Re: Tomcat client certificate authentication

2023-02-01 Thread Christopher Schultz

Dave,

On 2/1/23 06:17, Dave Breeze wrote:

Chris
thanks for your mail
Apologies for confusion. Yes I am requesting certificates
- sslCon.setProperty("clientAuth", "required") and a user can only connect
by supplying a valid certificate.

I removed constraints from the web.xml as I did not want access to a
servlet restricted to a role - I need the servlet to respond
differently based on role.


You can set the role in your security-constraint to '*' which means "any 
authenticated user regardless of role."


what I have decided to do in the servlet is to retrieve the user-id
from the certificate and determine their role by using a security
product native to the platform on which Tomcat is running

Hope that helps,
-chris


On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <
ch...@christopherschultz.net> wrote:


Dave,

On 1/30/23 04:21, Dave Breeze wrote:

Thanks Chris
the application is requesting certificate authentication - and this is
working - it is just the mapping of users to roles that is not
happening


No, the server is requesting the certificate information; the
application is not. From your original posting:


On 1/28/23 09:28, Dave Breeze wrote:
  > There are no security constraints on the apps web.xml.

With no security constraints, the application is not requesting
authentication. Tomcat therefore does not provide any "authentication
information" to the application. If the client sends a certificate
(which is happening at the request of the /server/), then Tomcat will
forward that certificate information to the application. But it will not
use it for any kind of authentication or authorization.


I implemented an org.apache.catalina.realm.X509UsernameRetriever and
configured using X509UsernameRetrieverClassName but it was never
called. In my servlet, however, I can retrieve the certificates.


That's consistent with your configuration IMO.

You will have to tell your application to use CLIENT-CERT authentication
if you want Tomcat to parse that cert chain for you, populate the user
principal, etc.

-chris


On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
 wrote:


Dave,

On 1/28/23 09:28, Dave Breeze wrote:

this is Tomcat 9.0 running embedded

I am trying to authorize access by client certificate. I want the
servlet response to be tailored to the user's role. In other words I
am not looking to deny access by role.

The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set

serverAppContext.setConfigFile(contextURL);

The config file contains



 


users.xml contains



 
 
 
roles="cart-user"/>

 
roles="cart-admin"/>




Certificates are imported into the browser and the browser prompts for
cert selection.

There are no security constraints on the apps web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin").
This always fails. Also a req.getUserPrincipal() call always returns
null. The request does not seem to be authenticated.


Further in the servlet a X509Certificate[] certs = (X509Certificate[])
req.getAttribute("javax.servlet.request.X509Certificate") correctly
returns both the certificate from the browser plus the Cert Auth. A
getSubjectX500Principal().getName() call on the browser certificate
returns the cn/o/ou setting that should match with users.xml.

What am I missing here?


If the application does not request authentication, Tomcat will not
perform it on behalf of the application. If you want a Principal and to
be able to check roles, etc. then you'll need to request CLIENT-CERT
authentication in web.xml (or the embedded equivalent).

-chris


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org









AW: Tomcat client certificate authentication

2023-02-01 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Dave,

> -Original Message-
> From: Dave Breeze 
> Sent: Wednesday, 1 February 2023 12:17
> To: Tomcat Users List 
> Subject: Re: Tomcat client certificate authentication
> 
> Chris
> thanks for your mail
> Apologies for confusion. Yes I am requesting certificates
> - sslCon.setProperty("clientAuth", "required") and a user can only connect by
> supplying a valid certificate.
> 
> I removed constraints from the web.xml as I did not want access to a servlet
> restricted to a role - I need the servlet to respond differently based on 
> role.
> what I have decided to do in the servlet is to retrieve the user-id from the
> certificate and determine their role by using a security product native to the
> platform on which Tomcat is running
> 
> Thanks for your help.
> 
> Dave Breeze
> LinkedIn: https://uk.linkedin.com/in/dabreeze
> 

I think you need constraints in your web.xml. Otherwise Tomcat won't ask for 
authentication.
Something like:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>my-role</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-role>
  <role-name>my-role</role-name>
</security-role>

Otherwise the user is treated as an anonymous user without any identity.

Greetings, Thomas

> 
> On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> > Dave,
> >
> > On 1/30/23 04:21, Dave Breeze wrote:
> > > Thanks Chris
> > > the application is requesting certificate authentication - and this
> > > is working - it is just the mapping of users to roles that is not
> > > happening
> >
> > No, the server is requesting the certificate information; the
> > application is not. From your original posting:
> >
> >
> > On 1/28/23 09:28, Dave Breeze wrote:
> >  > There are no security constraints on the apps web.xml.
> >
> > With no security constraints, the application is not requesting
> > authentication. Tomcat therefore does not provide any "authentication
> > information" to the application. If the client sends a certificate
> > (which is happening at the request of the /server/), then Tomcat will
> > forward that certificate information to the application. But it will
> > not use it for any kind of authentication or authorization.
> >
> > > I implemented an org.apache.catalina.realm.X509UsernameRetriever
> and
> > > configured using X509UsernameRetrieverClassName but it was never
> > > called. In my servlet, however, I can retrieve the certificates.
> >
> > That's consistent with your configuration IMO.
> >
> > You will have to tell your application to use CLIENT-CERT
> > authentication if you want Tomcat to parse that cert chain for you,
> > populate the user principal, etc.
> >
> > -chris
> >
> > > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
> > >  wrote:
> > >>
> > >> Dave,
> > >>
> > >> On 1/28/23 09:28, Dave Breeze wrote:
> > >>> this is Tomcat 9.0 running embedded
> > >>>
> > >>> I am trying to authorize access by client certificate. I want the
> > >>> servlet response to be tailored to the user's role. In other words
> > >>> I am not looking to deny access by role.
> > >>>
> > >>> The connector has sslCon.setProperty("clientAuth", "required");
> > >>> The context has a config file set
> > serverAppContext.setConfigFile(contextURL);
> > >>> The config file contains
> > >>>
> > >>>  
> > >>>  > >>>debug="9"
> > >>>pathname="/var/CartS3Server/cartapp/users.xml"/>
> > >>> 
> > >>>
> > >>> users.xml contains
> > >>>
> > >>>  
> > >>> 
> > >>> 
> > >>>  > roles="cart-user"/>
> > >>>  > roles="cart-admin"/>
> > >>> 
> > >>>
> > >>>
> > >>> Certificates are imported into the browser and the browser prompts
> > >>> for cert selection.
> > >>>
> > >>> There are no security constraints on the apps web.xml.
> > >>>
> > >>> In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> > >>> This always fails. Also a req.getUserPrincipal() call always
> > >>>
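
The "embedded equivalent" of the web.xml login-config and security-constraint that Chris and Thomas describe, written out here as an added example (not code from the thread or from the Tomcat project). The class name, keystore paths, docBase and context-xml URL are placeholders, and the Realm that maps certificate subject DNs to users and roles is assumed to come from the context config file, as in Dave's setup.

```java
import java.net.URL;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;

/** Embedded equivalent of a CLIENT-CERT login-config plus a "*" security-constraint. */
public class ClientCertEmbedded {
    // Placeholders: only clientAuth=required and setConfigFile come from the thread.
    static final String DOC_BASE = "/path/to/cartapp";
    static final String CONTEXT_XML = "file:/path/to/context.xml";

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();

        // Server side: the connector demands a client certificate (Dave has this part).
        Connector sslCon = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        sslCon.setPort(8443);
        sslCon.setScheme("https");
        sslCon.setSecure(true);
        sslCon.setProperty("SSLEnabled", "true");
        sslCon.setProperty("clientAuth", "required");
        sslCon.setProperty("keystoreFile", "/path/to/server.p12");      // placeholder
        sslCon.setProperty("keystorePass", "changeit");                 // placeholder
        sslCon.setProperty("truststoreFile", "/path/to/client-ca.p12"); // placeholder: issuing CA(s)
        sslCon.setProperty("truststorePass", "changeit");               // placeholder
        tomcat.getService().addConnector(sslCon);

        // addWebapp attaches a ContextConfig, which reads the context config file (the
        // Realm mapping subject DNs to users and roles) and installs the SSLAuthenticator
        // valve for a CLIENT-CERT login-config. Tomcat.addContext skips ContextConfig, so
        // with it the valve would have to be added to the pipeline by hand.
        Context ctx = tomcat.addWebapp("", DOC_BASE);
        ctx.setConfigFile(new URL(CONTEXT_XML));

        // Application side: this is what makes Tomcat authenticate the request instead of
        // merely forwarding the chain as javax.servlet.request.X509Certificate.
        LoginConfig login = new LoginConfig();
        login.setAuthMethod("CLIENT-CERT");
        ctx.setLoginConfig(login);

        // Constraint covering the whole app. Role "*" = any declared role, so no valid
        // user is turned away by role and the servlet can still branch on isUserInRole().
        SecurityCollection all = new SecurityCollection();
        all.addPattern("/*");
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.addCollection(all);
        constraint.addAuthRole("*");
        constraint.setUserConstraint("CONFIDENTIAL");
        ctx.addConstraint(constraint);

        // "*" expands to the roles declared here (Realm default allRolesMode="strict").
        ctx.addSecurityRole("cart-user");
        ctx.addSecurityRole("cart-admin");

        tomcat.start();
        tomcat.getServer().await();
    }
}
```

With this in place, getUserPrincipal() returns the Realm's user for the certificate and isUserInRole("cart-admin") reflects that user's roles; without the login-config, Tomcat only exposes the raw chain as a request attribute, as Chris describes.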

Re: Tomcat client certificate authentication

2023-02-01 Thread Dave Breeze
Chris
thanks for your mail
Apologies for confusion. Yes I am requesting certificates
- sslCon.setProperty("clientAuth", "required") and a user can only connect
by supplying a valid certificate.

I removed constraints from the web.xml as I did not want access to a
servlet restricted to a role - I need the servlet to respond
differently based on role. what I have decided to do in the servlet is to
retrieve the user-id from the certificate and determine their role by using
a security product native to the platform on which Tomcat is running

Thanks for your help.

Dave Breeze
LinkedIn: https://uk.linkedin.com/in/dabreeze


On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Dave,
>
> On 1/30/23 04:21, Dave Breeze wrote:
> > Thanks Chris
> > the application is requesting certificate authentication - and this is
> > working - it is just the mapping of users to roles that is not
> > happening
>
> No, the server is requesting the certificate information; the
> application is not. From your original posting:
>
>
> On 1/28/23 09:28, Dave Breeze wrote:
>  > There are no security constraints on the apps web.xml.
>
> With no security constraints, the application is not requesting
> authentication. Tomcat therefore does not provide any "authentication
> information" to the application. If the client sends a certificate
> (which is happening at the request of the /server/), then Tomcat will
> forward that certificate information to the application. But it will not
> use it for any kind of authentication or authorization.
>
> > I implemented an org.apache.catalina.realm.X509UsernameRetriever and
> > configured using X509UsernameRetrieverClassName but it was never
> > called. In my servlet, however, I can retrieve the certificates.
>
> That's consistent with your configuration IMO.
>
> You will have to tell your application to use CLIENT-CERT authentication
> if you want Tomcat to parse that cert chain for you, populate the user
> principal, etc.
>
> -chris
>
> > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
> >  wrote:
> >>
> >> Dave,
> >>
> >> On 1/28/23 09:28, Dave Breeze wrote:
> >>> this is Tomcat 9.0 running embedded
> >>>
> >>> I am trying to authorize access by client certificate. I want the
> >>> servlet response to be tailored to the user's role. In other words I
> >>> am not looking to deny access by role.
> >>>
> >>> The connector has sslCon.setProperty("clientAuth", "required");
> >>> The context has a config file set
> serverAppContext.setConfigFile(contextURL);
> >>> The config file contains
> >>>
> >>> 
> >>> 
> >>>  >>>debug="9"
> >>>pathname="/var/CartS3Server/cartapp/users.xml"/>
> >>> 
> >>>
> >>> users.xml contains
> >>>
> >>> 
> >>> 
> >>> 
> >>> 
> >>>  roles="cart-user"/>
> >>>  roles="cart-admin"/>
> >>> 
> >>>
> >>>
> >>> Certificates are imported into the browser and the browser prompts for
> >>> cert selection.
> >>>
> >>> There are no security constraints on the apps web.xml.
> >>>
> >>> In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> >>> This always fails. Also a req.getUserPrincipal() call always returns
> >>> null. The request does not seem to be authenticated.
> >>> Further in the servlet a X509Certificate[] certs = (X509Certificate[])
> >>> req.getAttribute("javax.servlet.request.X509Certificate") correctly
> >>> returns both the certificate from the browser plus the Cert Auth. A
> >>> getSubjectX500Principal().getName() call on the browser certificate
> >>> returns the cn/o/ou setting that should match with users.xml.
> >>>
> >>> What am I missing here?
> >>
> >> If the application does not request authentication, Tomcat will not
> >> perform it on behalf of the application. If you want a Principal and to
> >> be able to check roles, etc. then you'll need to request CLIENT-CERT
> >> authentication in web.xml (or the embedded equivalent).
> >>
> >> -chris
>
>
>


Re: Tomcat client certificate authentication

2023-01-30 Thread Christopher Schultz

Dave,

On 1/30/23 04:21, Dave Breeze wrote:

Thanks Chris
the application is requesting certificate authentication - and this is
working - it is just the mapping of users to roles that is not
happening


No, the server is requesting the certificate information; the 
application is not. From your original posting:



On 1/28/23 09:28, Dave Breeze wrote:
> There are no security constraints on the apps web.xml.

With no security constraints, the application is not requesting 
authentication. Tomcat therefore does not provide any "authentication 
information" to the application. If the client sends a certificate 
(which is happening at the request of the /server/), then Tomcat will 
forward that certificate information to the application. But it will not 
use it for any kind of authentication or authorization.



I implemented an org.apache.catalina.realm.X509UsernameRetriever and
configured using X509UsernameRetrieverClassName but it was never
called. In my servlet, however, I can retrieve the certificates.


That's consistent with your configuration IMO.

You will have to tell your application to use CLIENT-CERT authentication 
if you want Tomcat to parse that cert chain for you, populate the user 
principal, etc.


-chris


On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
 wrote:


Dave,

On 1/28/23 09:28, Dave Breeze wrote:

this is Tomcat 9.0 running embedded

I am trying to authorize access by client certificate. I want the
servlet response to be tailored to the user's role. In other words I
am not looking to deny access by role.

The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set serverAppContext.setConfigFile(contextURL);
The config file contains






users.xml contains










Certificates are imported into the browser and the browser prompts for
cert selection.

There are no security constraints on the apps web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin").
This always fails. Also a req.getUserPrincipal() call always returns
null. The request does not seem to be authenticated.


Further in the servlet a X509Certificate[] certs = (X509Certificate[])
req.getAttribute("javax.servlet.request.X509Certificate") correctly
returns both the certificate from the browser plus the Cert Auth. A
getSubjectX500Principal().getName() call on the browser certificate
returns the cn/o/ou setting that should match with users.xml.

What am I missing here?


If the application does not request authentication, Tomcat will not
perform if on behalf of the application. If you want a Principal and to
be able to check roles, etc. then you'll need to request CLIENT-CERT
authentication in web.xml (or the embedded equivalent).

-chris





Re: Tomcat client certificate authentication

2023-01-30 Thread Dave Breeze
Thanks Chris
the application is requesting certificate authentication - and this is
working - it is just the mapping of users to roles that is not
happening

I implemented an org.apache.catalina.realm.X509UsernameRetriever and
configured using X509UsernameRetrieverClassName but it was never
called. In my servlet, however, I can retrieve the certificates.

thanks for your help

Dave Breeze
LinkedIn: https://uk.linkedin.com/in/dabreeze

On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
 wrote:
>
> Dave,
>
> On 1/28/23 09:28, Dave Breeze wrote:
> > this is Tomcat 9.0 running embedded
> >
> > I am trying to authorize access by client certificate. I want the
> > servlet response to be tailored to the user's role. In other words I
> > am not looking to deny access by role.
> >
> > The connector has sslCon.setProperty("clientAuth", "required");
> > The context has a config file set 
> > serverAppContext.setConfigFile(contextURL);
> > The config file contains
> >
> > 
> > 
> > >   debug="9"
> >   pathname="/var/CartS3Server/cartapp/users.xml"/>
> > 
> >
> > users.xml contains
> >
> > 
> > 
> >
> >
> >
> > > roles="cart-admin"/>
> > 
> >
> >
> > Certificates are imported into the browser and the browser prompts for
> > cert selection.
> >
> > There are no security constraints on the apps web.xml.
> >
> > In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> > This always fails. Also a req.getUserPrincipal() call always returns
> > null. The request does not seem to be authenticated.
> > Further in the servlet a X509Certificate[] certs = (X509Certificate[])
> > req.getAttribute("javax.servlet.request.X509Certificate") correctly
> > returns both the certificate from the browser plus the Cert Auth. A
> > getSubjectX500Principal().getName() call on the browser certificate
> > returns the cn/o/ou setting that should match with users.xml.
> >
> > What am I missing here?
>
> If the application does not request authentication, Tomcat will not
> perform it on behalf of the application. If you want a Principal and to
> be able to check roles, etc. then you'll need to request CLIENT-CERT
> authentication in web.xml (or the embedded equivalent).
>
> -chris




Re: Tomcat client certificate authentication

2023-01-29 Thread Christopher Schultz

Dave,

On 1/28/23 09:28, Dave Breeze wrote:

this is Tomcat 9.0 running embedded

I am trying to authorize access by client certificate. I want the
servlet response to be tailored to the user's role. In other words I
am not looking to deny access by role.

The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set serverAppContext.setConfigFile(contextURL);
The config file contains



   


users.xml contains



   
   
   
   



Certificates are imported into the browser and the browser prompts for
cert selection.

There are no security constraints on the apps web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin").
This always fails. Also a req.getUserPrincipal() call always returns
null. The request does not seem to be authenticated.


Further in the servlet a X509Certificate[] certs = (X509Certificate[])
req.getAttribute("javax.servlet.request.X509Certificate") correctly
returns both the certificate from the browser plus the Cert Auth. A
getSubjectX500Principal().getName() call on the browser certificate
returns the cn/o/ou setting that should match with users.xml.

What am I missing here?


If the application does not request authentication, Tomcat will not 
perform it on behalf of the application. If you want a Principal and to 
be able to check roles, etc. then you'll need to request CLIENT-CERT 
authentication in web.xml (or the embedded equivalent).


-chris




Tomcat client certificate authentication

2023-01-28 Thread Dave Breeze
Hi,
this is Tomcat 9.0 running embedded

I am trying to authorize access by client certificate. I want the
servlet response to be tailored to the user's role. In other words I
am not looking to deny access by role.

The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set serverAppContext.setConfigFile(contextURL);
The config file contains



  


users.xml contains



  
  
  
  



Certificates are imported into the browser and the browser prompts for
cert selection.

There are no security constraints on the apps web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin").
This always fails. Also a req.getUserPrincipal() call always returns
null. The request does not seem to be authenticated.

Further in the servlet a X509Certificate[] certs = (X509Certificate[])
req.getAttribute("javax.servlet.request.X509Certificate") correctly
returns both the certificate from the browser plus the Cert Auth. A
getSubjectX500Principal().getName() call on the browser certificate
returns the cn/o/ou setting that should match with users.xml.

What am I missing here?


Dave Breeze
LinkedIn: https://uk.linkedin.com/in/dabreeze
