tomcat-users mailing list archives

From Tony Dahbura <t...@loudcloud.com>
Subject Re: help with client certificates
Date Tue, 11 Feb 2003 17:57:26 GMT
Sean:
This matches my xml file to a tee except I also have:

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

The problem I am trying to solve is the fact that I do not have any
role-names.  I need to have the application request a certificate from the user
when they hit a servlet and just accept it.  I basically want to blindly let a
user in but require them to present a certificate.  The purpose of the
application I am writing needs to access data within the certificate and I do
not know who the users are until they present the certificate and I can grab
some data from it.

I need to simulate the actions of the clientAuth="true" on a connector factory
(it blindly lets you in but forces a certificate to be presented).  The reason this
cannot be used is that some of the application needs the cert and some does
not.

Hope this explains it!

Tony


Sean Dockery wrote:

> In your web.xml...
>
> <security-constraint>
> <web-resource-collection>
>   <web-resource-name>MySecurityRestriction</web-resource-name>
>   <description>Protect the resource.</description>
>   <url-pattern>/ServletUrlPattern</url-pattern>
>   <http-method>GET</http-method>
>   <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
>   <description>Authorized Users Group</description>
> <!-- no role names means no authentication required for this resource -->
> <!--
>   <role-name>manager</role-name>
>   <role-name>users</role-name>
> -->
> </auth-constraint>
> <user-data-constraint>
> <!-- transport-guarantee must be one of NONE, INTEGRAL, or CONFIDENTIAL -->
>   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
>
> Google for "transport-guarantee web.xml" on the web.
>
> Simulating a logout in some servlet code...
>
> ...
>
> HttpSession session = request.getSession(false);
>
> /*
>   if there is any information in the session that you want to keep (such as
>   a locale override), grab a reference to it here...
> */
>
> if(session != null)
>   session.invalidate();
>
> session = request.getSession(true);
>
> /*
>   restore stuff into the session that you wanted here...
> */
>
> ...
>
> Sean Dockery
> sean@sbdconsultants.com
> Certified Java Web Component Developer
> Certified Delphi Programmer
> SBD Consultants
> http://www.sbdconsultants.com
>
> ----- Original Message -----
> From: "Tony Dahbura" <tony@loudcloud.com>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> Sent: Tuesday, February 11, 2003 03:11
> Subject: help with client certificates
>
> > I am trying to configure my web application within tomcat to require
> > client certificates for certain areas.  I am not concerned about what
> > the certificate contains, only that it is a valid certificate (not
> > expired).
> >
> > I have the ssl piece working and when I use the connector option
> > clientAuth="true" this makes my whole ssl session require
> > certificates, which is not what I want.
> >
> > How can I configure the web.xml file to require certificates for only
> > certain servlets/urls of the webapp?
> >
> > Would like the same functionality of clientAuth="true" (which just
> > checks the validity of the certificate but does not try to verify or
> > see if the user is in a list somewhere) but at the url/servlet level
> > within the web.xml for the web app.
> >
> >
> > Another quick question is how can one force the user to have to select
> > the cert again once inside the web application (simulate a logout).
> >  Does invalidating the session force this?  Do not want the user to have
> > to quit out of the browser.
> >
> >
> > Thanks,
> > Tony
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
>

--
Tony Dahbura
Deployment Director
Opsware Business Practice
EDS Inc.
13900 Lincoln Park Drive
Suite 405/WH-OPS
Herndon, VA  20171
voice: 703.742.1280
fax: 703.742.1163
tony.dahbura@eds.com
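The behaviour Tony describes (request a certificate on some URLs only, accept any certificate that is within its validity period, then read data out of it) can be done in servlet code rather than through realm roles. The filter below is an added example written for this archive page; it is not code from either poster and not part of Tomcat. It assumes the HTTPS connector has been set to request a client certificate without requiring one (Tomcat's clientAuth="want" on connectors that accept that value; on a connector that never asks for a certificate the attribute is always null and the filter rejects everything), and it assumes the filter is mapped in web.xml only to the URL patterns that need a certificate. The attribute name `client.cert.subject` is a made-up name for handing the subject DN to the servlets behind the filter. Trust-chain validation against the connector's truststore happens during the TLS handshake, so the filter only checks that a chain arrived and that the leaf certificate is currently valid. One caveat on the quoted web.xml: under the Servlet specification an `<auth-constraint>` that contains no `<role-name>` denies access to everyone, so to require transport security without any authorization the element should be omitted rather than left empty.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example (not from the original thread). Map it in web.xml only to
 * the paths that need a certificate, for instance:
 *
 *   <filter>
 *     <filter-name>RequireClientCert</filter-name>
 *     <filter-class>RequireClientCertFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>RequireClientCert</filter-name>
 *     <url-pattern>/ServletUrlPattern</url-pattern>
 *   </filter-mapping>
 *
 * Assumes the HTTPS connector requests, but does not require, a client
 * certificate (clientAuth="want"), so the container exposes the chain
 * under the standard javax.servlet.request.X509Certificate attribute.
 */
public class RequireClientCertFilter implements Filter {

    /** Standard attribute name defined by the Servlet specification. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Hypothetical attribute name used to pass the subject DN downstream. */
    public static final String SUBJECT_ATTR = "client.cert.subject";

    public void init(FilterConfig config) throws ServletException {
        // no configuration needed for this example
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;

        // The container fills this in only when the client presented a
        // certificate during the TLS handshake; chain[0] is the client's own cert.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "A client certificate is required for this resource.");
            return;
        }

        X509Certificate leaf = certs[0];
        try {
            // Reject certificates outside their notBefore/notAfter window.
            // Trust in the issuing CA was already decided by the connector's truststore.
            leaf.checkValidity();
        } catch (CertificateExpiredException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate has expired.");
            return;
        } catch (CertificateNotYetValidException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate is not yet valid.");
            return;
        }

        // "Blindly let the user in" but make the certificate data available:
        // servlets behind this filter read the subject DN from the request.
        req.setAttribute(SUBJECT_ATTR, leaf.getSubjectDN().getName());
        chain.doFilter(req, res);
    }
}
```

A servlet behind the filter reads `request.getAttribute(RequireClientCertFilter.SUBJECT_ATTR)` (or the full `X509Certificate[]` under the standard attribute) to pull whatever fields it needs. On the second question in the thread, invalidating the HttpSession as Sean shows clears server-side state, but the certificate choice is bound to the TLS session, which the browser usually caches; a new certificate prompt generally requires the TLS session to end rather than the HTTP session.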




