tomcat-users mailing list archives

From Andreas Huelsing <ahuels...@onlinehome.de>
Subject Re: Authenticate with X509 certification
Date Mon, 09 Jun 2008 09:55:17 GMT
Hi Luis,

sorry, at this point I can't help you. I have never done something similar.

andreas

Luis Pascual Forner wrote:
> Hi, Andreas
>
> I think that I didn't explain it correctly. What I would like is to have
> some pages that require authentication, and others that don't (as in the
> Apache server, where it is possible to set SSLVerifyClient at the
> directory level). Because the "clientAuth" attribute is at the "Connector"
> level, I don't want to set it to "true". I set the auth-method to
> "CLIENT-CERT" to force some pages to require authentication.
>
> With the standard realms, the authenticated user needs to exist in
> the users database (conf/tomcat-users.xml, for example). I only want
> the users to have a valid certificate. So I used a custom realm
> that only checks the validity of the certificate chain.
>
> This works, and the certificate is required only on those pages, but
> sometimes getAttribute("javax.servlet.request.X509Certificate")
> returns null. The first time a user accesses a page from the context,
> the certificate is requested.
>
> As a workaround, I store the certificate in the session the first
> time the page is accessed, and reuse it afterwards.
>
> Thanks, and sorry for my poor English. I do my best.
>
> Regards,
>
>   Luis
>
> Andreas Huelsing wrote:
>> Ok,
>>
>> you know that you have to use SSL/TLS or some challenge-response
>> protocol to ensure that the owner of the certificate also owns the
>> corresponding private key? So the best way might be to use SSL with
>> client auth and an all-trusting TrustManager which accepts every
>> certificate but checks for knowledge of the private key. This also
>> forces the client to send a certificate.
>>
>> andreas
>>
>> Luis Pascual Forner wrote:
>>> No, because I want the certificate to be
>>> required ONLY when I access some pages.
>>> In fact, this is how it works now, but sometimes
>>> the method getAttribute("javax.servlet.request.X509Certificate")
>>> returns null.
>>>
>>> Finally, I store the certificate in the session, and get it
>>> from there when I need it.
>>>
>>> thanks,
>>>
>>>   Luis
>>>
>>> ahuelsing wrote:
>>>> Hi,
>>>>
>>>> you have to set clientAuth="true"
>>>>
>>>> andreas
>>>>
>>>> Luis Pascual Forner wrote:
>>>>> Thanks, Bill,
>>>>> I use the JIO connector.
>>>>> That's my server.xml:
>>>>>
>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>> <Server port="8006" shutdown="SHUTDOWN">
>>>>>
>>>>>   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>>>>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>>>>>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>>>>   <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener" />
>>>>>
>>>>>   <GlobalNamingResources>
>>>>>
>>>>>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>>>>
>>>>>     <Resource name="UserDatabase" auth="Container"
>>>>>               type="org.apache.catalina.UserDatabase"
>>>>>               description="User database that can be updated and saved"
>>>>>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>>>>               pathname="conf/tomcat-users.xml" />
>>>>>
>>>>>   </GlobalNamingResources>
>>>>>
>>>>>   <Service name="Catalina">
>>>>>
>>>>>     <!-- plain HTTP; redirectPort sends requests that need CONFIDENTIAL transport to 8443 -->
>>>>>     <Connector port="8081" maxHttpHeaderSize="8192"
>>>>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>>>>                enableLookups="false" redirectPort="8443" acceptCount="100"
>>>>>                connectionTimeout="20000" disableUploadTimeout="true" />
>>>>>
>>>>>     <!-- HTTPS; clientAuth="false" means the client certificate is not requested
>>>>>          in the initial handshake, only when a CLIENT-CERT constrained page is hit -->
>>>>>     <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
>>>>>                clientAuth="false" acceptCount="100" disableUploadTimeout="true"
>>>>>                keystoreFile="/XXXXXXXXX/xxxxx.p12" keystorePass="XXXXXX"
>>>>>                keystoreType="PKCS12"
>>>>>                truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts" truststorePass="XXXXXXX"
>>>>>                truststoreType="JKS" />
>>>>>
>>>>>     <Connector port="8010" protocol="AJP/1.3"
>>>>>                enableLookups="false" redirectPort="8443" />
>>>>>
>>>>>     <Engine name="Catalina" defaultHost="localhost">
>>>>>
>>>>>       <!-- custom realm: validates the certificate chain only, no user database lookup -->
>>>>>       <Realm className="com.ival.tomcat.X509Realm" debug="0" />
>>>>>
>>>>>       <Host name="localhost" appBase="webapps"
>>>>>             unpackWARs="true" autoDeploy="true"
>>>>>             xmlValidation="false" xmlNamespaceAware="false">
>>>>>
>>>>>         <Context docBase="cavi" path="/cavi" reloadable="true" />
>>>>>         <Context docBase="x509" path="/x509" reloadable="true" allowLinking="true" />
>>>>>
>>>>>       </Host>
>>>>>
>>>>>     </Engine>
>>>>>
>>>>>   </Service>
>>>>>
>>>>> </Server>
>>>>>
>>>>> Bill Barker wrote:
>>>>>> "Luis Pascual Forner" <lpascual@ival.com> wrote in message
>>>>>> news:48465C00.503@ival.com...
>>>>>>> Hi,
>>>>>>>
>>>>>>>   I need to authenticate ONLY with a client certificate (i.e., I don't
>>>>>>> want to check any user database). I did the following:
>>>>>>>
>>>>>>>   1. I wrote an "X509Realm", with a method "authenticate" that
>>>>>>>      only checks the validity of each certificate in the
>>>>>>>      certificate chain (it doesn't check whether the user exists in
>>>>>>>      any database).
>>>>>>>   2. Declared this new class in
>>>>>>>      "org/apache/catalina/realm/mbeans-descriptors.xml" and
>>>>>>>      "org/apache/catalina/mbeans/mbeans-descriptors.xml".
>>>>>>>   3. Edited "server.xml" and configured the realm.
>>>>>>>   4. Edited "web.xml" to set the auth-method to "CLIENT-CERT".
>>>>>>>   5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
>>>>>>>      "server/classes", with the correct path.
>>>>>>>   6. Restarted Tomcat.
>>>>>>>
>>>>>>>   Now I can authenticate with an X509 certificate, and get the
>>>>>>> client certificate with
>>>>>>> getAttribute("javax.servlet.request.X509Certificate"). But
>>>>>>> sometimes this method returns null. Why?
>>>>>>>
>>>>>>
>>>>>> That almost certainly means that the client didn't send a cert. But
>>>>>> more info on your setup would get a better response. For example,
>>>>>> are you using the APR or the JIO Connector?
>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>
>>>
>
>
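A realm along the lines Luis describes, written here as an added example for this archive page; it is not Luis's com.ival.tomcat.X509Realm and not code from the Tomcat project. It assumes the Tomcat 8.5/9 RealmBase API; the package name com.example.tomcat, the Realm attributes truststoreFile/truststorePass, the role name cert-holder and the URL pattern /secure/* are all assumed. The web.xml fragment in the header comment is what limits the certificate prompt to some pages: with clientAuth="false" on the connector, Tomcat's CLIENT-CERT authenticator asks for the certificate (by renegotiating the TLS connection) only when a constrained URL is requested. Two points from the thread are built in: the realm never looks the subject up in tomcat-users.xml, and it only ever receives the chain that the TLS layer delivered in javax.servlet.request.X509Certificate, so Andreas's proof-of-possession requirement is met by the handshake rather than by the realm.

```java
package com.example.tomcat; // assumed package; the thread's own class is com.ival.tomcat.X509Realm

import java.io.*;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.*;
import java.util.*;

import org.apache.catalina.LifecycleException;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/*
 * server.xml (attribute names are this example's, mapped onto the setters below):
 *   <Realm className="com.example.tomcat.ChainOnlyX509Realm"
 *          truststoreFile="conf/trustcacerts" truststorePass="changeit" />
 *
 * web.xml: only /secure/* triggers the certificate request; everything else
 * stays anonymous even though the connector itself has clientAuth="false".
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>cert-only</web-resource-name>
 *       <url-pattern>/secure/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>cert-holder</role-name></auth-constraint>
 *     <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
 *   <security-role><role-name>cert-holder</role-name></security-role>
 */
public class ChainOnlyX509Realm extends RealmBase {
    public static final String ROLE = "cert-holder";   // assumed role name

    private String truststoreFile;
    private String truststorePass;
    private PKIXParameters pkixParams;

    public void setTruststoreFile(String f) { truststoreFile = f; }
    public void setTruststorePass(String p) { truststorePass = p; }

    @Override
    protected void startInternal() throws LifecycleException {
        try (InputStream in = new FileInputStream(truststoreFile)) {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            ts.load(in, truststorePass == null ? null : truststorePass.toCharArray());
            pkixParams = new PKIXParameters(ts);     // every trusted cert in the store is an anchor
            pkixParams.setRevocationEnabled(false);  // no CRL/OCSP source configured in this example
        } catch (Exception e) {
            throw new LifecycleException("cannot load trust store " + truststoreFile, e);
        }
        super.startInternal();
    }

    // Tomcat's SSLAuthenticator calls this with the chain the TLS layer received (the same
    // array as javax.servlet.request.X509Certificate). The handshake already proved possession
    // of the private key; never feed this method a certificate taken from a header or parameter.
    @Override
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return null;                              // no certificate was sent
        }
        try {
            List<X509Certificate> path = new ArrayList<>();
            for (X509Certificate c : certs) {
                c.checkValidity();                    // notBefore/notAfter of every link
                // a PKIX path must not end with the trust anchor itself, so drop self-signed certs
                if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                    path.add(c);
                }
            }
            if (path.isEmpty()) {
                // only a self-signed certificate was offered: accept it only if it is an anchor
                return isTrustAnchor(certs[0]) ? principalFor(certs[0]) : null;
            }
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(cp, pkixParams);
        } catch (Exception e) {
            return null;                              // any validation failure = not authenticated
        }
        return principalFor(certs[0]);
    }

    private boolean isTrustAnchor(X509Certificate c) {
        return pkixParams.getTrustAnchors().stream().anyMatch(a -> c.equals(a.getTrustedCert()));
    }

    // Subject DN becomes the user name; the fixed role is what web.xml's auth-constraint names
    private Principal principalFor(X509Certificate leaf) {
        return new GenericPrincipal(leaf.getSubjectX500Principal().getName(),
                                    null, Collections.singletonList(ROLE));
    }

    // Required by RealmBase but unused: this realm never authenticates by password
    @Override protected String getPassword(String username) { return null; }
    @Override protected Principal getPrincipal(String username) { return null; }
}
```

Keep truststoreFile on the connector as well: JSSE rejects untrusted chains during the renegotiation, so the realm's validation is a second check rather than the only one. Tomcat's authenticator caches the resulting Principal in the HTTP session when its cache attribute is true (the default), which is the supported form of the session workaround Luis describes; on a request where no renegotiated handshake supplied a chain, the request attribute is simply absent, which is the null Bill attributes to the client not sending a cert.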


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

