2014-10-03 17:42 GMT+02:00 Nathan Quirynen <nat...@pensionarchitects.be>:
>
> On 02/10/14 19:00, Christopher Schultz wrote:
> > Nathan,
> >
> > On 10/1/14 12:16 PM, Nathan Quirynen wrote:
> > > On 01/10/14 18:08, Christopher Schultz wrote:
> > > > Nathan,
> > > >
> > > > On 10/1/14 10:02 AM, Nathan Quirynen wrote:
> > > > > Hi Tomcat users,
> > > > >
> > > > > A current application has client authentication configured in
> > > > > the SSL Connector (server.xml):
> > > > >
> > > > >   <Connector port="8443" ... clientAuth="true"
> > > > >              keystoreFile=".keystore" keystorePass="..."
> > > > >              truststoreFile=".truststore" truststorePass="..." />
> > > > >
> > > > > And the CA root certificates have been added to the truststore.
> > > > >
> > > > > This way it asks for a client certificate in any case, which
> > > > > works and is fine for this application. For a new application
> > > > > the use case is a bit different. I only need client
> > > > > authentication for a specific defined path (for example:
> > > > > /secured/*). After some research I found this was possible
> > > > > by defining this on application level in the web.xml file.
> > > > > So I changed my configuration to:
> > > > >
> > > > > server.xml:
> > > > >
> > > > >   <Connector port="8443" ... clientAuth="false"
> > > > >              keystoreFile=".keystore" keystorePass="..."
> > > > >              truststoreFile=".truststore" truststorePass="..." />
> > > > >
> > > > > web.xml:
> > > > >
> > > > >   <security-constraint>
> > > > >     <web-resource-collection>
> > > > >       <web-resource-name>Secureconn</web-resource-name>
> > > > >       <url-pattern>/secured/*</url-pattern>
> > > > >       <http-method>GET</http-method>
> > > > >     </web-resource-collection>
> > > > >     <auth-constraint>
> > > > >       <role-name>secureconn</role-name>
> > > > >     </auth-constraint>
> > > > >   </security-constraint>
> > > > >   <login-config>
> > > > >     <auth-method>CLIENT-CERT</auth-method>
> > > > >     <realm-name>Secureconn</realm-name>
> > > > >   </login-config>
> > > > >   <security-role>
> > > > >     <role-name>secureconn</role-name>
> > > > >   </security-role>
> > > > >
> > > > > In this case it actually only asks for client authentication
> > > > > when going to, for example, the "secured/home" page. But I'm
> > > > > getting a 401 status code.
> > > > >
> > > > > What am I missing to get people authenticated based on the CA
> > > > > root certificates that are in the configured truststore? Is
> > > > > what I am trying even possible?
> > > >
> > > > What happens if you change clientAuth="false" to
> > > > clientAuth="want"?
> > > >
> > > > -chris
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > > Hey Chris,
> > >
> > > If I change it to want I still get the same error:
> > >
> > >   HTTP Status 401 - Cannot authenticate with the provided credentials
> >
> > So just to be sure, the only difference between the application you
> > have that is working and the one that is not working is that you have
> > a different <url-pattern> in your web.xml?
> >
> > Generally speaking, Tomcat will authenticate the client certificate
> > just using the configuration at the <Connector> level. Using
> > CLIENT-CERT in the application is used for application credentials --
> > such as establishing roles to be used with role-based permissions.
> >
> > Do you intend to use role-based permissions and all that other stuff,
> > or do you just want to make sure that the client has a valid certificate?
> >
> > If you just want to make sure that the certificate is valid, then you
> > want to use clientAuth="want" and remove the configuration you have
> > from web.xml. Next, you will need to write a Filter that grabs the
> > X509 certificate from the request and does manual checking.
> >
> > You might be able to get some help from a series of posts I wrote a
> > few years ago about manually handling X509 certificates:
> > http://markmail.org/message/kzxsamuiu6bldjmv
> >
> > Hope that helps,
> > -chris
>
> Yes, that's what I want. But when I set clientAuth to "want" it asks for the
> client certificate on every path, which I don't want... I only want client
> authentication on the specified path.
> I'm wondering if I can solve what I need with Tomcat alone. Maybe I should
> put Apache in front?
One way you could do it would be to:

- set clientAuth="false" in your connector
- add the security-constraint as you did, except for the security-role:

    <security-role>
      <role-name>*</role-name>
    </security-role>

As said before, this will add the SSLAuthenticator, which will ask for a certificate if not present (at the cost of one round trip) and validate that certificate on the realm for the context.

Then you have to add a realm which does nothing else than return true with any certificate, by coding your own realm implementation, something like:

    import java.security.Principal;
    import java.security.cert.X509Certificate;
    import org.apache.catalina.realm.GenericPrincipal;
    import org.apache.catalina.realm.NullRealm;

    public class MyRealm extends NullRealm {
        @Override
        protected Principal getPrincipal(X509Certificate certificate) {
            // principal name = subject DN of the client certificate; no password, no roles
            return new GenericPrincipal(certificate.getSubjectDN().getName(), null, null);
        }
    }

Then, in your context.xml file (META-INF/context.xml or conf/Catalina/localhost/appname.xml), add that custom realm:

    <Context>
      <Realm className="my.package.MyRealm" validate="true" allRolesMode="authOnly"/>
    </Context>

With this, the SSLAuthenticator should call your Realm and get a principal with the subject DN as principal name and no roles. validate="true" will validate the client certificate. allRolesMode="authOnly" should tell Tomcat not to verify any roles (this works with the * in security-role).

This should do what you want, but there may be some security implication I did not see, or a much simpler way to get what you want.

Good luck,
-- 
Cédric
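As an added example (not code from this thread, from Tomcat, or from the posts Chris links), here is what the Filter he describes can look like when it does the "manual checking" for one path only. It assumes the connector is left at clientAuth="want" so the handshake still completes when no certificate is sent, and that the filter is mapped to /secured/* in web.xml; the class name ClientCertFilter, the init parameter allowedIssuers and the sample issuer DN are all assumptions. JSSE has already rejected any presented chain that does not lead to a certificate in the truststore (the handshake fails in that case), so the filter adds only the checks the handshake does not make for this path: that a certificate was presented at all, that it is inside its validity period, and that its issuer is one of the CAs accepted for /secured/*.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical web.xml wiring (filter name, class and DN are assumptions):
 *
 *   <filter>
 *     <filter-name>clientCert</filter-name>
 *     <filter-class>ClientCertFilter</filter-class>
 *     <init-param>
 *       <param-name>allowedIssuers</param-name>
 *       <param-value>CN=Example Client CA,O=Example,C=BE</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>clientCert</filter-name>
 *     <url-pattern>/secured/*</url-pattern>
 *   </filter-mapping>
 */
public class ClientCertFilter implements Filter {

    /** Servlet-spec attribute under which Tomcat exposes the client's chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private final Set<X500Principal> allowedIssuers = new HashSet<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedIssuers");
        if (param == null || param.trim().isEmpty()) {
            throw new ServletException("allowedIssuers init-param is required");
        }
        // DNs contain commas, so entries are separated by ';'. X500Principal
        // canonicalises the DN, so the comparison below is not a byte-for-byte
        // string match on whatever the CA happened to encode.
        for (String dn : param.split(";")) {
            allowedIssuers.add(new X500Principal(dn.trim()));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] presented = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String reason = reject(presented);
        if (reason != null) {
            // 403 rather than 401: no HTTP challenge can repair a TLS-level problem
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, reason);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns null when the chain is acceptable, otherwise the reason for rejecting it. */
    String reject(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            // clientAuth="want" lets the handshake finish without a certificate;
            // this is where "no certificate" becomes a refusal for this path.
            return "client certificate required";
        }
        X509Certificate leaf = certs[0];   // certs[0] is the client's own certificate
        try {
            leaf.checkValidity();          // notBefore / notAfter only, not revocation
        } catch (CertificateException e) {
            return "client certificate expired or not yet valid";
        }
        if (!allowedIssuers.contains(leaf.getIssuerX500Principal())) {
            return "client certificate not issued by an accepted CA";
        }
        return null;
    }

    @Override
    public void destroy() {
        allowedIssuers.clear();
    }
}
```

Chain building and signature verification stay in JSSE and the truststore; the filter only adds the per-path policy on top of that. Two caveats apply to this route as much as to the realm-based one: revocation is not checked by checkValidity() or by the default handshake unless the connector is configured with a CRL (the crlFile attribute), and with clientAuth="want" the browser is still prompted on every connection to that connector, which is exactly the objection raised in the quoted message; the security-constraint approach above keeps the prompt to the constrained paths at the cost of the extra round trip.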