tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nathan Quirynen <nat...@pensionarchitects.be>
Subject Re: Client authentication for specific path
Date Thu, 02 Oct 2014 15:05:02 GMT
On 01/10/14 18:50, Cédric Couralet wrote:
> 2014-10-01 18:16 GMT+02:00 Nathan Quirynen <nathan@pensionarchitects.be>:
>> On 01/10/14 18:08, Christopher Schultz wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> Nathan,
>>>
>>> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>>>> Hi Tomcat users,
>>>>
>>>> A current application has client authentication configured in the
>>>> SSL Connector (server.xml):
>>>>
>>>> <Connector port="8443" ... clientAuth="true"
>>>> keystoreFile=".keystore" keystorePass="..."
>>>> truststoreFile=".truststore" truststorePass="..." />
>>>>
>>>> And the CA root certificates have been added to the truststore.
>>>>
>>>> This way it asks for a client certificate in any case, which works
>>>> and is fine for this application. For a new application the use
>>>> case is a bit different. I only need client authentication for a
>>>> specific defined path (for example: /secured/*). After some
>>>> research I found this was possible with defining this on
>>>> application level in the web.xml file. So I changed my
>>>> configuration to:
>>>>
>>>> server.xml:
>>>>
>>>> <Connector port="8443" ... clientAuth="false"
>>>> keystoreFile=".keystore" keystorePass="..."
>>>> truststoreFile=".truststore" truststorePass="..." />
>>>>
>>>> web.xml:
>>>>
>>>> <security-constraint> <web-resource-collection>
>>>> <web-resource-name>Secureconn</web-resource-name>
>>>> <url-pattern>/secured/*</url-pattern>
>>>> <http-method>GET</http-method> </web-resource-collection>
>>>> <auth-constraint> <role-name>secureconn</role-name>
>>>> </auth-constraint> </security-constraint> <login-config>
>>>> <auth-method>CLIENT-CERT</auth-method>
>>>> <realm-name>Secureconn</realm-name> </login-config>
>>>> <security-role> <role-name>secureconn</role-name> </security-role>
>>>>
>>>>
>>>> In this case it actually only asks for client authentication when
>>>> going to for example "secured/home" page. But I'm getting a 401
>>>> message code.
>>>>
>>>> What am I missing to get people authenticated based on the CA root
>>>> certificates that are in the configured truststore? Is it even
>>>> possible what I am trying?
>>> What happens if you change clientAuth="false" to clientAuth="want"?
>>>
>> Hey Chris,
>>
>> If I change it to want I still get the same error:
>>
>> HTTP Status 401 - Cannot authenticate with the provided credentials
>>
>>
>>
>>
> This is because when you use the CLIENT-CERT auth-method, Tomcat add
> the SSLAuthenticator to the context (your app) which validate the cert
> on the realm.
>
> By default, that realm is the UserDatabaseRealm which stores
> credentials in tomcat-users.xml.
>
> So several choices for you, add all the certificates DN in that file
> with the right roles, or change the realm for something more suited to
> your need.
>
> Aside, you can also define which certificate attribute will be
> resolved to search for the principal, in
> X509UsernameRetrieverClassName
> (http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html)
>
> Cédric
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
With

"add all the certificates DN in that file
with the right roles"

you mean all the client certificates? Because that's not an option
(there's millions of client certificates).

I'm still not sure how I'm supposed to configure a realm to my needs.
When I search for tutorials all I get is people using tomcat-users.xml
and adding 1 client certificate...

Nathan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message