The important files are:
server.xml:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="100" debug="0" scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
keystoreFile="conf/.keystore"
clientAuth="false" protocol="TLS" />
</Connector>
...
<Realm className="org.apache.catalina.realm.MemoryRealm" />
tomcat-users.xml:
<user username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
password="null" roles="tomcat,certs"/>
web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd";>
<web-app>
<display-name>Bug 12218</display-name>
<description>
Test web app for bug 12218.
</description>
<security-constraint>
<web-resource-collection>
<web-resource-name>App</web-resource-name>
<url-pattern>/protected.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<role-name>tomcat</role-name>
</security-role>
</web-app>
The steps I tend to follow when setting this sort of thing up are:
1. Build simple two page web app.
2. Configure one page to require basic authentication
3. Test basic auth - checks tomcat-users.xml and realm set up correctly
4. Configure SSL
5. Test http://localhost:8443/ - checks SSL set up
6. Test app with SSL - not really necessary but best to double check
7. Reconfigure app to use CLIENT-CERT
> -----Original Message-----
> From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 18, 2004 8:01 AM
> To: Tomcat Users List
> Subject: RE: tomcat certificate
>
>
> Could you send us a sample of that "web.xml" file?
> I am also using client certificates over SSL with Tomcat,
> but as I could
> not find much information about it in Tomcat I configured it
> with Apache.
>
> Idoia
>
>
>
>
>
> "Mark Thomas"
>
>
> <[EMAIL PROTECTED] Para:
> "'Tomcat Users List'" <[EMAIL PROTECTED]>
>
> > cc:
>
>
> Asunto: RE:
> tomcat certificate
>
> 17/03/04 21:22
>
>
> Por favor,
>
>
> responda a
>
>
> "Tomcat Users
>
>
> List"
>
>
>
>
>
>
>
>
>
>
>
> This is not correct. Tomcat does support CLIENT-CERT authentication
> 'out-of-the-box'. When combined with appropriate
> authorisation constraints
> in
> web.xml you can limit access to specific URLs.
>
> I have this working quite happily.
>
> Mark
>
> > -----Original Message-----
> > From: Rommel Sharma [mailto:[EMAIL PROTECTED]
> > Sent: Monday, February 23, 2004 11:28 AM
> > To: Tomcat Users List
> > Subject: Re: tomcat certificate
> >
> > Tomcat as such on its own does not parse and validate a certificate.
> > I don't think its possible. You can identify a client through the
> > certificate alias the client uses.
> > Access to specific URLs depends on the server certificate
> > where you specify
> > the URL and send the client your public key.
> > I think there is no automatic mechanism in Tomcat that studies the
> > certificate and allows access to specific URLs. This needs to
> > be implemented
> > by any our deployed programs.
> >
> > ----- Original Message -----
> > From: "secam secam" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Monday, February 23, 2004 4:17 PM
> > Subject: Re: tomcat certificate
> >
> > > Thanks,
> > >
> > > Here is my real problem,
> > >
> > > I've got an external server that authentificate user and deliver a
> > certicate with the trio User/Group/Role.
> > >
> > > In fact, i just want that the certificate give information
> > of the user to
> > tomcat in order to permit the access to some specifics url.
> > >
> > > Is it possible?
> > >
> > > Regard's
> > >
> > > Secam
> > >
> > > Rommel Sharma <[EMAIL PROTECTED]> wrote:
> > > If you mean two way authentication using SSL, then you have
> > to write the
> > > code that reads clients certificate and matches it with one
> > present in
> > > client keystore on the server. You enable client authentication in
> > > server.xml for this and specify the serverkeystore and
> > password in it.
> > > Regards,
> > > Rommel Sharma.
> > >
> > > ----- Original Message -----
> > > From: "secam secam"
> > > To:
> > > Sent: Monday, February 23, 2004 3:30 PM
> > > Subject: tomcat certificate
> > >
> > > > hello,
> > > >
> > > > I'm a new user of tomcat.
> > > > Can tomcat authenticate a user with a certifcate ?
> > > >
> > > > Thanks,
> > > > Secam
> > > >
> > > >
> > > > ---------------------------------
> > > > Yahoo! Mail : votre e-mail personnel et gratuit qui vous
> > suit partout !
> > > > Cr�ez votre Yahoo! Mail
> > >
> > > *********************************************************
> > > Disclaimer
> > >
> > > This message (including any attachments) contains
> > > confidential information intended for a specific
> > > individual and purpose, and is protected by law.
> > > If you are not the intended recipient, you should
> > > delete this message and are hereby notified that
> > > any disclosure, copying, or distribution of this
> > > message, or the taking of any action based on it,
> > > is strictly prohibited.
> > >
> > > *********************************************************
> > > Visit us at http://www.mahindrabt.com
> > >
> > >
> > >
> > >
> > >
> >
> ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail:
> [EMAIL PROTECTED]
> > >
> > >
> > > ---------------------------------
> > > Yahoo! Mail : votre e-mail personnel et gratuit qui vous
> > suit partout !
> > > Cr�ez votre Yahoo! Mail
> >
> > *********************************************************
> > Disclaimer
> >
> > This message (including any attachments) contains
> > confidential information intended for a specific
> > individual and purpose, and is protected by law.
> > If you are not the intended recipient, you should
> > delete this message and are hereby notified that
> > any disclosure, copying, or distribution of this
> > message, or the taking of any action based on it,
> > is strictly prohibited.
> >
> > *********************************************************
> > Visit us at http://www.mahindrabt.com
> >
> >
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
> Idoia Murua Belacortu
> Dpto. de Sistemas de Informaci�n y Telecomunicaciones
> Information Systems & Telecommunications Dept.
> ROBOTIKER, Corporaci�n Tecnol�gica TECNALIA.
> Parque Tecnol�gico, Edificio 202. E-48170 Zamudio (Bizkaia) (SPAIN).
> Tel: (34) 94 600 22 66. Fax: (34) 94 600 22 99
> [EMAIL PROTECTED], www.robotiker.com
>
> "Este correo electr�nico contiene informaci�n privada
> que puede estar
> legalmente protegida, parcial o totalmente. Es s�lo
> para uso del
> destinatario al que est� dirigido. Si ha recibido este
> mensaje por error,
> le rogamos que lo notifique al remitente del email y que
> adem�s borre de su
> sistema el mensaje as� como todas sus copias,
> incluyendo las posibles
> copias del mismo en su disco duro, y se abstenga de
> usar, revelar,
> distribuir a terceros, imprimir o copiar ninguna de las
> partes de este
> mensaje".
> "Mezu elektroniko honek informazio pribatua du, partzialki
> edo osorik legez
> babestuta egon daitekeena. Bidali nahi zaion
> hartzaileak erabiltzeko
> bakarrik da. Mezu hau hutsegite baten ondorioz jaso
> baduzu, mesedez,
> mezuaren igorleari jakinaraztea eta mezua eta horren
> kopia guztiak
> ezabatzea eskatzen dizugu, disko gogorrean izan
> ditzakezunak barne. Eta,
> orobat, ez erabili mezu honen zatirik, ez eta erakutsi,
> beste pertsona
> batzuei banatu, inprimatu edo berridatzi ere".
> "This e-mail contains proprietary information some or all
> of which may be
> legally protected. It is for sole use of the intended
> recipient only. If
> you have received this message by mistake, you are requested
> to notify the
> e-mail sender and erase both the message and any copies
> from your system,
> including hard disk copies. You are further requested
> to refrain from
> using, distributing to third parties, printing or making
> copies of any
> parts of this message".
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
