tomcat-users mailing list archives

From "Sean Dockery" <s...@sbdconsultants.com>
Subject Re: help with client certificates
Date Tue, 11 Feb 2003 18:57:46 GMT
Let me see if I understand what problem you are experiencing...

By not having role-names, CLIENT-CERT authentication is not being enforced?
Is that what you mean?

Sean Dockery
sean@sbdconsultants.com
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

----- Original Message -----
From: "Tony Dahbura" <tony@loudcloud.com>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Tuesday, February 11, 2003 10:57
Subject: Re: help with client certificates


> Sean:
> This matches my xml file to a tee except I also have:
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>  </login-config>
>
> The problem I am trying to solve is the fact that I do not have any
> role-names.  I need to have the application request a certificate from the user
> when they hit a servlet and just accept it.  I basically want to blindly let a
> user in but require them to present a certificate.  The purpose of the
> application I am writing needs to access data within the certificate and I do
> not know who the users are until they present the certificate and I can grab
> some data from it.
>
> I need to simulate the actions of the clientAuth="true" on a connector factory
> (it blindly lets you in but forces a certificate to present).  Reason this
> cannot be used is some of the application needs the cert and some does
> not.......
>
> Hope this explains it!
>
> Tony
>
>
> Sean Dockery wrote:
>
> > In your web.xml...
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>MySecurityRestriction</web-resource-name>
> >     <description>Protect the resource.</description>
> >     <url-pattern>/ServletUrlPattern</url-pattern>
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <description>Authorized Users Group</description>
> >     <!-- Note: per the Servlet spec an auth-constraint that names no roles
> >          denies access to everyone. To require no authentication for this
> >          resource, omit the auth-constraint element entirely rather than
> >          leaving it empty. -->
> >     <!--
> >     <role-name>manager</role-name>
> >     <role-name>users</role-name>
> >     -->
> >   </auth-constraint>
> >   <user-data-constraint>
> >     <!-- transport-guarantee must be one of NONE, INTEGRAL, or CONFIDENTIAL -->
> >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > Google for "transport-guarantee web.xml" on the web.
> >
> > Simulating a logout in some servlet code...
> >
> > ...
> >
> > HttpSession session = request.getSession(false);
> >
> > /*
> >   if there is any information in the session that you want to keep (such as
> >   a locale override), grab a reference to it here...
> > */
> >
> > if(session != null)
> >   session.invalidate();
> >
> > session = request.getSession(true);
> >
> > /*
> >   restore stuff into the session that you wanted here...
> > */
> >
> > ...
> >
> > Sean Dockery
> > sean@sbdconsultants.com
> > Certified Java Web Component Developer
> > Certified Delphi Programmer
> > SBD Consultants
> > http://www.sbdconsultants.com
> >
> > ----- Original Message -----
> > From: "Tony Dahbura" <tony@loudcloud.com>
> > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > Sent: Tuesday, February 11, 2003 03:11
> > Subject: help with client certificates
> >
> > > I am trying to configure my web application within tomcat to require
> > > client certificates for certain areas.  I am not concerned about what
> > > the certificate contains-only that it is a valid certificate (not
> > > expired).
> > >
> > > I have the ssl piece working and when I use the connector option
> > > clientAuth="true" this makes my whole ssl session require
> > > certificates-which is not what I want.
> > >
> > > How can I configure the web.xml file to require certificates for only
> > > certain servlets/urls of the webapp?
> > >
> > > Would like the same functionality of clientAuth="true" (which just
> > > checks the validity of the certificate but does not try to verify or
> > > see if the user is in a list somewhere) but at the url/servlet level
> > > within the web.xml for the web app.
> > >
> > >
> > > Another quick question is how can one force the user to have to select
> > > the cert again once inside the web application (simulate a logout).
> > >  Does invalidating the session force this?  Do not want the user to have
> > > to quit out of the browser.
> > >
> > >
> > > Thanks,
> > > Tony
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > >
> > >
> >
>
> --
> Tony Dahbura
> Deployment Director
> Opsware Business Practice
> EDS Inc.
> 13900 Lincoln Park Drive
> Suite 405/WH-OPS
> Herndon, VA  20171
> voice: 703.742.1280
> fax: 703.742.1163
> tony.dahbura@eds.com
>





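Editor's added example (not code from the thread participants or from the Tomcat project): one way to get the behaviour Tony describes, "request a certificate on certain URLs, accept any certificate that is valid and not expired, and read data out of it", without relying on CLIENT-CERT login-config and role names, is a servlet Filter mapped only to the URL patterns that need a certificate. It reads the standard Servlet-spec request attribute javax.servlet.request.X509Certificate, which the container populates with the client chain on HTTPS requests. It assumes the HTTPS connector is configured to request a client certificate but not require one (clientAuth="want" in Tomcat versions that support that value), so that the rest of the application keeps working without a certificate. The class name CertRequiredFilter and the attribute name client.cert.subject are illustrative.

```java
// Added example, not from the original mailing-list thread.
// Assumes: Servlet 2.3 API (javax.servlet), HTTPS connector set to request
// but not require client certificates. Names below are illustrative.
package example;

import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CertRequiredFilter implements Filter {

    /** Standard Servlet-spec attribute holding the client chain on HTTPS requests. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Illustrative attribute name used to hand the subject DN to downstream servlets. */
    static final String SUBJECT_ATTR = "client.cert.subject";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never act on a certificate attribute for a plaintext request.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String problem = checkChain(certs);
        if (problem != null) {
            // 403 rather than 401: there is no realm or challenge to offer here.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, problem);
            return;
        }

        // Expose data from the end-entity certificate to the servlets behind this filter.
        request.setAttribute(SUBJECT_ATTR, certs[0].getSubjectDN().getName());
        chain.doFilter(request, response);
    }

    /**
     * Returns null when an end-entity certificate is present and inside its
     * validity period, otherwise a short reason. Chain verification against
     * the truststore has already been done by the connector during the TLS
     * handshake; this only enforces presence and the validity window.
     */
    static String checkChain(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return "Client certificate required";
        }
        try {
            certs[0].checkValidity();
        } catch (CertificateExpiredException e) {
            return "Client certificate expired";
        } catch (CertificateNotYetValidException e) {
            return "Client certificate not yet valid";
        }
        return null;
    }
}
```

Map the filter in web.xml with a filter and filter-mapping entry whose url-pattern lists only the servlets that need a certificate, and keep a transport-guarantee of CONFIDENTIAL on those same patterns so the attribute can actually be present. Because the check runs on every request against the TLS-level attribute rather than against anything stored in the HttpSession, invalidating the session neither breaks nor bypasses it.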