tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Client authentication for specific path
Date Wed, 01 Oct 2014 16:08:00 GMT

Nathan,

On 10/1/14 10:02 AM, Nathan Quirynen wrote:
> Hi Tomcat users,
> 
> A current application has client authentication configured in the
> SSL Connector (server.xml):
> 
> <Connector port="8443" ... clientAuth="true" 
> keystoreFile=".keystore" keystorePass="..." 
> truststoreFile=".truststore" truststorePass="..." />
> 
> And the CA root certificates have been added to the truststore.
> 
> This way it asks for a client certificate in any case, which works
> and is fine for this application. For a new application the use
> case is a bit different. I only need client authentication for a
> specific defined path (for example: /secured/*). After some
> research I found this was possible by defining this at the
> application level in the web.xml file. So I changed my
> configuration to:
> 
> server.xml:
> 
> <Connector port="8443" ... clientAuth="false" 
> keystoreFile=".keystore" keystorePass="..." 
> truststoreFile=".truststore" truststorePass="..." />
> 
> web.xml:
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Secureconn</web-resource-name>
>     <url-pattern>/secured/*</url-pattern>
>     <http-method>GET</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>secureconn</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>   <realm-name>Secureconn</realm-name>
> </login-config>
> <security-role>
>   <role-name>secureconn</role-name>
> </security-role>
> 
> 
> In this case it actually only asks for client authentication when
> going to, for example, the "secured/home" page. But I'm getting a 401
> message code.
> 
> What am I missing to get people authenticated based on the CA root 
> certificates that are in the configured truststore? Is what I am
> trying even possible?

What happens if you change clientAuth="false" to clientAuth="want"?

-chris
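
The following added example (not from the original message or from the Tomcat project) reads the two configurations quoted above and reports when the connector asks for a client certificate and exactly what the CLIENT-CERT constraint covers. The inline XML is constructed from the thread's fragments, and `audit` and `_parse` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the thread's fragments, elided "..." attributes dropped,
# web.xml wrapped in a <web-app> root so that it parses.
SERVER_XML = '''<Server><Service><Connector port="8443" clientAuth="false"
    keystoreFile=".keystore" truststoreFile=".truststore"/></Service></Server>'''
WEB_XML = '''<web-app>
  <security-constraint><web-resource-collection>
      <web-resource-name>Secureconn</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>secureconn</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>secureconn</role-name></security-role>
</web-app>'''

# When the TLS layer asks for a certificate (Tomcat connector documentation).
CLIENT_AUTH = {
    "true": "required during every handshake",
    "want": "requested during every handshake, optional",
    "false": "requested only when a CLIENT-CERT constraint matches",
}

def _parse(text):
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # drop an XML namespace, if present
    return root

def audit(server_xml, web_xml):
    """Report when a client certificate is requested and what the constraint covers."""
    server, web = _parse(server_xml), _parse(web_xml)
    report = {"connectors": {}, "constraints": [], "undeclared_roles": set()}
    for conn in server.iter("Connector"):
        mode = conn.get("clientAuth", "false").lower()
        report["connectors"][conn.get("port")] = CLIENT_AUTH.get(mode, "unknown value")
    report["auth_method"] = web.findtext("login-config/auth-method")
    declared = {r.text for r in web.findall("security-role/role-name")}
    for sc in web.findall("security-constraint"):
        roles = {r.text for r in sc.findall("auth-constraint/role-name")}
        report["undeclared_roles"] |= roles - declared
        for coll in sc.findall("web-resource-collection"):
            # Listing <http-method> limits the constraint to those methods.
            methods = sorted(m.text for m in coll.findall("http-method"))
            report["constraints"].append({
                "patterns": [p.text for p in coll.findall("url-pattern")],
                "roles": sorted(roles), "methods": methods or "ALL"})
    return report
```

For the quoted web.xml the report lists `methods` as `['GET']`, so requests to /secured/* with other methods fall outside the constraint. The `roles` entry names what the realm has to grant to the user it derives from the certificate, which the trust store does not do on its own.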
