tomcat-users mailing list archives

Subject Client Certificate -- All Authenticated Users
Date Tue, 08 Aug 2006 10:00:40 GMT
I am writing an application which is using client-cert as an
authentication process. I successfully configured Tomcat to use SSL and
ask for the certificate and everything works. However I still have one
In order for the security to work I have to add the DN of the
certificate to the tomcat-users.xml file. So you have something like
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="CN=Alice SPECIMEN (Authentication), C=BE"
        password="null" roles="tomcat,role1"/>
  <user username="tomcat" password="xxxxx" roles="tomcat"/>
  <user username="role1" password="xxxxx" roles="role1"/>
  <user username="both" password="xxxx" roles="tomcat,role1"/>
  <user username="SERIALNUMBER=xxxxxx, GIVENNAME=yyyyyy, SURNAME=zzzzzz,
        CN=wwwwwww, C=dd" password="null" roles="tomcat,role1"/>
</tomcat-users>
The web.xml is configured in the following way to allow "all
authenticated" users to do stuff. (To my knowledge the * means all
authenticated users, in my case users belonging to role1)
  <description>Authenticated Users</description>
If I do it like this, it works perfectly and the
request.getUserPrincipal() has a value. However this means that I have
to add the DN of all certificates in use to the tomcat-users file. In my
case this is impossible. For me a user is "authenticated" if his client
certificate is accepted (meaning it was not revoked; this is where OCSP
and CRLs come in).
So here is the question:
Is there a way to configure Tomcat in such a way that, when Tomcat
accepts the client certificate, the user is automatically authenticated
(and belongs to a default group) and the request.getUserPrincipal() is
filled in with the relevant information from the certificate?
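Added example, not from the post or from Tomcat itself: a small Python model of the lookup described above, run over a constructed tomcat-users.xml modelled on the quoted one. It shows that MemoryRealm-style matching needs every certificate subject DN listed verbatim, what a default-role fallback (the behaviour the post asks for) changes, and a check for DN entries that still carry a literal password, since the realm compares that attribute as-is and it would also work for BASIC/FORM login served by the same realm.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the tomcat-users.xml quoted in the post.
TOMCAT_USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="CN=Alice SPECIMEN (Authentication), C=BE"
        password="null" roles="tomcat,role1"/>
  <user username="tomcat" password="xxxxx" roles="tomcat"/>
  <user username="role1" password="xxxxx" roles="role1"/>
  <user username="both" password="xxxx" roles="tomcat,role1"/>
</tomcat-users>
"""


def load_users(xml_text):
    """Return {username: {"password": str|None, "roles": set}} from tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    users = {}
    for u in root.iter("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = {"password": u.get("password"), "roles": roles}
    return users


def is_dn(username):
    """Heuristic: a username written as an X.500 DN (comma-separated attr=value).
    Values containing escaped commas are not handled by this simple split."""
    return all("=" in part for part in username.split(","))


def resolve_roles(users, subject_dn, default_roles=None):
    """Mimic the realm lookup: exact string match on the certificate subject DN.
    Without default_roles an accepted but unlisted certificate gets no
    principal (None); with it, the unlisted user lands in the default group."""
    entry = users.get(subject_dn)
    if entry is not None:
        return set(entry["roles"])
    return set(default_roles) if default_roles is not None else None


def passworded_dn_users(users):
    """DN-mapped users that still carry a literal password attribute.
    password="null" is the four-character string "null", not an absent password,
    so it is usable wherever the same realm also does password authentication."""
    return sorted(n for n, e in users.items() if is_dn(n) and e["password"])
```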
