On 02/10/14 19:00, Christopher Schultz wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Nathan, > > On 10/1/14 12:16 PM, Nathan Quirynen wrote: >> On 01/10/14 18:08, Christopher Schultz wrote: Nathan, >> >> On 10/1/14 10:02 AM, Nathan Quirynen wrote: >>>>> Hi Tomcat users, >>>>> >>>>> A current application has client authentication configured in >>>>> the SSL Connector (server.xml): >>>>> >>>>> <Connector port="8443" ... clientAuth="true" >>>>> keystoreFile=".keystore" keystorePass="..." >>>>> truststoreFile=".truststore" truststorePass="..." /> >>>>> >>>>> And the CA root certificates have been added to the >>>>> truststore. >>>>> >>>>> This way it asks for a client certificate in any case, which >>>>> works and is fine for this application. For a new application >>>>> the use case is a bit different. I only need client >>>>> authentication for a specific defined path (for example: >>>>> /secured/*). After some research I found this was possible >>>>> with defining this on application level in the web.xml file. >>>>> So I changed my configuration to: >>>>> >>>>> server.xml: >>>>> >>>>> <Connector port="8443" ... clientAuth="false" >>>>> keystoreFile=".keystore" keystorePass="..." >>>>> truststoreFile=".truststore" truststorePass="..." /> >>>>> >>>>> web.xml: >>>>> >>>>> <security-constraint> <web-resource-collection> >>>>> <web-resource-name>Secureconn</web-resource-name> >>>>> <url-pattern>/secured/*</url-pattern> >>>>> <http-method>GET</http-method> </web-resource-collection> >>>>> <auth-constraint> <role-name>secureconn</role-name> >>>>> </auth-constraint> </security-constraint> <login-config> >>>>> <auth-method>CLIENT-CERT</auth-method> >>>>> <realm-name>Secureconn</realm-name> </login-config> >>>>> <security-role> <role-name>secureconn</role-name> >>>>> </security-role> >>>>> >>>>> >>>>> In this case it actually only asks for client authentication >>>>> when going to for example "secured/home" page. But I'm >>>>> getting a 401 message code. >>>>> >>>>> What am I missing to get people authenticated based on the CA >>>>> root certificates that are in the configured truststore? Is >>>>> it even possible what I am trying? >> What happens if you change clientAuth="false" to >> clientAuth="want"? >> >> -chris >>> --------------------------------------------------------------------- >>> >>> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> >> Hey Chris, >> >> If I change it to want I still get the same error: >> >> HTTP Status 401 - Cannot authenticate with the provided >> credentials > So just to be sure, the only difference between the application you > have that is working and the one that is not working is that you have > a different <url-pattern> in your web.xml? > > Generally speaking, Tomcat will authenticate the client certificate > just using the configuration at the <Connector> level. Using > CLIENT-CERT in the application is used for application credentials -- > such as establishing roles to be used with role-based permissions. > > Do you intend to use role-based permissions and all that other stuff, > or do you just want to make sure that the client has a valid certificate? > > If you just want to make sure that the certificate is valid, then you > want to use clientAuth="want" and remove the configuration you have > from web.xml. Next, you will need to write a Filter that grabs the > X509 certificate from the request and does manual checking. > > You might be able to get some help from a series of posts I wrote a > few years ago about manually-handling X509 certificates: > http://markmail.org/message/kzxsamuiu6bldjmv > > Hope that helps, > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCAAGBQJULYSZAAoJEBzwKT+lPKRYorwP/1GT+aPdAK5Vu2piCp+4ZDXQ > kGm42DzD0FBM8oKI2vgPj/hvOTEYC+e7EndxxUbhaSoek0O71hlEeWfnhrCt3lNs > xKHBhwXHeVwxOkSHsjZKfzHqoJgHhMBBVU5rQHQ1mwIT71bayNSYVuG/QRZFffoM > lef1YTql+jt+LOgfJauD/yozYG2fblEMMEcUWfBtpruEFVns6Vu2m5vwKwn7si2K > 13SjiqoULIOf6FkiKXiCewXACq98KLbjo21m5SkUNDgFiE6wWquOX/uyQBBP8n+p > B2H6b6YlQAj1KOBtH+yd+0vnW6BwjI9ZxHDfT7t8Ii1zBwUDFj3QZOJ5RXFwteQR > cFjJXxmRliD/EuEfjZuHD5U9d51Eq44RU6p3/8cuIg90gx8fPYBULJimXRX6v4ca > EdTmqnJyxZeh2WoNAY2k+24OxwwxKSZUErxm0biBAy/wcqT1O1ePkaCI6YQx1Vkj > TnHxleVWvr2FpZDp1apmTcgzP0gBnD6fOG8ltf8Nqe/Ax4l6nhdK3Q19YLTt2Q2z > IKX7oUOYru0GNuICtsNYz0EprzdMxnv28v3SBYLSfHln9J5WWtfBeOlKxMPmP0Fg > ZJG/X/zUUC2IxDNe6u7ZdZr/vqxDLyZxc74ugiVIxveutzrXOHdxnPRIzbEXjYIC > umadSoe7yZwlcEAAQFG/ > =bMuo > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > Yes that's what I want. But when I set clientAuth to "want" it asks for the client certificate on every path, which I don't want... I only want client authentication on the specified path. I'm wondering if I can solve what I need with Tomcat alone. Maybe I should put Apache in front?
Nathan -- Een klare kijk op aanvullende pensioenen *Nathan Quirynen* 03 340 04 60 | 0494 28 45 15 nat...@pensionarchitects.be <mailto:nat...@pensionarchitects.be> Follow us on Web <http://www.pensionarchitects.be> | Twitter <http://www.twitter.com/pen_arch> | LinkedIn <http://www.linkedin.com/company/pension-architects> | RSS <http://feeds.feedburner.com/pensionarchitects> | YouTube <http://www.youtube.com/pensionarchitects>