tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Client certificates Tomcat 4
Date Mon, 05 Nov 2001 16:38:37 GMT


On Mon, 5 Nov 2001, Antony Bowesman wrote:

> Date: Mon, 05 Nov 2001 14:59:31 +0200
> From: Antony Bowesman <adb@teamware.com>
> Reply-To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> To: TomcatDev <tomcat-dev@jakarta.apache.org>
> Subject: Client certificates Tomcat 4
>
> Hi Craig, (or anyone else)
>
> Seem to be some issues with Tomcat 4 and client authentication.
>
> * CLIENT-CERT only requests certificates if using SSL - i.e. if not
> using SSL when trying to access a protected resource it gives the
> message
>
> HTTP Status 400 - No client certificate chain in this request
>

CLIENT-CERT authentication is an implicit requirement to run across an SSL
enabled link, because that's the only way you can send certificates to the
container.  Therefore, every non-SSL request to a URL protected by
CLIENT-CERT based authentication *should* throw an error.

> * If using SSL then the first access to any page causes the browser to
> request the certificate.  Access to a protected page then causes the
> BASIC authentication box to be displayed and authentication to fail.
> This is because all the Realm implementations to return null in the
> getPrincipal() method.
>
> The default implementation of the authenticate(certs) in RealmBase.java
> calls getPrincipal(certs[0].getSubjectDN().getName()).  So, it looks
> like that CLIENT-CERTS, as far as Tomcat is concerned, is simply a
> mechanism to authenticate the client machine rather than the individual
> operating the machine.   Can this be true??
>
> Surely then CLIENT-CERTS is less secure than using simple form based
> authentication over SSL.
>
> Isn't it so that there should be some kind of challenge/response
> mechanism that should enable the server to verify the user as well as
> authenticating the certificate.
>

Tomcat does the following processing for CLIENT-CERT authentication:
* Challenge the client for a certificate chain if necessary
* Call the Realm.authenticate() method that takes a certificate
  chain as the parameter
* Optionally, check the validity of the certificate chain
* Call getPrincipal() on the subject name and return that.

Thus, to properly authenticate, you must ensure that there is a
username in your Realm that matches the subject name.  It's not good
enough to have a valid certificate chain - it must be a also user that
*you* accept.

> Rgds
> --
> Antony Bowesman

Craig


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message