Dave,
On 1/28/23 09:28, Dave Breeze wrote:
this is Tomcat 9.0 running embedded
I am trying to authorize access by client certificate. I want the
servlet response to be tailored to the user's role. In other words I
am not looking to deny access by role.
The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set serverAppContext.setConfigFile(contextURL);
The config file contains
<?xml version="1.0" encoding="UTF-8"?>
<Context>
<Realm className="org.apache.catalina.realm.MemoryRealm"
debug="9"
pathname="/var/CartS3Server/cartapp/users.xml"/>
</Context>
users.xml contains
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="cart-admin"/>
<role rolename="cart-user"/>
<user username="CN=TTSDB1,OU=CART,O=CART" password="" roles="cart-user"/>
<user username="CN=TTSDB2,OU=CART,O=CART" password="" roles="cart-admin"/>
</tomcat-users>
Certificates are imported into the browser and the browser prompts for
cert selection.
There are no security constraints in the app's web.xml.
In the servlet there is a test of httpReq.isUserInRole("cart-admin").
This always fails. Also a req.getUserPrincipal() call always returns
null. The request does not seem to be authenticated.
Further in the servlet a X509Certificate[] certs = (X509Certificate[])
req.getAttribute("javax.servlet.request.X509Certificate") correctly
returns both the certificate from the browser plus the Cert Auth. A
getSubjectX500Principal().getName() call on the browser certificate
returns the cn/o/ou setting that should match with users.xml.
What am I missing here?
If the application does not request authentication, Tomcat will not
perform it on behalf of the application. If you want a Principal and to
be able to check roles, etc. then you'll need to request CLIENT-CERT
authentication in web.xml (or the embedded equivalent).
-chris
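For readers hitting the same wall, here is what "the embedded equivalent" looks like for Tomcat 9. This is an added illustration, not code from either poster or from the Tomcat project; the keystore/truststore paths under /etc/cart/tls/, the port, the base/doc directories and the CartServlet are assumptions, while the users.xml path and role names are the ones from the thread. It asks for CLIENT-CERT authentication through a LoginConfig, adds a constraint whose only auth-role is "**" (any authenticated user, so nobody is denied by role and the servlet can still tailor its output), and installs the SSLAuthenticator valve that web.xml processing would otherwise add:

```java
// Added example (not from the thread or Tomcat): embedded equivalent of
// <login-config><auth-method>CLIENT-CERT</auth-method></login-config>.
// Assumptions: keystore/truststore at /etc/cart/tls/*.p12, port 8443,
// a single servlet mapped to /*; users.xml path is the one from the thread.
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.MemoryRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class CartServer {

    /** Hypothetical servlet: the view is tailored by role, no role is denied. */
    public static class CartServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/plain");
            PrintWriter out = resp.getWriter();
            // Populated by SSLAuthenticator once CLIENT-CERT auth is requested.
            out.println("principal: " + req.getUserPrincipal());
            out.println("admin view: " + req.isUserInRole("cart-admin"));
            X509Certificate[] chain = (X509Certificate[])
                    req.getAttribute("javax.servlet.request.X509Certificate");
            out.println("chain length: " + (chain == null ? 0 : chain.length));
        }
    }

    public static void main(String[] args) throws LifecycleException {
        Tomcat tomcat = new Tomcat();
        String tmp = System.getProperty("java.io.tmpdir");   // assumption
        tomcat.setBaseDir(new File(tmp, "cart-tomcat").getAbsolutePath());

        // TLS connector that requires a client certificate: the SSLHostConfig
        // form of the older clientAuth="required" connector attribute.
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(8443);
        connector.setSecure(true);
        connector.setScheme("https");
        connector.setProperty("SSLEnabled", "true");
        SSLHostConfig ssl = new SSLHostConfig();
        ssl.setCertificateVerification("required");
        ssl.setTruststoreFile("/etc/cart/tls/truststore.p12"); // assumption: issuing CA
        ssl.setTruststorePassword("changeit");
        SSLHostConfigCertificate serverCert =
                new SSLHostConfigCertificate(ssl, SSLHostConfigCertificate.Type.RSA);
        serverCert.setCertificateKeystoreFile("/etc/cart/tls/server.p12"); // assumption
        serverCert.setCertificateKeystorePassword("changeit");
        ssl.addCertificate(serverCert);
        connector.addSslHostConfig(ssl);
        tomcat.getService().addConnector(connector);

        Context ctx = tomcat.addContext("", new File(tmp, "cart-docbase").getAbsolutePath());
        Tomcat.addServlet(ctx, "cart", new CartServlet());
        ctx.addServletMappingDecoded("/*", "cart");

        // MemoryRealm keyed by the RFC 2253 subject DN, matching users.xml.
        MemoryRealm realm = new MemoryRealm();
        realm.setPathname("/var/CartS3Server/cartapp/users.xml");
        ctx.setRealm(realm);

        // The missing piece: request CLIENT-CERT authentication ...
        LoginConfig login = new LoginConfig();
        login.setAuthMethod("CLIENT-CERT");
        ctx.setLoginConfig(login);
        ctx.addSecurityRole("cart-admin");
        ctx.addSecurityRole("cart-user");

        // ... and a constraint that triggers it. "**" admits any authenticated
        // user, so access is never denied by role; the servlet does the tailoring.
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.setAuthConstraint(true);
        constraint.addAuthRole("**");
        constraint.setUserConstraint("CONFIDENTIAL");
        SecurityCollection all = new SecurityCollection();
        all.addPatternDecoded("/*");
        constraint.addCollection(all);
        ctx.addConstraint(constraint);

        // Tomcat.addContext() does not run ContextConfig, so add the authenticator
        // valve that web.xml processing would have installed for CLIENT-CERT.
        ctx.getPipeline().addValve(new SSLAuthenticator());

        tomcat.start();
        tomcat.getServer().await();
    }
}
```

Two things worth checking against the thread: the realm is set on the Context (as the posted context XML already does), and the constraint is what makes the authenticator run at all, since with no constraint Tomcat skips authentication for the request. If a constraint is not wanted even in the "**" form, the Context's preemptiveAuthentication attribute (`ctx.setPreemptiveAuthentication(true)`) makes SSLAuthenticator authenticate whenever the client presented a certificate; the constraint form above is the documented route and the one I would deploy.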
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org