tomcat-users mailing list archives

From <Joost.HELD...@abvv.be>
Subject Client Certificate -- All Authenticated Users
Date Tue, 08 Aug 2006 10:00:40 GMT
All:
 
I am writing an Application which is using client-cert as an
authentication process. I successfully configured Tomcat to use SSL and
ask for the certificate and everything works. However I still have one
problem.
 
In order for the security to work I have to add the DN of the
certificate to the tomcat-users.xml file. So you have something like
this:
 
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="CN=Alice SPECIMEN (Authentication), C=BE" password="null" roles="tomcat,role1"/>
  <user username="tomcat" password="xxxxx" roles="tomcat"/>
  <user username="role1" password="xxxxx" roles="role1"/>
  <user username="both" password="xxxx" roles="tomcat,role1"/>
  <user username="SERIALNUMBER=xxxxxx, GIVENNAME=yyyyyy, SURNAME=zzzzzz, CN=wwwwwww, C=dd" password="null" roles="tomcat,role1"/>
</tomcat-users>
 
The web.xml is configured in the following way to allow "all
authenticated" users to do stuff. (To my knowledge the * means all
authenticated users, in my case users belonging to role1.)
 
...
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <description>Authenticated Users</description>
    <role-name>role1</role-name>
  </security-role>
  <security-constraint>
    <display-name>constrained1</display-name>
    <web-resource-collection>
      <web-resource-name>jspPages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>PUT</http-method>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>TRACE</http-method>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
 
If I do it like this, it works perfectly and the
request.getUserPrincipal() has a value. However this means that I have
to add the DN of all certificates in use to the tomcat-users file. In my
case this is impossible. For me a user is "authenticated" if his client
certificate is accepted (meaning it was not revoked - this is where OCSP
and CRLs come in).
So here is the question:
 
Is there a way to configure Tomcat in such a way that, when Tomcat
accepts the client certificate, the user is automatically authenticated
(and belongs to a default group) and request.getUserPrincipal() is
filled in with the relevant information from the certificate?
 
Thanks
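
An added example (not part of the post or of Tomcat) that models the two files above in Python: it parses the posted tomcat-users.xml and web.xml and shows why a certificate the TLS layer accepted is still not authenticated unless its subject DN appears as a username, and why the `*` auth-constraint resolves to the roles declared in web.xml (so a user holding only the undeclared "tomcat" role is refused). The exact-string DN comparison is an assumption of this model, not a statement about how Tomcat's realm normalizes subject names.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of the two files from the post, embedded so
# the example runs offline.
TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="CN=Alice SPECIMEN (Authentication), C=BE" password="null" roles="tomcat,role1"/>
  <user username="tomcat" password="xxxxx" roles="tomcat"/>
</tomcat-users>"""

WEB_XML = """<web-app>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>role1</role-name></security-role>
  <security-constraint>
    <web-resource-collection><url-pattern>*.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def load_users(xml_text):
    """Map each username (here: a certificate subject DN) to its set of roles."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): set(filter(None, u.get("roles", "").split(",")))
            for u in root.iter("user")}


def load_constraint(xml_text):
    """Return (roles declared in <security-role>, roles named in <auth-constraint>)."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.iterfind("security-role/role-name")}
    required = {r.text.strip() for r in root.iterfind("security-constraint/auth-constraint/role-name")}
    return declared, required


def authorize(subject_dn, users, declared, required):
    """Decide whether a client whose certificate TLS already accepted may reach *.jsp.
    Step 1 models the realm lookup: the DN must be a username (exact match assumed),
    otherwise there is no principal at all, no matter that the TLS handshake succeeded.
    Step 2 expands '*' to every role declared in web.xml, as the Servlet spec defines it."""
    roles = users.get(subject_dn)
    if roles is None:
        return False, "not authenticated: DN not in tomcat-users.xml"
    effective = declared if "*" in required else required
    granted = roles & effective
    if granted:
        return True, "authorized as " + ",".join(sorted(granted))
    return False, "authenticated but no matching role"
```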
