From: Christopher Schultz
To: Tomcat Users List
Date: Fri, 07 Feb 2014 14:57:33 -0500
Subject: Re: SSL with Form Fallback on Tomcat 7 or 8
Message-ID: <52F53AAD.9000005@christopherschultz.net>
In-Reply-To: <20140207063247.GC5634@gamehenge>

Gary,

On 2/7/14, 1:32 AM, Gary Briggs wrote:
> Evening,
>
> I've been reading this page:
> http://wiki.apache.org/tomcat/SSLWithFORMFallback
> I'm currently using Tomcat 7 on Linux. In short, neither of the bits of
> code linked on that page work for me, but the thing described in the
> title is what I desire.
>
> I have client certificate authentication working fully within my needs,
> but I'm looking for a fallback so I can allow users without one of the
> appropriate smart cards to get in. BasicAuth would also be fine for this
> project, although I'd much rather it were a form.
>
> Additionally, I'm unclear on what the purpose of "optional" is on the
> clientAuth parameter of a Connector, if it's not for the purpose of some
> other fallback authentication mechanism to work. Maybe it's just
> implemented because it's integral to the TLS implementation?
>
> Another option is to configure the trust store appropriately, then
> self-sign certificates and pass them out. That's still a little hostile
> to the users that don't have smartcards in the first place; I have my
> Realm hitting up an LDAP server with a username-pass tuple that
> non-smartcard-wielding users already have an account on.

FWIW, use of an SSL client certificate does improve the security by adding a second factor to the existing username-password tuple that you already have. For the smart-card users, they already "have" something, and if they are the kinds of smart cards I know about, they also require something you know to activate them.

-chris
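One concrete shape for the fallback Gary describes, added here as an example rather than code from this thread or from the wiki page he links: a servlet filter in front of the application, for a JSSE connector configured with clientAuth="want", which lets the TLS handshake complete with or without a client certificate. The login page path, the session attribute name, and the form handler that checks the username/password against the LDAP realm (not shown) are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: prefer a TLS client certificate, otherwise send the user to a login form. */
public class CertOrFormFilter implements Filter {
    // Tomcat sets this attribute only when the handshake completed with a chain that the
    // connector's truststore accepted; clientAuth="want" keeps the client cert optional.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String USER_ATTR = "authenticatedUser";   // assumed session key
    static final String LOGIN_PAGE = "/login.jsp";          // assumed form location

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        if (session.getAttribute(USER_ATTR) == null) {
            X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
            String cn = (chain != null && chain.length > 0) ? commonName(chain[0]) : null;
            if (cn != null) {
                session.setAttribute(USER_ATTR, cn);   // the end-entity cert identifies the user
            } else if (!request.getRequestURI().startsWith(request.getContextPath() + LOGIN_PAGE)) {
                // No certificate: fall back to the form; its handler sets USER_ATTR after LDAP checks
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
                return;
            }
        }
        next.doFilter(req, res);
    }

    /** Extracts the CN attribute from the certificate subject; null if the DN has none. */
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) { /* treat an unparseable DN as no identity */ }
        return null;
    }
}
```

Because the connector already rejected untrusted chains during the handshake, the filter only has to map the subject to a user; the form path still carries a single factor, so keep it for the accounts that really have no card.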