From: "Bill Barker"
To: "Tomcat Developers List"
Subject: Re: org.apache.catalina.authenticator.SSLAuthenticator
Date: Mon, 8 Nov 2004 12:04:55 -0800
Message-ID: <00f601c4c5ce$3777cef0$cb37a8c0@bbarkerxp>
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
List-Id: "Tomcat Developers List"
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
----- Original Message -----
From: "Ken Sims"
To:
Sent: Monday, November 08, 2004 8:25 AM
Subject: org.apache.catalina.authenticator.SSLAuthenticator

> I am curious why SSLAuthenticator does not/cannot compare some attribute
> of the client cert with the remote address (requestor)? Without such a
> check, it seems to me that certificates are as easily shared as the
> credentials used in basic authentication.

There are plenty of tutorials on CLIENT-CERT auth out there. I suggest that
you read one :).

> Also, why do the realm implementations always return null for
> getPrincipal? Couldn't they look up the user in the users database,
> ignoring the password, to establish authorized roles?

Usually when you seriously want CLIENT-CERT, you find that you need a custom
Realm anyway. There isn't really a one-size-fits-all solution. Where it is
implemented in TC (MemoryRealm, and UDBRealm in 5.5.x), it authenticates
against the Subject. In a lot of cases, you really only want the CN, or the
CN+EMAIL fields. In other cases (e.g. JNDI, JAAS) you might want the entire
cert. You can look through BZ for TC 4 to find several examples of proposed
implementations. That said, patches are always welcome :).

> The combination of these two things seems to me to really limit the
> usefulness of client certificate authentication because authentication
> provides little guarantee of who the client is, and even if it did, the
> client is denied access to any protected resources.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
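The kind of custom Realm the reply points to, as an added example (it is not Tomcat's code and was not posted by either participant): a RealmBase subclass that, like the MemoryRealm behaviour the reply describes, authenticates against the certificate Subject by pulling the CN out of the subject DN and mapping it to roles from a user table, never consulting a password. It assumes the Tomcat 5.5 org.apache.catalina.realm API (RealmBase's abstract getName/getPassword/getPrincipal, RealmBase.authenticate(X509Certificate[]) handing getPrincipal the string from certs[0].getSubjectDN().getName(), and the GenericPrincipal(Realm, String, String, List) constructor); the class name CnRealm and the two-user role table are hypothetical.

```java
package example; // hypothetical package for this added example

import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * CLIENT-CERT realm that identifies a user by the CN of the client certificate's
 * subject and assigns roles from a local table. Password handling is absent by
 * design: possession of the private key was already proven in the TLS handshake.
 * Assumes the Tomcat 5.5 RealmBase / GenericPrincipal API.
 */
public class CnRealm extends RealmBase {

    // Hypothetical user table: CN -> roles. A real deployment would load this
    // from a file, database or directory instead of hard-coding it.
    private final Map<String, List<String>> rolesByCn = new HashMap<String, List<String>>();

    public CnRealm() {
        rolesByCn.put("alice", Arrays.asList("manager", "user"));
        rolesByCn.put("bob", Arrays.asList("user"));
    }

    protected String getName() {
        return "CnRealm";
    }

    // Never used for CLIENT-CERT; returning null keeps BASIC/FORM logins from
    // succeeding against this realm by accident.
    protected String getPassword(String username) {
        return null;
    }

    // RealmBase.authenticate(X509Certificate[]) checks each certificate's validity
    // dates and then calls this with the full subject DN string of certs[0].
    // Returning null means "valid certificate, but no such user here", so the
    // request is rejected rather than admitted with no roles.
    protected Principal getPrincipal(String subjectDn) {
        String cn = rdnValue(subjectDn, "CN");
        if (cn == null) {
            return null;
        }
        List<String> roles = rolesByCn.get(cn);
        if (roles == null) {
            return null;
        }
        return new GenericPrincipal(this, cn, null, roles);
    }

    /**
     * Returns the value of the first RDN of the given type in an RFC 2253 DN, or
     * null. Uses the JDK's LdapName parser rather than splitting on commas, which
     * would break on escaped values such as "CN=Smith\, John, O=Example".
     */
    static String rdnValue(String dn, String type) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if (rdn.getType().equalsIgnoreCase(type)) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            return null;
        }
        return null;
    }
}
```

Wired in with a `<Realm className="example.CnRealm"/>` element on the Context or Engine and a connector with `clientAuth="true"`, `hasRole` then works through GenericPrincipal as usual, which answers the second question in the quoted message: the roles come from the realm's own table, not from a password check. The caveat a practitioner should keep in mind is that keying on CN alone means any certificate that chains to a CA in the connector's truststore and carries that CN is accepted as that user; if more than one CA is trusted, match the issuer or the whole DN as well, which is the "entire cert" case the reply mentions. The same `rdnValue` call can fetch the e-mail RDN for the CN+EMAIL variant, but its attribute name in the DN string varies between certificate profiles, so check what `getSubjectDN().getName()` actually returns for your CA before relying on it.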