From: Andreas Huelsing
Date: Mon, 09 Jun 2008 10:59:16 +0200
To: Tomcat Users List
Subject: Re: Authenticate with X509 certification
Message-ID: <484CF0E4.9070501@onlinehome.de>
In-Reply-To: <484CCFD1.6050302@ival.com>
References: <48465C00.503@ival.com> <48478FD7.7020707@ival.com> <4847C72A.4080803@onlinehome.de> <484CCFD1.6050302@ival.com>
Ok, you know that you have to use SSL/TLS or some challenge-response protocol to ensure that the owner of the certificate also owns the corresponding private key? So the best way might be to use SSL with client auth and an all-trusting trustmanager which accepts every certificate but checks for knowledge of the private key. This also forces the client to send a certificate.

andreas

Luis Pascual Forner wrote:
> No, because I want the certificate to be
> required ONLY when I access some pages.
> In fact, this is how it works now, but sometimes
> the method getAttribute("javax.servlet.request.X509Certificate")
> returns null.
>
> Finally, I store the certificate in the session, and get it
> from there when I need it.
>
> thanks,
>
> Luis
>
> ahuelsing wrote:
>> Hi,
>>
>> you have to set clientAuth="true"
>>
>> andreas
>>
>> Luis Pascual Forner wrote:
>>> Thanks, Bill,
>>> I use the JIO connector.
>>> That's my server.xml:
>>>
>>> className="org.apache.catalina.core.AprLifecycleListener" />
>>> className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>>> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>> className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>>>
>>> value="30"/>
>>>
>>> type="org.apache.catalina.UserDatabase"
>>> description="User database that can be updated and saved"
>>> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>> pathname="conf/tomcat-users.xml" />
>>>
>>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>> enableLookups="false" redirectPort="8443" acceptCount="100"
>>> connectionTimeout="20000" disableUploadTimeout="true" />
>>>
>>> disableUploadTimeout="true" keystoreFile="/XXXXXXXXX/xxxxx.p12"
>>> keystorePass="XXXXXX" keystoreType="PKCS12" port="8443"
>>> scheme="https" secure="true" sslProtocol="TLS"
>>> truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts"
>>> truststorePass="XXXXXXX" truststoreType="JKS"/>
>>>
>>> enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
>>>
>>> unpackWARs="true" autoDeploy="true"
>>> xmlValidation="false" xmlNamespaceAware="false">
>>>
>>> allowLinking="true" />
>>>
>>> Bill Barker wrote:
>>>> "Luis Pascual Forner" wrote in message
>>>> news:48465C00.503@ival.com...
>>>>> Hi,
>>>>>
>>>>> I need to authenticate ONLY with a client certificate (i.e., I don't want
>>>>> to check any user database). I did it as follows:
>>>>>
>>>>> 1. I wrote an "X509Realm", with a method "authenticate" that
>>>>>    only checks the validity of each certificate in the
>>>>>    certification chain (it doesn't check if the user exists in
>>>>>    any database).
>>>>> 2. Declare this new class in
>>>>>    "org/apache/catalina/realm/mbeans-descriptors.xml" and
>>>>>    "org/apache/catalina/mbeans/mbeans-descriptors.xml".
>>>>> 3. Edit "server.xml" and configure the realm.
>>>>> 4. Edit "web.xml" to set the auth-method to "CLIENT-CERT".
>>>>> 5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
>>>>>    "server/classes", with the correct path.
>>>>> 6. Restart Tomcat.
>>>>>
>>>>> Now, I can authenticate with an X509 certificate, and get the
>>>>> client certificate with
>>>>> getAttribute("javax.servlet.request.X509Certificate"). But,
>>>>> sometimes, this method returns null. Why?
>>>>>
>>>>
>>>> Almost certainly means that the client didn't send a cert. But
>>>> more info on your setup would get a better response. For example,
>>>> are you using the APR or the JIO Connector?
>>>>
>>>>> regards
>>>>>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
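As an added example (not code from the thread or from Tomcat), a servlet filter along the lines of Luis's X509Realm step 1 that handles the null case Bill and Andreas describe instead of dereferencing it. It assumes the Servlet 2.5 API (javax.servlet), a hypothetical class name ClientCertFilter, and that the connector is configured with clientAuth="true" so the TLS handshake has already proven possession of the private key; the filter only decides what to do with the chain Tomcat exposes.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects requests without a client certificate chain and
 *  checks the validity period of every certificate the TLS layer handed to Tomcat. */
public class ClientCertFilter implements Filter {
    // Attribute name from the Servlet spec, the one the thread discusses.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // A null attribute means the connector never obtained a certificate: the
        // request did not arrive over the client-auth connector or the client sent none.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (!req.isSecure() || certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String reason = checkChain(certs);
        if (reason != null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns null when every certificate in the chain is within its validity
     *  period, otherwise a reason naming the offending subject. */
    static String checkChain(X509Certificate[] certs) {
        for (X509Certificate c : certs) {
            try {
                c.checkValidity(); // throws for expired or not-yet-valid certificates
            } catch (CertificateException e) {
                return "certificate not currently valid: " + c.getSubjectX500Principal();
            }
        }
        return null;
    }
}
```

Possession of the private key is established only by the handshake, so this check is meaningful only behind a connector that actually requested the certificate; with clientAuth left at its default the attribute is simply null for every request.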