tomcat-users mailing list archives

From Luis Pascual Forner <lpasc...@ival.com>
Subject Re: Authenticate with X509 certification
Date Mon, 09 Jun 2008 09:36:02 GMT
Hi, Andreas

I think that I didn't explain it correctly. What I would like is to have
some pages that require authentication, and others that don't (as in Apache
server, where it is possible to set SSLVerifyClient at directory level).
Because the "clientAuth" attribute is at the "Connector" level, I don't
want to set it to "true". I set the auth-method to "CLIENT-CERT" to
force some pages to require authentication.

With the standard realms, the authenticated user needs to exist in
the users database (conf/tomcat-users.xml, for example). I only want
the users to have a valid certificate. So, I used a custom realm
that only checks the validity of the certificate's chain.

This works, and the certificate is required only on those pages but,
sometimes, getAttribute("javax.servlet.request.X509Certificate")
returns null. The first time a user accesses a page from the context,
the certificate is asked for.

As a work-around, I store the certificate in the session the first
time the page is accessed, and reuse it afterwards.

Thanks, and sorry for my poor English. I do my best.

Regards,

   Luis

Andreas Huelsing wrote:
> Ok,
> 
> you know that you have to use SSL/TLS or some challenge-response 
> protocol to ensure that the owner of the certificate also owns the 
> corresponding private key? So the best way might be to use SSL with 
> client auth and an all-trusting TrustManager which accepts every 
> certificate but checks for knowledge of the private key. This also 
> forces the client to send a certificate.
> 
> andreas
> 
> Luis Pascual Forner wrote:
>> No, because I want the certificate to be
>> required ONLY when I access some pages.
>> In fact, this is how it works now, but sometimes
>> the method getAttribute("javax.servlet.request.X509Certificate")
>> returns null.
>>
>> Finally, I store the certificate in the session, and get it
>> from there when I need it.
>>
>> thanks,
>>
>>   Luis
>>
>> ahuelsing wrote:
>>> Hi,
>>>
>>> you have to set clientAuth="true"
>>>
>>> andreas
>>>
>>> Luis Pascual Forner wrote:
>>>> Thanks, Bill,
>>>> I use the JIO connector.
>>>> That's my server.xml:
>>>>
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <Server port="8006" shutdown="SHUTDOWN">
>>>>
>>>>   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>>>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>>>>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>>>   <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener" />
>>>>
>>>>   <GlobalNamingResources>
>>>>
>>>>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>>>
>>>>     <Resource name="UserDatabase" auth="Container"
>>>>               type="org.apache.catalina.UserDatabase"
>>>>               description="User database that can be updated and saved"
>>>>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>>>               pathname="conf/tomcat-users.xml" />
>>>>
>>>>   </GlobalNamingResources>
>>>>
>>>>   <Service name="Catalina">
>>>>
>>>>     <Connector port="8081" maxHttpHeaderSize="8192"
>>>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>>>                enableLookups="false" redirectPort="8443" acceptCount="100"
>>>>                connectionTimeout="20000" disableUploadTimeout="true" />
>>>>     <Connector acceptCount="100" clientAuth="false" disableUploadTimeout="true"
>>>>                keystoreFile="/XXXXXXXXX/xxxxx.p12" keystorePass="XXXXXX" keystoreType="PKCS12"
>>>>                port="8443" scheme="https" secure="true" sslProtocol="TLS"
>>>>                truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts" truststorePass="XXXXXXX" truststoreType="JKS"/>
>>>>
>>>>     <Connector port="8010" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
>>>>
>>>>     <Engine name="Catalina" defaultHost="localhost">
>>>>
>>>>
>>>>       <Realm className="com.ival.tomcat.X509Realm" debug="0" />
>>>>
>>>>       <Host name="localhost" appBase="webapps"
>>>>        unpackWARs="true" autoDeploy="true"
>>>>        xmlValidation="false" xmlNamespaceAware="false">
>>>>
>>>>       <Context docBase="cavi" path="/cavi" reloadable="true" />
>>>>       <Context docBase="x509" path="/x509" reloadable="true" allowLinking="true" />
>>>>
>>>>       </Host>
>>>>
>>>>     </Engine>
>>>>
>>>>   </Service>
>>>>
>>>> </Server>
>>>>
>>>>
>>>>
>>>> Bill Barker wrote:
>>>>> "Luis Pascual Forner" <lpascual@ival.com> wrote in message 
>>>>> news:48465C00.503@ival.com...
>>>>>> Hi,
>>>>>>
>>>>>>   I need to authenticate ONLY with a client certificate (i.e., I don't
>>>>>> want to check any user's database). I did the following:
>>>>>>
>>>>>>   1. I wrote an "X509Realm", with a method "authenticate" that
>>>>>>      only checks the validity of each certificate in the
>>>>>>      certification chain (it doesn't check if the user exists in
>>>>>>      any database).
>>>>>>   2. Declare this new class in
>>>>>>      "org/apache/catalina/realm/mbeans-descriptors.xml" and
>>>>>>      "org/apache/catalina/mbeans/mbeans-descriptors.xml".
>>>>>>   3. Edit "server.xml" and configure the realm.
>>>>>>   4. Edit "web.xml" to set the auth-method to "CLIENT-CERT".
>>>>>>   5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
>>>>>>      "server/classes", with the correct path.
>>>>>>   6. Restart Tomcat.
>>>>>>
>>>>>>   Now I can authenticate with an X509 certificate, and get the
>>>>>> client certificate with
>>>>>> getAttribute("javax.servlet.request.X509Certificate"). But
>>>>>> sometimes this method returns null. Why?
>>>>>>
>>>>>
>>>>> That almost certainly means that the client didn't send a cert.  But 
>>>>> more info on your setup would get a better response.  For example, 
>>>>> are you using the APR or the JIO Connector?
>>>>>
>>>>>> regards
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>

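The thread describes two things without showing code: a custom Realm that accepts any client whose certificate chain validates against the server's trust store (no user database), and the work-around of keeping the chain in the HTTP session for requests where `javax.servlet.request.X509Certificate` comes back null. The following is an added example of both, written for this page; it is not Luis's `com.ival.tomcat.X509Realm` and not Tomcat project code. It assumes the Tomcat 6 `RealmBase`/`GenericPrincipal` API (the `start()` override and the four-argument `GenericPrincipal` constructor differ in Tomcat 7+), and the `trustStoreFile`/`trustStorePass` Realm attributes, the nested filter class and the session key are all made up for the example. The chain is validated with the JDK's PKIX `CertPathValidator`, which is what checks signatures, validity dates and the issuer path back to a trusted CA; proof that the client holds the private key is already provided by the TLS handshake that produced the chain, which is the point Andreas makes above.

```java
package com.ival.tomcat;   // hypothetical package, taken from the Realm className in the quoted server.xml

import java.io.*;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Realm that authenticates a client solely by validating its certificate chain
 * against a trust store; no user database is consulted (Tomcat 6 RealmBase API assumed).
 * server.xml (attribute names are hypothetical; Tomcat maps them onto the setters below):
 *   <Realm className="com.ival.tomcat.X509Realm"
 *          trustStoreFile="/path/to/trustcacerts" trustStorePass="changeit"/>
 */
public class X509Realm extends RealmBase {

    private String trustStoreFile;
    private String trustStorePass = "";
    private KeyStore trustStore;

    public void setTrustStoreFile(String f) { trustStoreFile = f; }
    public void setTrustStorePass(String p) { trustStorePass = p; }

    /** Load the trust store once, when the realm starts (Tomcat 7+ uses startInternal()). */
    public void start() throws LifecycleException {
        super.start();
        try {
            trustStore = KeyStore.getInstance("JKS");
            FileInputStream in = new FileInputStream(trustStoreFile);
            try { trustStore.load(in, trustStorePass.toCharArray()); } finally { in.close(); }
        } catch (Exception e) {
            throw new LifecycleException("cannot load trust store " + trustStoreFile, e);
        }
    }

    /** Called by the CLIENT-CERT authenticator with the chain the TLS layer received. */
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) return null;   // nothing was presented
        try {
            List<X509Certificate> chain = new ArrayList<X509Certificate>(Arrays.asList(certs));
            // Clients often append the root itself; a trust anchor is not part of the path
            // being validated, so drop it when it already sits in the trust store.
            X509Certificate last = chain.get(chain.size() - 1);
            if (chain.size() > 1 && trustStore.getCertificateAlias(last) != null) {
                chain.remove(chain.size() - 1);
            }
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            PKIXParameters params = new PKIXParameters(trustStore); // every trusted entry is an anchor
            params.setRevocationEnabled(false);   // no CRL/OCSP source is wired up in this example
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (Exception e) {
            return null;   // expired, unknown issuer, bad signature, ...: authentication fails
        }
        // The principal name is the leaf's subject; this realm grants no roles.
        String name = certs[0].getSubjectX500Principal().getName();
        return new GenericPrincipal(this, name, null, new ArrayList<String>());
    }

    protected String getName() { return "X509Realm"; }
    protected String getPassword(String username) { return null; }   // there is no password store
    protected Principal getPrincipal(String username) { return null; }

    /**
     * The thread's work-around as a filter: remember the chain in the session the first time
     * the TLS layer exposes it, and restore it on later requests where the attribute is null.
     * Map it in web.xml as com.ival.tomcat.X509Realm$CertCacheFilter on the protected URLs.
     */
    public static class CertCacheFilter implements Filter {
        static final String ATTR = "javax.servlet.request.X509Certificate";
        static final String KEY = "com.ival.tomcat.cachedChain";   // constructed session key

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
                throws IOException, ServletException {
            X509Certificate[] certs = (X509Certificate[]) req.getAttribute(ATTR);
            HttpSession session = ((HttpServletRequest) req).getSession(true);
            if (certs != null && certs.length > 0) {
                session.setAttribute(KEY, certs);          // fresh from the handshake
            } else if (req.isSecure()) {                   // never serve the cache over plain HTTP
                X509Certificate[] cached = (X509Certificate[]) session.getAttribute(KEY);
                if (cached != null) {
                    try { cached[0].checkValidity(); req.setAttribute(ATTR, cached); }
                    catch (Exception e) { session.removeAttribute(KEY); }   // expired since caching
                }
            }
            next.doFilter(req, res);
        }
        public void init(FilterConfig c) {}
        public void destroy() {}
    }
}
```

Two caveats follow from Bill's diagnosis that a null attribute means the client sent no certificate on that connection. First, the cached chain only ever restores something the TLS layer already verified earlier in the same session, so the session cookie must be sent only over HTTPS (and the session should not be created over plain HTTP), otherwise the cache outlives the proof it rests on. Second, the cache is a convenience for application code; the Realm above remains the only place where the chain is validated, and a request that reaches a CLIENT-CERT page with no chain is still rejected by Tomcat's authenticator before the filter's copy matters.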