On 2/1/23 06:17, Dave Breeze wrote:
Thanks for your mail.
Apologies for the confusion. Yes, I am requesting certificates
- sslCon.setProperty("clientAuth", "required") - and a user can only connect
by supplying a valid certificate.

I removed constraints from the web.xml as I did not want access to a
servlet restricted to a role - I need the servlet to respond
differently based on role.

You can set the role in your security-constraint to '*' which means "any authenticated user regardless of role."

What I have decided to do in the servlet is to retrieve the user-id from the certificate and determine their role by using a security
product native to the platform on which Tomcat is running.
Hope that helps,

On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <ch...@christopherschultz.net> wrote:


On 1/30/23 04:21, Dave Breeze wrote:
Thanks, Chris.
The application is requesting certificate authentication, and this is
working; it is just the mapping of users to roles that is not.

No, the server is requesting the certificate information; the
application is not. From your original posting:

On 1/28/23 09:28, Dave Breeze wrote:
  > There are no security constraints on the app's web.xml.

With no security constraints, the application is not requesting
authentication. Tomcat therefore does not provide any "authentication
information" to the application. If the client sends a certificate
(which is happening at the request of the /server/), then Tomcat will
forward that certificate information to the application. But it will not
use it for any kind of authentication or authorization.

I implemented an org.apache.catalina.realm.X509UsernameRetriever and
configured using X509UsernameRetrieverClassName but it was never
called. In my servlet, however, I can retrieve the certificates.

That's consistent with your configuration IMO.

You will have to tell your application to use CLIENT-CERT authentication
if you want Tomcat to parse that cert chain for you, populate the user
principal, etc.


On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
<ch...@christopherschultz.net> wrote:


On 1/28/23 09:28, Dave Breeze wrote:
This is Tomcat 9.0 running embedded.

I am trying to authorize access by client certificate. I want the
servlet response to be tailored to the user's role. In other words I
am not looking to deny access by role.

The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set
The config file contains

<?xml version="1.0" encoding="UTF-8"?>
     <Realm className="org.apache.catalina.realm.MemoryRealm"

users.xml contains

<?xml version='1.0' encoding='utf-8'?>
     <role rolename="cart-admin"/>
     <role rolename="cart-user"/>
     <user username="CN=TTSDB1,OU=CART,O=CART" password=""
     <user username="CN=TTSDB2,OU=CART,O=CART" password=""

Certificates are imported into the browser and the browser prompts for
cert selection.

There are no security constraints on the app's web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin").
This always fails. Also a req.getUserPrincipal() call always returns
null. The request does not seem to be authenticated.
Further in the servlet an X509Certificate[] certs = (X509Certificate[])
req.getAttribute("javax.servlet.request.X509Certificate") correctly
returns both the certificate from the browser plus the Cert Auth. A
getSubjectX500Principal().getName() call on the browser certificate
returns the cn/o/ou setting that should match with users.xml.

What am I missing here?

If the application does not request authentication, Tomcat will not
perform it on behalf of the application. If you want a Principal and to
be able to check roles, etc. then you'll need to request CLIENT-CERT
authentication in web.xml (or the embedded equivalent).


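Putting Chris's two suggestions together for embedded Tomcat 9 (request CLIENT-CERT authentication, then add a security-constraint whose auth-role is '*' so the servlet itself can branch on role). This is an added example, not code from the thread or from Tomcat's own examples; the class and servlet names, the scratch directory, and the keystore, truststore and users.xml paths and passwords are placeholders I chose.

```java
import java.io.File;
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.MemoryRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;

/** Hypothetical embedded Tomcat 9 launcher: client-cert authentication with role-aware servlet. */
public class ClientCertEmbedded {

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(new File("tomcat-work").getAbsolutePath()); // placeholder scratch dir

        // HTTPS connector that demands a client certificate, as in the thread's
        // sslCon.setProperty("clientAuth", "required"). Store paths/passwords are placeholders;
        // the truststore must hold the CA that issued the client certificates.
        Connector ssl = new Connector("HTTP/1.1");
        ssl.setPort(8443);
        ssl.setSecure(true);
        ssl.setScheme("https");
        ssl.setProperty("SSLEnabled", "true");
        ssl.setProperty("clientAuth", "required");
        ssl.setProperty("keystoreFile", "/path/to/server-keystore.p12");
        ssl.setProperty("keystorePass", "changeit");
        ssl.setProperty("truststoreFile", "/path/to/client-ca-truststore.p12");
        ssl.setProperty("truststorePass", "changeit");
        tomcat.getService().addConnector(ssl);

        Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());

        // MemoryRealm maps the username Tomcat derives from the certificate (by default the
        // subject DN as a string) to the <user> entries and their roles in users.xml.
        MemoryRealm realm = new MemoryRealm();
        realm.setPathname("/path/to/users.xml"); // placeholder
        ctx.setRealm(realm);

        // 1. Ask for CLIENT-CERT authentication: the embedded equivalent of web.xml <login-config>.
        LoginConfig login = new LoginConfig();
        login.setAuthMethod("CLIENT-CERT");
        ctx.setLoginConfig(login);

        // 2. Declare the roles the servlet will test; the '*' auth-role below expands to these.
        ctx.addSecurityRole("cart-admin");
        ctx.addSecurityRole("cart-user");

        // 3. Constraint over every URL: any authenticated user in a declared role may enter,
        //    so access is not denied by role; the servlet decides what to show.
        SecurityCollection urls = new SecurityCollection();
        urls.addPattern("/*");
        SecurityConstraint constraint = new SecurityConstraint();
        constraint.addCollection(urls);
        constraint.setAuthConstraint(true);
        constraint.addAuthRole("*");
        ctx.addConstraint(constraint);

        // 4. Tomcat.addContext() does not run ContextConfig, so the authenticator valve that a
        //    web.xml deployment gets automatically must be added by hand. Without it the
        //    constraint exists but no CLIENT-CERT authentication ever runs.
        ctx.getPipeline().addValve(new SSLAuthenticator());

        Tomcat.addServlet(ctx, "cart", new CartServlet());
        ctx.addServletMappingDecoded("/*", "cart");

        tomcat.start();
        tomcat.getServer().await();
    }

    /** Tailors the response to the role; the Principal is populated once the app requests authentication. */
    public static class CartServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            Principal user = req.getUserPrincipal(); // non-null after CLIENT-CERT authentication
            resp.setContentType("text/plain");
            resp.getWriter().println("Authenticated as: " + user.getName());
            if (req.isUserInRole("cart-admin")) {
                resp.getWriter().println("Admin view");
            } else if (req.isUserInRole("cart-user")) {
                resp.getWriter().println("User view");
            }
        }
    }
}
```

Two checks worth doing when this still returns a null Principal: confirm the authenticator valve is actually in the context pipeline (step 4 is the usual omission in embedded setups that use addContext rather than addWebapp), and confirm that the username Tomcat derives from the certificate matches the users.xml username character for character, including separators and spacing, since a MemoryRealm lookup is an exact string match.
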
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
