tomcat-users mailing list archives

From Арсений Зинченко <setev...@gmail.com>
Subject Re: Using different SSL-connector settings for various Context
Date Tue, 04 Feb 2014 13:47:23 GMT
> Please don't top post here. Respond below the text to which you are
> responding.
> It's easier to read that way. See below.

Sorry, it's Google's formatting when I press "Answer".

> That should be solvable just by the <auth-requirements> of each Context.

I tried googling it, but found nothing... Can you please give a link to something
about it?

Plus some additional info.

Currently we use the configuration via web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>*</web-resource-name>
      <url-pattern>/sourcename/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>cert</role-name>
  </security-role>

And for ROOT - configuration described in server.xml:

  <Context docBase="ROOT" path="">
    <Valve className="org.apache.catalina.valves.SomeAuthValve"
           FLDAPAppName="SOME"
           FLDAPDebug="1"
           FLDAPLogin="https://some" />
  </Context>

So the task is to create a second context for
<url-pattern>/sourcename/*</url-pattern> with
<auth-method>CLIENT-CERT</auth-method>, but in Context "terminology".


2014-02-04 André Warnier <aw@ice-sa.com>:

> Hi.
>
> Please don't top post here. Respond below the text to which you are
> responding.
> It's easier to read that way. See below.
>
>
>
>> 2014-02-04 André Warnier <aw@ice-sa.com>:
>>
>>  Арсений Зинченко wrote:
>>>
>>>  Hi.
>>>>
>>>> Task is - have ability to use HTTP/HTTPS without clientAuth for ROOT,
>>>> but
>>>> enable two-factor auth (clientAuth="true" and using trustedstore.jks)
>>>> for
>>>> other Context.
>>>>
>>>> Can somebody please give any tips?
>>>>
>>>>
>>>>  I don't know much about SSL, but isn't the answer right here ?
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>>>
>>> clientAuth
>>>
>>> Set to true if you want the SSL stack to require a valid certificate
>>> chain
>>> from the client before accepting a connection. Set to want if you want
>>> the
>>> SSL stack to request a client Certificate, but not fail if one isn't
>>> presented. A false value (which is the default) will not require a
>>> certificate chain unless the client requests a resource protected by a
>>> security constraint that uses CLIENT-CERT authentication.
>>>
>>> If I understand the above correctly, then setting clientAuth="false" in
>>> the Connector, and then requesting a CLIENT-CERT authentication only in
>>> your "other Context", should do the trick, no ?
>>>
>>>
>>>
> Арсений Зинченко wrote:
> > Yes, this is exactly what I want and I see this manual too.
> > But - how to specify different clientAuth= for different Contexts? I
> > found "SSL Authenticator
> > Valve<http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>"
> > - but there is nothing about how to do it... And I don't see any
> > possibility to make it with any other Context
> > options<http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...
> >
> >
> Sorry, as I mentioned earlier, I do not know much about SSL and cannot
> help you with the details.
>
> One thing though : the setup of an SSL connection happens *before* Tomcat
> even knows to which application the browser wants to talk.  Some properties
> of that connection may not be changeable anymore, at the level of a Context.
> You can just tell the Context to make use or not of some of these
> properties, not really change them.
>
> In your case though, it seems that you want the following :
> - clients connect via SSL
> - some Contexts then (later) require clientAuth
> - and some other Contexts (later) do not require clientAuth
> That should be solvable just by the <auth-requirements> of each Context.
>
> If you want some Contexts to be accessible via HTTP/HTTPS, and others
> only via HTTPS, that also is a parameter that you can specify in each
> context's web.xml.
> (<transport-guarantee> or something like that)
>
>
>
>

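What the approach from the quoted docs (clientAuth="false" on the Connector, CLIENT-CERT only in the application that needs it) looks like end to end, as an added example that is not part of this thread; file names, the port, the keystore passwords and the subject DN `CN=alice, OU=ops, O=Example` are placeholders. Two points the thread leaves open: Tomcat has no Context attribute for a security constraint, so the constraint and <login-config> stay in the application's WEB-INF/web.xml (or in the global conf/web.xml), and the Context element in server.xml only contributes the Realm that maps certificate subjects to roles; and the truststore belongs on the Connector, because it is the connector that verifies the client chain when Tomcat renegotiates the TLS session to request the certificate on the first request to a CLIENT-CERT protected resource.

```xml
<!-- conf/server.xml (added example): one HTTPS connector with clientAuth="false",
     so "/" is reachable without a client certificate. The truststore is still
     configured here: the connector, not the Context, verifies the client chain
     when a CLIENT-CERT constraint later asks for it. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/trustedstore.jks" truststorePass="changeit"/>

<!-- Inside <Host>: ROOT keeps the existing valve; /sourcename only needs a
     Realm that knows the certificate subjects, since the constraint itself
     cannot be expressed on a Context. -->
<Context docBase="ROOT" path="">
  <Valve className="org.apache.catalina.valves.SomeAuthValve"
         FLDAPAppName="SOME" FLDAPDebug="1" FLDAPLogin="https://some"/>
</Context>
<Context docBase="sourcename" path="/sourcename">
  <!-- MemoryRealm reads its users from a file; pathname is relative to CATALINA_BASE. -->
  <Realm className="org.apache.catalina.realm.MemoryRealm"
         pathname="conf/cert-users.xml"/>
</Context>

<!-- sourcename/WEB-INF/web.xml: the constraint is per application, so the
     url-pattern is relative to the context path (/* here, not /sourcename/*). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>cert</role-name>
</security-role>

<!-- conf/cert-users.xml (assumed file): with CLIENT-CERT the principal name
     Tomcat looks up in the Realm is the certificate's Subject DN as Java renders
     it (X509Certificate.getSubjectDN().getName(): RDNs comma-space separated,
     most specific first), so the username is the full DN, not a login name.
     The password attribute is not used for certificate logins. -->
<tomcat-users>
  <role rolename="cert"/>
  <user username="CN=alice, OU=ops, O=Example" password="" roles="cert"/>
</tomcat-users>
```

To check it: a request to https://host:8443/ succeeds with no client certificate; a request to https://host:8443/sourcename/ makes Tomcat renegotiate and ask for one, and is rejected if no certificate is sent, if the chain does not validate against trustedstore.jks, or if the DN is not listed with the `cert` role. The renegotiation is the caveat of this design: a client or JVM that refuses TLS renegotiation cannot authenticate this way, and the fallback is a second Connector on its own port with clientAuth="true" serving only the protected application.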