Hello Dave,

> -----Original Message-----
> From: Dave Breeze <dave.bre...@gmail.com>
> Sent: Wednesday, 1 February 2023 12:17
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Tomcat client certificate authentication
> 
> Chris
> thanks for your mail
> Apologies for confusion. Yes I am requesting certificates
> - sslCon.setProperty("clientAuth", "required") and a user can only connect by
> supplying a valid certificate.
> 
> I removed constraints from the web.xml as I did not want access to a servlet
> restricted to a role - I need the servlet to respond differently based on
> role.
> What I have decided to do in the servlet is to retrieve the user-id from the
> certificate and determine their role by using a security product native to the
> platform on which Tomcat is running.
> 
> Thanks for your help.
> 
> Dave Breeze
> Linkedin:https://uk.linkedin.com/in/dabreeze
> 

I think you need constraints in your web.xml. Otherwise Tomcat won't ask for 
authentication.
Something like:

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>protected area</web-resource-name>
             <url-pattern>/*</url-pattern>
         </web-resource-collection>

         <auth-constraint>
             <role-name>my-role</role-name>
         </auth-constraint>

         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
     </security-constraint>

     <security-role>
         <role-name>my-role</role-name>
     </security-role>

Otherwise the user is treated as an anonymous user without any identity.

Greetings, Thomas

> 
> On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> > Dave,
> >
> > On 1/30/23 04:21, Dave Breeze wrote:
> > > Thanks Chris
> > > the application is requesting certificate authentication - and this
> > > is working - it is just the mapping of users to roles that is not
> > > happening
> >
> > No, the server is requesting the certificate information; the
> > application is not. From your original posting:
> >
> >
> > On 1/28/23 09:28, Dave Breeze wrote:
> >  > There are no security constraints on the apps web.xml.
> >
> > With no security constraints, the application is not requesting
> > authentication. Tomcat therefore does not provide any "authentication
> > information" to the application. If the client sends a certificate
> > (which is happening at the request of the /server/), then Tomcat will
> > forward that certificate information to the application. But it will
> > not use it for any kind of authentication or authorization.
> >
> > > I implemented an org.apache.catalina.realm.X509UsernameRetriever and
> > > configured using X509UsernameRetrieverClassName but it was never
> > > called. In my servlet, however, I can retrieve the certificates.
> >
> > That's consistent with your configuration IMO.
> >
> > You will have to tell your application to use CLIENT-CERT
> > authentication if you want Tomcat to parse that cert chain for you,
> > populate the user principal, etc.
> >
> > -chris
> >
> > > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
> > > <ch...@christopherschultz.net> wrote:
> > >>
> > >> Dave,
> > >>
> > >> On 1/28/23 09:28, Dave Breeze wrote:
> > >>> this is Tomcat 9.0 running embedded
> > >>>
> > >>> I am trying to authorize access by client certificate. I want the
> > >>> servlet response to be tailored to the user's role. In other words
> > >>> I am not looking to deny access by role.
> > >>>
> > >>> The connector has sslCon.setProperty("clientAuth", "required");
> > >>> The context has a config file set serverAppContext.setConfigFile(contextURL);
> > >>> The config file contains
> > >>>
> > >>> <?xml version="1.0" encoding="UTF-8"?>
> > >>> <Context>
> > >>>     <Realm className="org.apache.catalina.realm.MemoryRealm"
> > >>>            debug="9"
> > >>>            pathname="/var/CartS3Server/cartapp/users.xml"/>
> > >>> </Context>
> > >>>
> > >>> users.xml contains
> > >>>
> > >>> <?xml version='1.0' encoding='utf-8'?>
> > >>> <tomcat-users>
> > >>>     <role rolename="cart-admin"/>
> > >>>     <role rolename="cart-user"/>
> > >>>     <user username="CN=TTSDB1,OU=CART,O=CART" password="" roles="cart-user"/>
> > >>>     <user username="CN=TTSDB2,OU=CART,O=CART" password="" roles="cart-admin"/>
> > >>> </tomcat-users>
> > >>>
> > >>>
> > >>> Certificates are imported into the browser and the browser prompts
> > >>> for cert selection.
> > >>>
> > >>> There are no security constraints on the apps web.xml.
> > >>>
> > >>> In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> > >>> This always fails. Also a req.getUserPrincipal() call always
> > >>> returns null. The request does not seem to be authenticated.
> > >>>
> > >>> Further in the servlet a X509Certificate[] certs =
> > >>> (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate")
> > >>> correctly returns both the certificate from the browser plus the
> > >>> Cert Auth. A getSubjectX500Principal().getName() call on the browser
> > >>> certificate returns the cn/o/ou setting that should match with
> > >>> users.xml.
> > >>>
> > >>> What am I missing here?
> > >>
> > >> If the application does not request authentication, Tomcat will not
> > >> perform it on behalf of the application. If you want a Principal
> > >> and to be able to check roles, etc. then you'll need to request
> > >> CLIENT-CERT authentication in web.xml (or the embedded equivalent).
> > >>
> > >> -chris
> >
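Putting Thomas's and Chris's advice together for the embedded Tomcat 9 setup described in the original post, as an added example that is not code from anyone in this thread: the connector keeps clientAuth=required, and the context additionally gets the CLIENT-CERT login-config, an SSLAuthenticator valve (needed here because Tomcat.addContext() does not run ContextConfig, which is what would normally install the authenticator) and a security constraint, after which the servlet receives a Principal and can check roles. Keystore/truststore paths and passwords are placeholders, and the "**" role is the Servlet 3.1 shorthand for "any authenticated user", which matches the goal of authenticating without denying access by role.

```java
import org.apache.catalina.Context;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.MemoryRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertEmbedded {
    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        // Transport layer: the TLS handshake demands a client certificate (placeholder keystore paths).
        Connector ssl = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        ssl.setPort(8443); ssl.setSecure(true); ssl.setScheme("https");
        ssl.setProperty("SSLEnabled", "true");
        ssl.setProperty("clientAuth", "required");
        ssl.setProperty("keystoreFile", "/path/to/server.p12"); ssl.setProperty("keystorePass", "changeit");
        ssl.setProperty("truststoreFile", "/path/to/client-ca.p12"); ssl.setProperty("truststorePass", "changeit");
        tomcat.getService().addConnector(ssl);
        Context ctx = tomcat.addContext("", null);
        // Realm mapping subject DNs to roles; the username in users.xml must equal the retriever's DN string exactly.
        MemoryRealm realm = new MemoryRealm();
        realm.setPathname("/var/CartS3Server/cartapp/users.xml");
        ctx.setRealm(realm);
        // Application layer (the missing part): without login-config + constraint no Principal is ever built.
        ctx.setLoginConfig(new LoginConfig("CLIENT-CERT", null, null, null));
        ctx.getPipeline().addValve(new SSLAuthenticator()); // addContext() does not install an authenticator
        SecurityCollection all = new SecurityCollection();
        all.addPattern("/*");
        SecurityConstraint sc = new SecurityConstraint();
        sc.addCollection(all);
        sc.addAuthRole("**"); // any authenticated user; role decisions stay inside the servlet
        sc.setUserConstraint("CONFIDENTIAL");
        ctx.addConstraint(sc);
        // The servlet now sees an authenticated Principal and tailors its response by role.
        Tomcat.addServlet(ctx, "cart", new HttpServlet() {
            @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws java.io.IOException {
                String role = req.isUserInRole("cart-admin") ? "admin" : "user";
                resp.getWriter().println(req.getUserPrincipal().getName() + " -> " + role);
            }
        });
        ctx.addServletMappingDecoded("/*", "cart");
        tomcat.start();
        tomcat.getServer().await();
    }
}
```

If getUserPrincipal() is still null after this, log the DN string that Tomcat derives from the client certificate once and compare it character by character with the username attribute in users.xml, since the MemoryRealm lookup is an exact string match.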