tomcat-users mailing list archives

From "Sean Dockery" <s...@sbdconsultants.com>
Subject Re: help with client certificates
Date Mon, 17 Feb 2003 03:54:54 GMT
No.  I was talking about uploading a file through the HTML file upload.

"Tony Dahbura" <tony.dahbura@eds.com> wrote in message
news:3E4A8DF5.3545248E@eds.com...
> Thanks Sean.  I am not sure how to have them upload their cert through a form
> upload.  Is there a standard API (works in most browsers to cause this?)
>
> I remember netscape had a javascript call to do form signing.....
>
> Tony
>
>
> Sean Dockery wrote:
>
> > With regard to providing a certificate to the web site, but not
> > authenticating per se:
> >
> > With regard to writing your own custom realm, it seems reasonable--but I
> > would not have thought something like this would be so difficult.
> >
> > Instead of having CLIENT-CERT authentication, you might consider simply
> > having users submit their certificates through a form upload.  It might
> > avoid some of the problems that you're facing.
> >
> > With regard to logging out a user:
> >
> > The method that I presented works for FORM authentication only, as BASIC,
> > DIGEST, and CLIENT-CERT deal with (usually) readily available credentials.
> > That is, Internet Explorer and Netscape will remember usernames and passwords
> > and continue to use the same authentication information until it
> > fails--before prompting you for a new username and password.  I would
> > speculate that they behave in the same manner with respect to a certificate
> > credential.  I'm not sure how to get browsers to reset their sessions on the
> > client-side.
> >
> > ----- Original Message -----
> > From: "Tony Dahbura" <tony.dahbura@eds.com>
> > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > Sent: Tuesday, February 11, 2003 16:37
> > Subject: Re: help with client certificates
> >
> > > That is correct!  It is prompting me for my certificate, it is just telling
> > > the following on a tomcat error page:
> > >
> > > type Status report
> > >
> > > message Access to the requested resource has been denied
> > >
> > > description Access to the specified resource (Access to the requested
> > > resource has been denied) has been forbidden.
> > >
> > >
> > > I am thinking I may need to write a custom realm module that takes a
> > > certificate and just assigns a dummy role to any user.  Little bit
> > > convoluted to get this done.....?
> > >
> > >
> > > The second thing I am trying to do is logout the user (once they come in
> > > with their cert).  Doing a session.invalidate() does not cause the browser
> > > to reprompt the user for their certificate information upon rehitting the
> > > site-was wondering how to do that as well.
> > >
> > > Tony
> > >
> > >
> > > Sean Dockery wrote:
> > >
> > > > Let me see if I understand what problem you are experiencing...
> > > >
> > > > By not having role-names, CLIENT-CERT authentication is not being
> > > > enforced?  Is that what you mean?
> > > >
> > > > Sean Dockery
> > > > sean@sbdconsultants.com
> > > > Certified Java Web Component Developer
> > > > Certified Delphi Programmer
> > > > SBD Consultants
> > > > http://www.sbdconsultants.com
> > > >
> > > > ----- Original Message -----
> > > > From: "Tony Dahbura" <tony@loudcloud.com>
> > > > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > > > Sent: Tuesday, February 11, 2003 10:57
> > > > Subject: Re: help with client certificates
> > > >
> > > > > Sean:
> > > > > This matches my xml file to a tea except I also have:
> > > > > <login-config>
> > > > >   <auth-method>CLIENT-CERT</auth-method>
> > > > >  </login-config>
> > > > >
> > > > > The problem I am trying to solve is the fact that I do not have any
> > > > > role-names.  I need to have the application request a certificate from
> > > > > the user when they hit a servlet and just accept it.  I basically want
> > > > > to blindly let a user in but require them to present a certificate.
> > > > > The purpose of the application I am writing needs to access data
> > > > > within the certificate and I do not know who the users are until they
> > > > > present the certificate and I can grab some data from it.
> > > > >
> > > > > I need to simulate the actions of the clientAuth="true" on a connector
> > > > > factory (it blindly lets you in but forces a certificate to present).
> > > > > Reason this cannot be used is some of the application needs the cert
> > > > > and some does not.......
> > > > >
> > > > > Hope this explains it!
> > > > >
> > > > > Tony
> > > > >
> > > > >
> > > > > Sean Dockery wrote:
> > > > >
> > > > > > In your web.xml...
> > > > > >
> > > > > > <security-constraint>
> > > > > > <web-resource-collection>
> > > > > >   <web-resource-name>MySecurityRestriction</web-resource-name>
> > > > > >   <description>Protect the resource.</description>
> > > > > >   <url-pattern>/ServletUrlPattern</url-pattern>
> > > > > >   <http-method>GET</http-method>
> > > > > >   <http-method>POST</http-method>
> > > > > > </web-resource-collection>
> > > > > > <auth-constraint>
> > > > > >   <description>Authorized Users Group</description>
> > > > > > <!-- no role names means no authentication required for this resource -->
> > > > > > <!--
> > > > > >   <role-name>manager</role-name>
> > > > > >   <role-name>users</role-name>
> > > > > > -->
> > > > > > </auth-constraint>
> > > > > > <user-data-constraint>
> > > > > > <!-- transport-guarantee must be one of NONE, INTEGRAL, or CONFIDENTIAL -->
> > > > > >   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > > > > </user-data-constraint>
> > > > > > </security-constraint>
> > > > > >
> > > > > > Google for "transport-guarantee web.xml" on the web.
> > > > > >
> > > > > > Simulating a logout in some servlet code...
> > > > > >
> > > > > > ...
> > > > > >
> > > > > > HttpSession session = request.getSession(false);
> > > > > >
> > > > > > /*
> > > > > >   if there is any information in the session that you want to keep
> > > > > >   (such as a locale override), grab a reference to it here...
> > > > > > */
> > > > > >
> > > > > > if(session != null)
> > > > > >   session.invalidate();
> > > > > >
> > > > > > session = request.getSession(true);
> > > > > >
> > > > > > /*
> > > > > >   restore stuff into the session that you wanted here...
> > > > > > */
> > > > > >
> > > > > > ...
> > > > > >
> > > > > > Sean Dockery
> > > > > > sean@sbdconsultants.com
> > > > > > Certified Java Web Component Developer
> > > > > > Certified Delphi Programmer
> > > > > > SBD Consultants
> > > > > > http://www.sbdconsultants.com
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Tony Dahbura" <tony@loudcloud.com>
> > > > > > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > > > > > Sent: Tuesday, February 11, 2003 03:11
> > > > > > Subject: help with client certificates
> > > > > >
> > > > > > > I am trying to configure my web application within tomcat to
> > > > > > > require client certificates for certain areas.  I am not concerned
> > > > > > > about what the certificate contains-only that it is a valid
> > > > > > > certificate (not expired).
> > > > > > >
> > > > > > > I have the ssl piece working and when I use the connector option
> > > > > > > clientAuth="true" this makes my whole ssl session require
> > > > > > > certificates-which is not what I want.
> > > > > > >
> > > > > > > How can I configure the web.xml file to require certificates for
> > > > > > > only certain servlets/urls of the webapp?
> > > > > > >
> > > > > > > Would like the same functionality of clientAuth="true" (which just
> > > > > > > checks the validity of the certificate but does not try to verify
> > > > > > > or see if the user is in a list somewhere) but at the url/servlet
> > > > > > > level within the web.xml for the web app.
> > > > > > >
> > > > > > >
> > > > > > > Another quick question is how can one force the user to have to
> > > > > > > select the cert again once inside the web application (simulate a
> > > > > > > logout).  Does invalidating the session force this?  Do not want
> > > > > > > the user to have to quit out of the browser.
> > > > > > >
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Tony
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > > > > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > > --
> > > > > Tony Dahbura
> > > > > Deployment Director
> > > > > Opsware Business Practice
> > > > > EDS Inc.
> > > > > 13900 Lincoln Park Drive
> > > > > Suite 405/WH-OPS
> > > > > Herndon, VA  20171
> > > > > voice: 703.742.1280
> > > > > fax: 703.742.1163
> > > > > tony.dahbura@eds.com
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
>

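What Tony describes wanting (accept any presented, currently valid certificate and read data from it, with no realm and no role-names) can be done in servlet code by reading the certificate chain that the SSL connector exposes through the javax.servlet.request.X509Certificate request attribute defined by the Servlet specification. This is an added example, not code from the thread; the servlet class name is made up, and it assumes the connector has actually negotiated a client certificate for the request (the Servlet spec also treats an <auth-constraint> with no <role-name> children as denying access to everyone, which matches the 403 reported above, so that element is not used here at all).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet: accepts any client certificate the SSL connector
 * negotiated, re-checks only its validity dates, and reads data from it.
 * Whether the chain is trusted at all is decided by the connector's
 * truststore during the SSL handshake, not here.
 */
public class CertInfoServlet extends HttpServlet {
    // Attribute name defined by the Servlet specification for HTTPS requests.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        // Null when the request was not over SSL, or when the connector did
        // not request/receive a client certificate during the handshake.
        if (chain == null || chain.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "A client certificate is required for this resource.");
            return;
        }

        X509Certificate clientCert = chain[0]; // end-entity certificate is first
        try {
            clientCert.checkValidity(); // throws if expired or not yet valid
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate is not currently valid.");
            return;
        }

        // Data the application can now use; the DN content is whatever the CA issued.
        String subject = clientCert.getSubjectX500Principal().getName();
        String issuer = clientCert.getIssuerX500Principal().getName();

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("subject: " + subject);
        out.println("issuer:  " + issuer);
        out.println("serial:  " + clientCert.getSerialNumber().toString(16));
        out.println("expires: " + clientCert.getNotAfter());
    }
}
```

Map this servlet only to the URLs that need a certificate; the rest of the webapp is unaffected, which is the per-URL behaviour the thread is after.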


