tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SSL with Form Fallback on Tomcat 7 or 8
Date Fri, 07 Feb 2014 19:57:33 GMT

Gary,

On 2/7/14, 1:32 AM, Gary Briggs wrote:
> Evening,
> 
> I've been reading this page:
> http://wiki.apache.org/tomcat/SSLWithFORMFallback I'm currently
> using Tomcat 7 on Linux. In short, neither of the bits of code
> linked on that page work for me but the thing described in the
> title is what I desire.
> 
> I have client certificate authentication working fully within my
> needs, but I'm looking for a fallback so I can allow users
> without one of the appropriate smart cards to get in.
> BasicAuth would also be fine for this project, although I'd much
> rather it were a form.
> 
> Additionally, I'm unclear on what the purpose of "optional" is on
> the clientAuth parameter of a Connector, if it's not for the purpose
> of some other fallback authentication mechanism to work. Maybe it's
> just implemented because it's integral to the TLS implementation?
> 
> Another option is to configure the trust store appropriately, then 
> self-sign certificates and pass them out. That's still a little
> hostile to the users that don't have smartcards in the first place;
> I have my Realm hitting up an LDAP server with a username-pass
> tuple that non-smartcard-wielding users already have an account
> on.

FWIW, use of an SSL client certificate does improve the security by
adding a second factor to the existing username-password tuple that
you already have. For the smart-card users, they already "have"
something, and if they are the kinds of smart cards I know about, they
also require something you know to activate them.

-chris
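As an added illustration of the "optional" mode Gary asks about (Tomcat spells it clientAuth="want"), the filter below is written for this archive page; it is not code from the thread, from the Tomcat wiki page it cites, or from Tomcat itself, and it does not replace a container authenticator. It assumes the Connector uses clientAuth="want" so the handshake succeeds with or without a card, and the attribute name `clientCertSubject` is an assumption.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Tells a container-verified client certificate (smart-card users) apart from a
// container-authenticated FORM/LDAP principal, and rejects requests with neither.
public class CertOrFormFilter implements Filter {
    // Attribute name defined by the Servlet specification for the verified chain
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Present only if the client sent a certificate and the container
        // accepted it against the Connector's trust store (clientAuth="want").
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        boolean hasCert = certs != null && certs.length > 0;
        // Set by the container after a successful FORM (or BASIC) realm login.
        boolean hasRealmLogin = request.getUserPrincipal() != null;

        if (hasCert) {
            // Record which card identity was used for logging downstream;
            // no trust decision is made here, the container already verified it.
            request.setAttribute("clientCertSubject",
                    certs[0].getSubjectX500Principal().getName());
            chain.doFilter(req, resp);
        } else if (hasRealmLogin) {
            chain.doFilter(req, resp);
        } else {
            // Neither factor reached the application.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
```

With a FORM security constraint in web.xml the container runs the login before this filter, so the final branch is only reached for URLs outside that constraint.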
