tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Recognizing certificate removal (SmartCard)
Date Tue, 04 Dec 2012 17:46:16 GMT

Will,

On 12/4/12 12:08 PM, Will Nordmeyer wrote:
> First off, thanks to all for the assistance getting my other
> tomcat CRL issues working.  Converted to APR and tcnative and
> things seem to be loading, running well now.
> 
> Now, the question has come up - what happens when a user
> authenticates with their Smart Card, but then pulls their card and
> walks away.  Is there a way for Tomcat to detect such an event on
> the client and terminate/timeout the session?
> 
> In the googling I've done, I've seen suggestions about writing a 
> little java app that runs within our application and periodically 
> pulls something from the SmartCard - when the app fails to get
> that piece of info, it terminates the app.
> 
> Is that the way to go?  (and if so, is there sample code - I know
> this isn't a java forum, but if someone's invented this wheel
> before, that would be great).

I'm certainly no SSL expert (especially with SmartCards involved), but
if the SmartCard is required in order to set up an SSL session, you
could set the SSL session timeout to some small-ish value (say, 10
minutes -- the default is 24 hours) and then require a new SSL session
to be established every 10 minutes. That would require the SmartCard
to be present for that renegotiation (this is my assumption).

That way, you don't have to write any new software and maintain it on
the client.

Check out the "sessionTimeout" attribute on the HTTP/SSL connector.

Hmm... I just re-checked and that option is currently only available
for the pure-Java connectors -- and you just switched to APR to get
your huge CRLs working. :(

OpenSSL does have an SSL_CTX_set_timeout method, but it doesn't have
any support through tcnative. If this is something that would help
you, please let me know and I'll take a stab at implementing a
tcnative method for this and then expose it through the <Connector>
configuration.

-chris
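A connector configuration of the shape Chris describes above, added here as an example and not taken from the thread: a pure-Java (JSSE) HTTPS connector that demands a client certificate and expires the SSL session after 10 minutes instead of the default 24 hours. The keystore, truststore and CRL paths and the passwords are placeholders; `sessionTimeout` is only honoured by the JSSE connectors, not by the APR/tcnative one.

```xml
<!-- conf/server.xml (Tomcat 7 era, JSSE connector). Added example; paths and
     passwords are placeholders, not values from the thread. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGEME"
           truststoreFile="${catalina.base}/conf/truststore.jks"
           truststorePass="CHANGEME"
           crlFile="${catalina.base}/conf/ca.crl"
           sessionTimeout="600" />
<!-- sessionTimeout is in seconds; omitting it leaves the default of 86400
     (24 hours), after which a cached SSL session can no longer be resumed and
     the browser must complete a fresh handshake. With clientAuth="true" that
     handshake needs the client certificate again, which is the step that
     requires the SmartCard to be present. The servlet HttpSession itself is
     not ended by this setting; without the card the client simply cannot open
     a new SSL session to reach it. -->
```

Setting `sessionCacheSize="0"` is not a substitute: it disables the cache but does not on its own force a full handshake on any particular schedule.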


