Thanks Chris, the application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening.

I implemented an org.apache.catalina.realm.X509UsernameRetriever and configured using X509UsernameRetrieverClassName but it was never called. In my servlet, however, I can retrieve the certificates.

Thanks for your help

Dave Breeze
LinkedIn: https://uk.linkedin.com/in/dabreeze

On Sun, 29 Jan 2023 at 22:21, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Dave,
>
> On 1/28/23 09:28, Dave Breeze wrote:
> > this is Tomcat 9.0 running embedded
> >
> > I am trying to authorize access by client certificate. I want the
> > servlet response to be tailored to the user's role. In other words I
> > am not looking to deny access by role.
> >
> > The connector has sslCon.setProperty("clientAuth", "required");
> > The context has a config file set
> > serverAppContext.setConfigFile(contextURL);
> > The config file contains
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <Context>
> > <Realm className="org.apache.catalina.realm.MemoryRealm"
> > debug="9"
> > pathname="/var/CartS3Server/cartapp/users.xml"/>
> > </Context>
> >
> > users.xml contains
> >
> > <?xml version='1.0' encoding='utf-8'?>
> > <tomcat-users>
> > <role rolename="cart-admin"/>
> > <role rolename="cart-user"/>
> > <user username="CN=TTSDB1,OU=CART,O=CART" password="" roles="cart-user"/>
> > <user username="CN=TTSDB2,OU=CART,O=CART" password=""
> > roles="cart-admin"/>
> > </tomcat-users>
> >
> >
> > Certificates are imported into the browser and the browser prompts for
> > cert selection.
> >
> > There are no security constraints on the app's web.xml.
> >
> > In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> > This always fails. Also a req.getUserPrincipal() call always returns
> > null. The request does not seem to be authenticated.
> >
> > Further in the servlet a X509Certificate[] certs = (X509Certificate[])
> > req.getAttribute("javax.servlet.request.X509Certificate") correctly
> > returns both the certificate from the browser plus the Cert Auth. A
> > getSubjectX500Principal().getName() call on the browser certificate
> > returns the cn/o/ou setting that should match with users.xml.
> >
> > What am I missing here?
>
> If the application does not request authentication, Tomcat will not
> perform it on behalf of the application. If you want a Principal and to
> be able to check roles, etc. then you'll need to request CLIENT-CERT
> authentication in web.xml (or the embedded equivalent).
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
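The "embedded equivalent" of the web.xml CLIENT-CERT login-config that Chris refers to, as an added example that is not code from either mail: it sets the LoginConfig programmatically and turns on preemptiveAuthentication so that a request carrying a client certificate gets a Principal even though no security-constraint denies access to anyone. It assumes Tomcat 9, a context created with addWebapp() (so ContextConfig installs the SSLAuthenticator valve), and the context path "/cart" and users.xml path from the thread.

```java
import org.apache.catalina.Context;
import org.apache.catalina.realm.MemoryRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;

/**
 * Embedded-Tomcat equivalent of <login-config><auth-method>CLIENT-CERT</auth-method></login-config>.
 * Added example for this thread (not Tomcat's or the poster's code); call before tomcat.start().
 */
public final class ClientCertContext {

    public static Context configure(Tomcat tomcat, String docBase) throws Exception {
        // addWebapp() attaches ContextConfig, which installs the authenticator
        // valve that matches the LoginConfig (SSLAuthenticator for CLIENT-CERT).
        Context ctx = tomcat.addWebapp("/cart", docBase);   // "/cart" is an assumed path

        // 1. Request certificate authentication. A web.xml without a
        //    <login-config> leaves this programmatic setting in place.
        LoginConfig login = new LoginConfig();
        login.setAuthMethod("CLIENT-CERT");
        login.setRealmName("CART");
        ctx.setLoginConfig(login);

        // 2. With no <security-constraint>, AuthenticatorBase only runs the
        //    authenticator when preemptiveAuthentication is enabled. It then
        //    authenticates any request that presents a client certificate and
        //    populates getUserPrincipal()/isUserInRole() without denying
        //    access, which is the "tailor the response by role" behaviour.
        ctx.setPreemptiveAuthentication(true);

        // 3. Realm. The default X509UsernameRetriever (X509SubjectDnRetriever)
        //    returns cert.getSubjectX500Principal().getName(), i.e. the RFC 2253
        //    form "CN=TTSDB1,OU=CART,O=CART", so that exact string is the
        //    username looked up in users.xml. A custom retriever is only
        //    consulted once the authenticator runs, hence "never called" above.
        MemoryRealm realm = new MemoryRealm();
        realm.setPathname("/var/CartS3Server/cartapp/users.xml");
        ctx.setRealm(realm);

        // If the context were created with addContext() instead, ContextConfig
        // is absent and the valve must be added by hand:
        // ctx.getPipeline().addValve(new org.apache.catalina.authenticator.SSLAuthenticator());
        return ctx;
    }
}
```

Keep clientAuth="required" on the connector as in the thread; with preemptiveAuthentication a request without a certificate would otherwise simply reach the servlet unauthenticated rather than be rejected.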