Re: Tomcat client certificate authentication

Dave,

On 2/1/23 06:17, Dave Breeze wrote:
> Chris
> thanks for your mail
> Apologies for confusion. Yes I am requesting certificates - sslCon.setProperty("clientAuth", "required") and a user can only connect by supplying a valid certificate.
>
> I removed constraints from the web.xml as I did not want access to a servlet restricted to a role - I need the servlet to respond differently based on role.

You can set the role in your security-constraint to '*' which means "any authenticated user regardless of role."

> what I have decided to do in the servlet is to retrieve the user-id from the certificate and determine their role by using a security product native to the platform on which Tomcat is running

Hope that helps,

-chris

> On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > Dave,
> >
> > On 1/30/23 04:21, Dave Breeze wrote:
> > > Thanks Chris
> > > the application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening
> >
> > No, the server is requesting the certificate information; the application is not. From your original posting:
> >
> > On 1/28/23 09:28, Dave Breeze wrote:
> > > There are no security constraints on the app's web.xml.
> >
> > With no security constraints, the application is not requesting authentication. Tomcat therefore does not provide any "authentication information" to the application. If the client sends a certificate (which is happening at the request of the /server/), then Tomcat will forward that certificate information to the application. But it will not use it for any kind of authentication or authorization.
> >
> > > I implemented an org.apache.catalina.realm.X509UsernameRetriever and configured using X509UsernameRetrieverClassName but it was never called. In my servlet, however, I can retrieve the certificates.
> >
> > That's consistent with your configuration IMO.
> >
> > You will have to tell your application to use CLIENT-CERT authentication if you want Tomcat to parse that cert chain for you, populate the user principal, etc.
> >
> > -chris
> >
> > > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz wrote:
> > > > Dave,
> > > >
> > > > On 1/28/23 09:28, Dave Breeze wrote:
> > > > > this is Tomcat 9.0 running embedded
> > > > >
> > > > > I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role.
> > > > >
> > > > > The connector has sslCon.setProperty("clientAuth", "required");
> > > > > The context has a config file set serverAppContext.setConfigFile(contextURL);
> > > > > The config file contains
> > > > >
> > > > > users.xml contains
> > > > > roles="cart-user"/>
> > > > > roles="cart-admin"/>
> > > > >
> > > > > Certificates are imported into the browser and the browser prompts for cert selection.
> > > > >
> > > > > There are no security constraints on the app's web.xml.
> > > > >
> > > > > In the servlet there is a test of httpReq.isUserInRole("cart-admin"). This always fails. Also a req.getUserPrincipal() call always returns null. The request does not seem to be authenticated.
> > > > >
> > > > > Further in the servlet a X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate") correctly returns both the certificate from the browser plus the Cert Auth. A getSubjectX500Principal().getName() call on the browser certificate returns the cn/o/ou setting that should match with users.xml.
> > > > >
> > > > > What am I missing here?
> > > >
> > > > If the application does not request authentication, Tomcat will not perform it on behalf of the application. If you want a Principal and to be able to check roles, etc. then you'll need to request CLIENT-CERT authentication in web.xml (or the embedded equivalent).
> > > >
> > > > -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
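The following is an added example and not code posted by anyone in this thread. It shows the "embedded equivalent" of the web.xml changes discussed above for Tomcat 9: a CLIENT-CERT login-config, a security-constraint whose role is "*" (any authenticated user), and a servlet that branches on isUserInRole() instead of denying access. The keystore/truststore paths and passwords, the port, the servlet and the use of Tomcat.addContext() are assumptions; the MemoryRealm path is the one from the thread. With Tomcat.addContext() the authenticator valve has to be added explicitly (Tomcat.addWebapp() selects it from the auth-method through ContextConfig).

```java
// Added example (not from the thread): embedded-Tomcat equivalent of
// <login-config>CLIENT-CERT</login-config> plus a security-constraint with
// role "*", so that Tomcat authenticates the TLS client certificate and
// populates request.getUserPrincipal() / isUserInRole().
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.MemoryRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;

public class ClientCertEmbedded {

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(System.getProperty("java.io.tmpdir"));

        // TLS connector that REQUIRES a client certificate, as in the thread.
        // Store paths/passwords are assumed placeholders.
        Connector sslCon = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        sslCon.setPort(8443);
        sslCon.setSecure(true);
        sslCon.setScheme("https");
        sslCon.setProperty("SSLEnabled", "true");
        sslCon.setProperty("clientAuth", "required");
        sslCon.setProperty("keystoreFile", "/path/to/server.p12");      // assumed
        sslCon.setProperty("keystorePass", "changeit");                // assumed
        sslCon.setProperty("truststoreFile", "/path/to/ca-trust.p12"); // assumed: CA that issued client certs
        sslCon.setProperty("truststorePass", "changeit");              // assumed
        tomcat.getService().addConnector(sslCon);

        // No static content is served, so the doc base is left null.
        Context ctx = tomcat.addContext("", null);

        // Realm: the realm's X509UsernameRetriever turns the certificate's
        // subject DN into a user name, which is looked up in users.xml.
        MemoryRealm realm = new MemoryRealm();
        realm.setPathname("/var/CartS3Server/cartapp/users.xml"); // path from the thread
        ctx.setRealm(realm);

        // 1. Embedded equivalent of <login-config><auth-method>CLIENT-CERT</auth-method></login-config>.
        LoginConfig login = new LoginConfig();
        login.setAuthMethod("CLIENT-CERT");
        ctx.setLoginConfig(login);
        // Tomcat.addContext() does not run ContextConfig, so the CLIENT-CERT
        // authenticator valve is added by hand; Tomcat.addWebapp() derives it
        // from the auth-method automatically.
        ctx.getPipeline().addValve(new SSLAuthenticator());

        // 2. Constraint with role "*": any authenticated user regardless of
        //    role, so access is not denied by role and the servlet can still
        //    branch on isUserInRole().
        SecurityCollection all = new SecurityCollection();
        all.addPattern("/*");
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.addCollection(all);
        constraint.addAuthRole("*");
        constraint.setUserConstraint("CONFIDENTIAL"); // HTTPS only
        ctx.addConstraint(constraint);
        ctx.addSecurityRole("cart-user");
        ctx.addSecurityRole("cart-admin");

        Tomcat.addServlet(ctx, "cart", new CartServlet()); // assumed servlet name/path
        ctx.addServletMappingDecoded("/cart", "cart");

        tomcat.start();
        tomcat.getServer().await();
    }

    // Responds differently by role; Tomcat has populated the Principal before
    // the servlet runs, so isUserInRole() now reflects users.xml.
    public static class CartServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            if (req.getUserPrincipal() == null) {
                // Defensive only: the "*" constraint already rejects unauthenticated requests.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            String role = req.isUserInRole("cart-admin") ? "cart-admin" : "cart-user";
            resp.setContentType("text/plain");
            resp.getWriter().println("Hello " + req.getUserPrincipal().getName() + ", role=" + role);
        }
    }
}
```

Once the login-config and constraint are in place, the only remaining matching problem is the user name: the MemoryRealm entry in users.xml must equal the string the realm derives from the certificate's subject DN (the default retriever, unless X509UsernameRetrieverClassName overrides it), so compare what getUserPrincipal().getName() reports against the username attribute in users.xml before assuming the realm is at fault.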
AW: Tomcat client certificate authentication

Hello Dave,

> -Original Message-
> From: Dave Breeze
> Sent: Wednesday, 1 February 2023 12:17
> To: Tomcat Users List
> Subject: Re: Tomcat client certificate authentication
>
> Chris
> thanks for your mail
> Apologies for confusion. Yes I am requesting certificates - sslCon.setProperty("clientAuth", "required") and a user can only connect by supplying a valid certificate.
>
> I removed constraints from the web.xml as I did not want access to a servlet restricted to a role - I need the servlet to respond differently based on role.
> what I have decided to do in the servlet is to retrieve the user-id from the certificate and determine their role by using a security product native to the platform on which Tomcat is running
>
> Thanks for your help.
>
> Dave Breeze
> Linkedin: https://uk.linkedin.com/in/dabreeze

I think you need constraints in your web.xml. Otherwise Tomcat won't ask for authentication. Something like:

protected area /* my-role CONFIDENTIAL my-role

Otherwise the user is treated as an anonymous user without any identity.

Greetings,
Thomas

> On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > Dave,
> >
> > On 1/30/23 04:21, Dave Breeze wrote:
> > > Thanks Chris
> > > the application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening
> >
> > No, the server is requesting the certificate information; the application is not. From your original posting:
> >
> > On 1/28/23 09:28, Dave Breeze wrote:
> > > There are no security constraints on the app's web.xml.
> >
> > With no security constraints, the application is not requesting authentication. Tomcat therefore does not provide any "authentication information" to the application. If the client sends a certificate (which is happening at the request of the /server/), then Tomcat will forward that certificate information to the application. But it will not use it for any kind of authentication or authorization.
> >
> > > I implemented an org.apache.catalina.realm.X509UsernameRetriever and configured using X509UsernameRetrieverClassName but it was never called. In my servlet, however, I can retrieve the certificates.
> >
> > That's consistent with your configuration IMO.
> >
> > You will have to tell your application to use CLIENT-CERT authentication if you want Tomcat to parse that cert chain for you, populate the user principal, etc.
> >
> > -chris
> >
> > > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz wrote:
> > > > Dave,
> > > >
> > > > On 1/28/23 09:28, Dave Breeze wrote:
> > > > > this is Tomcat 9.0 running embedded
> > > > >
> > > > > I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role.
> > > > >
> > > > > The connector has sslCon.setProperty("clientAuth", "required");
> > > > > The context has a config file set serverAppContext.setConfigFile(contextURL);
> > > > > The config file contains
> > > > > debug="9"
> > > > > pathname="/var/CartS3Server/cartapp/users.xml"/>
> > > > >
> > > > > users.xml contains
> > > > > roles="cart-user"/>
> > > > > roles="cart-admin"/>
> > > > >
> > > > > Certificates are imported into the browser and the browser prompts for cert selection.
> > > > >
> > > > > There are no security constraints on the app's web.xml.
> > > > >
> > > > > In the servlet there is a test of httpReq.isUserInRole("cart-admin"). This always fails. Also a req.getUserPrincipal() call always
Re: Tomcat client certificate authentication

Chris
thanks for your mail
Apologies for confusion. Yes I am requesting certificates - sslCon.setProperty("clientAuth", "required") and a user can only connect by supplying a valid certificate.

I removed constraints from the web.xml as I did not want access to a servlet restricted to a role - I need the servlet to respond differently based on role.
what I have decided to do in the servlet is to retrieve the user-id from the certificate and determine their role by using a security product native to the platform on which Tomcat is running

Thanks for your help.

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Dave,
>
> On 1/30/23 04:21, Dave Breeze wrote:
> > Thanks Chris
> > the application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening
>
> No, the server is requesting the certificate information; the application is not. From your original posting:
>
> On 1/28/23 09:28, Dave Breeze wrote:
> > There are no security constraints on the app's web.xml.
>
> With no security constraints, the application is not requesting authentication. Tomcat therefore does not provide any "authentication information" to the application. If the client sends a certificate (which is happening at the request of the /server/), then Tomcat will forward that certificate information to the application. But it will not use it for any kind of authentication or authorization.
>
> > I implemented an org.apache.catalina.realm.X509UsernameRetriever and configured using X509UsernameRetrieverClassName but it was never called. In my servlet, however, I can retrieve the certificates.
>
> That's consistent with your configuration IMO.
>
> You will have to tell your application to use CLIENT-CERT authentication if you want Tomcat to parse that cert chain for you, populate the user principal, etc.
>
> -chris
>
> > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz wrote:
> > > Dave,
> > >
> > > On 1/28/23 09:28, Dave Breeze wrote:
> > > > this is Tomcat 9.0 running embedded
> > > >
> > > > I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role.
> > > >
> > > > The connector has sslCon.setProperty("clientAuth", "required");
> > > > The context has a config file set serverAppContext.setConfigFile(contextURL);
> > > > The config file contains
> > > > debug="9"
> > > > pathname="/var/CartS3Server/cartapp/users.xml"/>
> > > >
> > > > users.xml contains
> > > > roles="cart-user"/>
> > > > roles="cart-admin"/>
> > > >
> > > > Certificates are imported into the browser and the browser prompts for cert selection.
> > > >
> > > > There are no security constraints on the app's web.xml.
> > > >
> > > > In the servlet there is a test of httpReq.isUserInRole("cart-admin"). This always fails. Also a req.getUserPrincipal() call always returns null. The request does not seem to be authenticated.
> > > >
> > > > Further in the servlet a X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate") correctly returns both the certificate from the browser plus the Cert Auth. A getSubjectX500Principal().getName() call on the browser certificate returns the cn/o/ou setting that should match with users.xml.
> > > >
> > > > What am I missing here?
> > >
> > > If the application does not request authentication, Tomcat will not perform it on behalf of the application. If you want a Principal and to be able to check roles, etc. then you'll need to request CLIENT-CERT authentication in web.xml (or the embedded equivalent).
> > >
> > > -chris
Re: Tomcat client certificate authentication

Dave,

On 1/30/23 04:21, Dave Breeze wrote:
> Thanks Chris
> the application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening

No, the server is requesting the certificate information; the application is not. From your original posting:

On 1/28/23 09:28, Dave Breeze wrote:
> There are no security constraints on the app's web.xml.

With no security constraints, the application is not requesting authentication. Tomcat therefore does not provide any "authentication information" to the application. If the client sends a certificate (which is happening at the request of the /server/), then Tomcat will forward that certificate information to the application. But it will not use it for any kind of authentication or authorization.

> I implemented an org.apache.catalina.realm.X509UsernameRetriever and configured using X509UsernameRetrieverClassName but it was never called. In my servlet, however, I can retrieve the certificates.

That's consistent with your configuration IMO.

You will have to tell your application to use CLIENT-CERT authentication if you want Tomcat to parse that cert chain for you, populate the user principal, etc.

-chris

> On Sun, 29 Jan 2023 at 22:21, Christopher Schultz wrote:
> > Dave,
> >
> > On 1/28/23 09:28, Dave Breeze wrote:
> > > this is Tomcat 9.0 running embedded
> > >
> > > I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role.
> > >
> > > The connector has sslCon.setProperty("clientAuth", "required");
> > > The context has a config file set serverAppContext.setConfigFile(contextURL);
> > > The config file contains
> > >
> > > users.xml contains
> > >
> > > Certificates are imported into the browser and the browser prompts for cert selection.
> > >
> > > There are no security constraints on the app's web.xml.
> > >
> > > In the servlet there is a test of httpReq.isUserInRole("cart-admin"). This always fails. Also a req.getUserPrincipal() call always returns null. The request does not seem to be authenticated.
> > >
> > > Further in the servlet a X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate") correctly returns both the certificate from the browser plus the Cert Auth. A getSubjectX500Principal().getName() call on the browser certificate returns the cn/o/ou setting that should match with users.xml.
> > >
> > > What am I missing here?
> >
> > If the application does not request authentication, Tomcat will not perform it on behalf of the application. If you want a Principal and to be able to check roles, etc. then you'll need to request CLIENT-CERT authentication in web.xml (or the embedded equivalent).
> >
> > -chris
Re: Tomcat client certificate authentication

Thanks Chris
the application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening

I implemented an org.apache.catalina.realm.X509UsernameRetriever and configured using X509UsernameRetrieverClassName but it was never called. In my servlet, however, I can retrieve the certificates.

thanks for your help

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Sun, 29 Jan 2023 at 22:21, Christopher Schultz wrote:
> Dave,
>
> On 1/28/23 09:28, Dave Breeze wrote:
> > this is Tomcat 9.0 running embedded
> >
> > I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role.
> >
> > The connector has sslCon.setProperty("clientAuth", "required");
> > The context has a config file set serverAppContext.setConfigFile(contextURL);
> > The config file contains
> > debug="9"
> > pathname="/var/CartS3Server/cartapp/users.xml"/>
> >
> > users.xml contains
> > roles="cart-admin"/>
> >
> > Certificates are imported into the browser and the browser prompts for cert selection.
> >
> > There are no security constraints on the app's web.xml.
> >
> > In the servlet there is a test of httpReq.isUserInRole("cart-admin"). This always fails. Also a req.getUserPrincipal() call always returns null. The request does not seem to be authenticated.
> >
> > Further in the servlet a X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate") correctly returns both the certificate from the browser plus the Cert Auth. A getSubjectX500Principal().getName() call on the browser certificate returns the cn/o/ou setting that should match with users.xml.
> >
> > What am I missing here?
>
> If the application does not request authentication, Tomcat will not perform it on behalf of the application. If you want a Principal and to be able to check roles, etc. then you'll need to request CLIENT-CERT authentication in web.xml (or the embedded equivalent).
>
> -chris
Re: Tomcat client certificate authentication

Dave,

On 1/28/23 09:28, Dave Breeze wrote:
> this is Tomcat 9.0 running embedded
>
> I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role.
>
> The connector has sslCon.setProperty("clientAuth", "required");
> The context has a config file set serverAppContext.setConfigFile(contextURL);
> The config file contains
>
> users.xml contains
>
> Certificates are imported into the browser and the browser prompts for cert selection.
>
> There are no security constraints on the app's web.xml.
>
> In the servlet there is a test of httpReq.isUserInRole("cart-admin"). This always fails. Also a req.getUserPrincipal() call always returns null. The request does not seem to be authenticated.
>
> Further in the servlet a X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate") correctly returns both the certificate from the browser plus the Cert Auth. A getSubjectX500Principal().getName() call on the browser certificate returns the cn/o/ou setting that should match with users.xml.
>
> What am I missing here?

If the application does not request authentication, Tomcat will not perform it on behalf of the application. If you want a Principal and to be able to check roles, etc. then you'll need to request CLIENT-CERT authentication in web.xml (or the embedded equivalent).

-chris
Tomcat client certificate authentication

hi
this is Tomcat 9.0 running embedded

I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role.

The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set serverAppContext.setConfigFile(contextURL);
The config file contains

users.xml contains

Certificates are imported into the browser and the browser prompts for cert selection.

There are no security constraints on the app's web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin"). This always fails. Also a req.getUserPrincipal() call always returns null. The request does not seem to be authenticated.

Further in the servlet a X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate") correctly returns both the certificate from the browser plus the Cert Auth. A getSubjectX500Principal().getName() call on the browser certificate returns the cn/o/ou setting that should match with users.xml.

What am I missing here?

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze