. When I 
was using mod_proxy_ajp I could retrieve the client certificates from a 
request attribute:


request.getAttribute("javax.servlet.request.X509Certificate");

But now I've switched to mod_jk and I always get null. This is my 
current config in Apache 2.2:


##
LoadModule jk_module modules/mod_jk.so
JkWorkersFile workers.properties
JkShmFile logs/mod_jk.shm
JkLogFile logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkOptions +ForwardSSLCertChain

<VirtualHost _default_:8443>
JkMount /WSindex worker1
JkMount /WSindex/* worker1
SSLVerifyClient require
SSLVerifyDepth  10
# More irrelevant SSL configuration...
</VirtualHost>
##

In Tomcat 5.5.26:

##
<Connector port="8009" enableLookups="false" protocol="AJP/1.3"
URIEncoding="UTF-8" connectionTimeout="60" />

##

workers.properties:

##
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.connection_pool_timeout=600
worker.worker1.socket_timeout=60
worker.worker1.socket_keepalive=1
##

Any idea?

Thanks in advance.





Re: Problems retrieving client certificates with mod_jk

2009-06-02 Thread Diego Manilla Suárez

OK, problem solved. I added

SSLOptions +ExportCertData

and now it's working again.

Regards,
Diego




Re: SSL Client Certificates and web applications

2008-10-21 Thread Bill Barker
I'm sure this is in the Tomcat docs, but the set of trusted root CAs is
determined by the collection in the truststoreFile attribute on the
<Connector ... /> element in server.xml (assuming you are not using the tcnative
connector). If this is omitted, then it defaults to the trusted CAs provided
by your JVM vendor.

Assuming that you are not using AJP/1.3, then the complete chain is available
via:
   X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");



SSL Client Certificates and web applications

2008-10-20 Thread Steffen Heil
Hi

I need to setup tomcat to use https certificates for client authentication.

Does anyone have a working example for this?

Which certificates does tomcat accept in that case?

Which way can be used by the application to detect which certificate was
used?

Regards,
  Steffen

 





Manage Client Certificates

2007-05-21 Thread Samuel Scheidegger
I configured my tomcat to work with SSL and client certification. Together
with a JDBC Realm the user is looked up in the database and everything
works fine.
My question now is how can I manage it on my own if there is more than one
client certificate? Is there something like an interceptor?
The idea is that there are two users with a certificate. One is something
like an admin, and the other, normal user will grant him access to his data
with his certificate.
How can I access a certificate in a programmatic way but still use the
realm?

Thank you for your help
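
As an added example (not code from the thread, from Tomcat, or from any poster), the helper below shows how a webapp reads the certificate that Tomcat stores under the Servlet request attribute, which is what Steffen asks and Bill Barker answers further up, and how it can make its own owner-or-admin decision on the certificate subject while the realm still does the CLIENT-CERT login, which is what Samuel asks directly above. It assumes the javax.servlet API of the Tomcat 5.x/6.x versions discussed here with servlet-api on the classpath; the class name, the ownerSubject/adminSubjects parameters and the re-check of validity are illustrative choices, not Tomcat behaviour.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/*
 * Added example, not part of the thread or of Tomcat.  Call these from a
 * servlet or filter that runs behind a CLIENT-CERT protected URL (or behind
 * a connector with clientAuth="want", in which case null means "no cert").
 */
public final class ClientCertInfo {

    /** Attribute key defined by the Servlet specification; Tomcat fills it in. */
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private ClientCertInfo() {
    }

    /**
     * The chain Tomcat stored for this request, or null when the client
     * presented no certificate (browser sent none on a clientAuth="want"
     * connector, or an httpd/AJP front end did not forward it).
     * Element 0 is the end-entity certificate; the issuers follow.
     */
    public static X509Certificate[] chain(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] certs = (X509Certificate[]) attr;
        return certs.length == 0 ? null : certs;
    }

    /**
     * Subject of the end-entity certificate in RFC 2253 form, or null if no
     * usable certificate was presented.  The validity period is re-checked
     * here (assumption: the connector verifies the chain only at handshake
     * time, so a long-lived connection can outlive the certificate).
     */
    public static String subject(HttpServletRequest request) {
        X509Certificate[] certs = chain(request);
        if (certs == null) {
            return null;
        }
        X509Certificate leaf = certs[0];
        try {
            leaf.checkValidity();
        } catch (CertificateException expiredOrNotYetValid) {
            return null;
        }
        return leaf.getSubjectX500Principal().getName(X500Principal.RFC2253);
    }

    /**
     * The string the thread reports Tomcat's CLIENT-CERT authenticator hands
     * to the realm as the user name: getSubjectDN().getName() of the
     * end-entity certificate.  This is what belongs in the username attribute
     * of tomcat-users.xml (double quotes escaped as &quot;).
     */
    public static String realmUserName(HttpServletRequest request) {
        X509Certificate[] certs = chain(request);
        return certs == null ? null : certs[0].getSubjectDN().getName();
    }

    /**
     * Illustrative owner-or-admin check: the caller may access a resource if
     * its certificate subject is the owner's subject or one of a configured
     * set of admin subjects.  Comparison uses the CANONICAL form so that
     * case and whitespace differences between DN spellings do not matter.
     * ownerSubject and adminSubjects are assumed inputs from the webapp.
     */
    public static boolean mayAccess(HttpServletRequest request,
                                    String ownerSubject,
                                    Set<String> adminSubjects) {
        X509Certificate[] certs = chain(request);
        if (certs == null) {
            return false;
        }
        String caller = certs[0].getSubjectX500Principal().getName(X500Principal.CANONICAL);
        if (caller.equals(new X500Principal(ownerSubject).getName(X500Principal.CANONICAL))) {
            return true;
        }
        for (String admin : adminSubjects) {
            if (caller.equals(new X500Principal(admin).getName(X500Principal.CANONICAL))) {
                return true;
            }
        }
        return false;
    }
}
```

A null from chain() is the programmatic counterpart of the "No client certificate chain in this request" and 403 results reported elsewhere in this thread, and on an AJP connector behind httpd it also occurs when httpd was not told to forward the certificate (the SSLOptions +ExportCertData and JkOptions +ForwardSSLCertChain settings from the mod_jk thread above).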





Re: Tomcat and client certificates

2006-02-15 Thread Luis Henrique
Hi

I have followed all the instructions on this discussion, and I'm still
getting the error:

HTTP Status 400 - No client certificate chain in this request

Does the user cert that I'm using need to be trusted by the cert of the tomcat server?


I'm using Apache Tomcat/5.5.15, on Win XP Pro SP2

I have generated the 2 certs like described on:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

The access to https://localhost:8443 works fine
But the access to the restricted area https://localhost:8443/teste
returns the error:
HTTP Status 400 - No client certificate chain in this request

If I use the BASIC auth, it works, but with CLIENT-CERT it does not

Is there anything wrong with my configuration?

This is my configuration:

server.xml :
...

<Realm className="org.apache.catalina.realm.MemoryRealm" />
...
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="want" sslProtocol="TLS"
   keystoreFile="c:\\certificados\\tomcat.keystore" />
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
   clientAuth="want" protocol="TLS" />


tomcat-users.xml :
<tomcat-users>
  ...
  <role rolename="cert"/>
  <user username="CN=Luis Henrrique Spoladore Amaral, OU=UFSC, O=UFSC, L=Floripa, ST=SC, C=BR"
        password="null" roles="cert"/>
</tomcat-users>


web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

<display-name>Bug 12218</display-name>
<description>
  Test web app for bug 12218.
</description>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>App</web-resource-name>
    <url-pattern>/index.htm</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>cert</role-name>
</security-role>

</web-app>

Thanks for your help

Luis




Re: Tomcat and client certificates

2006-02-07 Thread Markus
Ok, I just submitted the bugs #38553 and #38555 for both issues. If
you need more information, please let me know via bugzilla.




Re: Tomcat and client certificates

2006-02-07 Thread Mark Thomas
Markus wrote:
 Ok, I just submitted the bugs #38553 and #38555 for both issues. If
 you need more information, please let me know via bugzilla.

5.5.x CLIENT-CERT should work with all realms. 5.0.x - don't hold your
breath.

Mark





Re: Tomcat and client certificates

2006-02-06 Thread Markus
Mark:
Thank you for your link to the archive. It was my fault using the
UserDatabase realm instead of the MemoryRealm. I'm using tomcat 5.0.28 - is
it still the case in 5.5.x that you MUST use the MemoryRealm for client-cert
authentication?

Anyway, there is still an issue when trying to access a restricted url
without the proper certificate:

1) When there is the RIGHT client certificate in the browser keystore:
it works :-)

2) When there is the WRONG client certificate I get:

   HTTP Status 401 - Cannot authenticate with the provided credentials
   (this is ok, too)

3) When there is NO client certificate I get:

   HTTP Status 400 - No client certificate chain in this request

400 usually stands for a bad request or bad syntax. I believe in this case 401
should be the appropriate reply.

Is there any way to adjust the HTTP Status code for failed client-cert
authentication?




Re: Tomcat and client certificates

2006-02-06 Thread Mark Thomas
Markus wrote:
 Mark:
 Thank you for your link to the archive. It was my fault using the
 UserDatabase realm instead of the MemoryRealm. I'm using tomcat 5.0.28 - is
 it still the case in 5.5.x that you MUST use the MemoryRealm for client-cert
 authentication?

All realms should work with CLIENT-CERT. If they don't file a bug
report and I'll look into it.

 3) When there is NO client certificate I get:
 
HTTP Status 400 - No client certificate chain in this request
 
 400 usually stands for a bad request or bad syntax. I believe in this case 401
 should be the appropriate reply.
Hmm. I guess this could be debatable.

 Is there any way to adjust the HTTP Status code for failed client-cert
 authentication?
No configuration option. I suspect it would require code changes.

Mark





Re: Tomcat and client certificates

2006-02-03 Thread David Delbecq
Markus wrote:

Ok, when I set clientAuth to "want" the "Exception getting SSL Cert"
goes away. (Wtf is this documented?).

Yes it is documented:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Section 'Edit the Tomcat Configuration File'

 But I still get the 403 - Access
denied error.

This means the client didn't send a certificate or the certificate was not recognized.

Here is how I added the user's certificate to my realm:

<snip/>

tomcat-users.xml:

<tomcat-users>
  <role rolename="myrole"/>
  <user username="EMAILADDRESS=mark... , CN=markus, OU=..., O=..., L=, ST=... C=..."
        password="" roles="myrole"/>
</tomcat-users>

As username I used exactly the cert.getSubjectDN().getName() String
from the client certificate.

Is this ok?

Did you escape the quote character of the subject line using &quot; ?




Re: Tomcat and client certificates

2006-02-02 Thread Markus
Ok, when I set clientAuth to "want" the "Exception getting SSL Cert"
goes away. (Wtf is this documented?). But I still get the 403 - Access
denied error.

Here is how I added the user's certificate to my realm:

web.xml:

<security-constraint>
  <web-resource-collection>
    <url-pattern>/html/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myrole</role-name>
  </auth-constraint>
  <user-data-constraint/>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>myrole</role-name>
</security-role>

tomcat-users.xml:

<tomcat-users>
  <role rolename="myrole"/>
  <user username="EMAILADDRESS=mark... , CN=markus, OU=..., O=..., L=, ST=... C=..."
        password="" roles="myrole"/>
</tomcat-users>

As username I used exactly the cert.getSubjectDN().getName() String
from the client certificate.

Is this ok?




Re: Tomcat and client certificates

2006-02-01 Thread Markus
Setting clientAuth to "true" / "false" in the Connector configuration
works fine, but how do I configure client authentication on a
per-directory or even per-servlet basis?

This is my current configuration:

In server.xml:
<Connector port="8443"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" debug="0" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="\...\keystore.jks" keystorePass="wonttell"
   truststoreFile="\...\truststore.jks" truststorePass="wonttell"
   />

In web.xml:
<security-constraint>
  <web-resource-collection>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
  <user-data-constraint/>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

And here are the results I get:

https://domain/anypage : OK
https://domain/html/anypage : HTTP Status 403 - Access to the
requested resource has been denied

The logfile says:

01.02.2006 15:19:57 org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL Cert
java.net.SocketException: Socket Closed

What's wrong with my configuration?

Markus




RE: Tomcat and client certificates

2006-02-01 Thread Duan, Nick
The clientAuth attribute of the connector has to be set to true.  Then
you will need a client cert to access resources under /html/*, but not
other pages.  See the Tomcat SSL guide on how to create the client cert.

ND




Re: Tomcat and client certificates

2006-02-01 Thread Markus
Creating client certs is no problem, I already had client
authentication working on the Connector-Level.

Nick:
In other words: it is NOT possible in tomcat to have a webapp with
BOTH, a private part with ssl AND client authentication and a public
part with ssl but WITHOUT client authentication?

That would be sad.


Markus




Re: Tomcat and client certificates

2006-02-01 Thread David Delbecq
Hi
Yes, it is possible. From the connector configuration doc:
  clientAuth:
  Set this value to true if you want Tomcat to require all SSL clients to
present a client Certificate in order to use this socket.
  Set this value to want if you want Tomcat to request a client Certificate,
but not fail if one isn't presented.

So in your configuration, change clientAuth="false" to clientAuth="want" and
the connector will accept the connection whether there is a certificate or not.
But don't forget that
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
means access to /html/* will be refused to users not presenting a certificate.
(They can still access other webapps in tomcat if those have a login-config
not based on certificates, and they can also browse over SSL the non-restricted
area of the client-cert based webapp.)
For sensitive areas, you might also be interested in adding, in particular
for basic-authentication based webapps:
   ...
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>


-- 

David Delbecq
Royal Meteorological Institute of Belgium




Re: Tomcat and client certificates

2006-02-01 Thread Mark Thomas
Markus wrote:
 Setting clientAuth to "true" / "false" in the Connector configuration
 works fine, but how do I configure client authentication on a
 per-directory or even per-servlet basis?

<snip/>

 And here are the results I get:
 
 https://domain/anypage : OK
 https://domain/html/anypage : HTTP Status 403 - Access to the
 requested resource has been denied

Have you added the user's certificate to your realm?

Mark





Tomcat and client certificates

2006-01-31 Thread Tom Bednarz
Is it possible to run on the same container (instance of Tomcat) web 
application that DO require certificates and other applications that do 
NOT require certificates?


To define required client certificate authorization one needs to define
in SERVER.XML


<Connector className="..." port="8443" ... scheme="https" ...>
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
     clientAuth="true" protocol="TLS"
     keystoreFile="MyPath/MyKeystoreFile" ... />
</Connector>

The thing is, I have at a customer site a web-application that serves a 
mixed PKI environment. This means, that some users use chip-cards and a 
Single Sign On solution to authenticate. But there is also a quite big 
population of users who still use a standard username/password 
authentication over an SSL connection. So for both cases I need SSL.


Is there any way of defining this on an application level, which would 
mean the definition should go into web.xml instead of server.xml. I then 
could make two web applications, one defined for users with a 
Certificate and one for users without. If that is not possible, I need 
two servers, each running an instance of Tomcat with different 
server.xml settings.


Any suggestions would be greatly appreciated.

Tom




RE: Tomcat and client certificates

2006-01-31 Thread Caldarale, Charles R
 From: Tom Bednarz [mailto:[EMAIL PROTECTED] 
 Subject: Tomcat and client certificates
 
 If that is not possible, I need two servers, each running 
 an instance of Tomcat with different server.xml settings.

I haven't tried it, but I would think all you need is two sets of
<Connector> tags, not two complete installations.  You'd have to
differentiate between them by IP address or port numbers, of course.

 - Chuck
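
As an added illustration of the two-connector approach Chuck suggests (configuration written for this page, not taken from the thread or from the Tomcat docs), the server.xml fragment below serves Tom's two user populations from one Tomcat instance: the chip-card users are pointed at one port where a client certificate is mandatory, and the username/password users at another port that still uses SSL but never asks for a certificate. The port numbers, keystore paths and passwords are placeholders, and the attribute set is the Tomcat 5.x connector style used elsewhere in this thread.

```xml
<!-- Added example: one Tomcat instance, two HTTPS connectors.
     Paths, passwords and ports are assumed values. -->

<!-- 8443: PKI / chip-card population.  Every TLS handshake on this port
     must present a client certificate chaining to a CA in the truststore;
     webapps mapped here use auth-method CLIENT-CERT. -->
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           maxThreads="150" enableLookups="false" acceptCount="100"
           clientAuth="true"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/clientca.jks" truststorePass="changeit" />

<!-- 8444: username/password population.  Same server certificate, but no
     client certificate is requested, so browsers without one never get a
     certificate prompt; webapps here use BASIC or FORM login with a
     CONFIDENTIAL transport-guarantee so credentials only travel over SSL. -->
<Connector port="8444" scheme="https" secure="true" sslProtocol="TLS"
           maxThreads="150" enableLookups="false" acceptCount="100"
           clientAuth="false"
           keystoreFile="conf/server.jks" keystorePass="changeit" />
```

Both connectors can share the same keystore; only the truststore and clientAuth differ. If both populations must reach the same webapp on the same port, the single-connector clientAuth="want" arrangement described by David Delbecq earlier in this thread applies instead.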

