tomcat-users mailing list archives

From Nathan Quirynen <nat...@pensionarchitects.be>
Subject Re: Client authentication for specific path
Date Wed, 01 Oct 2014 16:16:45 GMT
On 01/10/14 18:08, Christopher Schultz wrote:
> Nathan,
>
> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>> Hi Tomcat users,
>>
>> A current application has client authentication configured in the
>> SSL Connector (server.xml):
>>
>> <Connector port="8443" ... clientAuth="true" 
>> keystoreFile=".keystore" keystorePass="..." 
>> truststoreFile=".truststore" truststorePass="..." />
>>
>> And the CA root certificates have been added to the truststore.
>>
>> This way it asks for a client certificate in any case, which works
>> and is fine for this application. For a new application the use
>> case is a bit different. I only need client authentication for a
>> specific defined path (for example: /secured/*). After some
>> research I found this was possible by defining this at the
>> application level in the web.xml file. So I changed my
>> configuration to:
>>
>> server.xml:
>>
>> <Connector port="8443" ... clientAuth="false" 
>> keystoreFile=".keystore" keystorePass="..." 
>> truststoreFile=".truststore" truststorePass="..." />
>>
>> web.xml:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Secureconn</web-resource-name>
>>     <url-pattern>/secured/*</url-pattern>
>>     <http-method>GET</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>secureconn</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> <login-config>
>>   <auth-method>CLIENT-CERT</auth-method>
>>   <realm-name>Secureconn</realm-name>
>> </login-config>
>> <security-role>
>>   <role-name>secureconn</role-name>
>> </security-role>
>>
>>
>> In this case it actually only asks for client authentication when
>> going to for example "secured/home" page. But I'm getting a 401
>> message code.
>>
>> What am I missing to get people authenticated based on the CA root 
>> certificates that are in the configured truststore? Is it even
>> possible what I am trying?
> What happens if you change clientAuth="false" to clientAuth="want"?
>
> - -chris

Hey Chris,

If I change it to want I still get the same error:

HTTP Status 401 - Cannot authenticate with the provided credentials





