tomcat-users mailing list archives

From Nathan Quirynen <nat...@pensionarchitects.be>
Subject Re: Client authentication for specific path
Date Wed, 08 Oct 2014 13:30:05 GMT
On 03/10/14 21:18, Cédric Couralet wrote:
> 2014-10-03 17:42 GMT+02:00 Nathan Quirynen <nathan@pensionarchitects.be>:
>> On 02/10/14 19:00, Christopher Schultz wrote:
>>
>>
>> Nathan,
>>
>> On 10/1/14 12:16 PM, Nathan Quirynen wrote:
>>
>> On 01/10/14 18:08, Christopher Schultz wrote: Nathan,
>>
>> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>>
>> Hi Tomcat users,
>>
>> A current application has client authentication configured in
>> the SSL Connector (server.xml):
>>
>> <Connector port="8443" ... clientAuth="true"
>> keystoreFile=".keystore" keystorePass="..."
>> truststoreFile=".truststore" truststorePass="..." />
>>
>> And the CA root certificates have been added to the
>> truststore.
>>
>> This way it asks for a client certificate in any case, which
>> works and is fine for this application. For a new application
>> the use case is a bit different. I only need client
>> authentication for a specific defined path (for example:
>> /secured/*). After some research I found this was possible
>> with defining this on application level in the web.xml file.
>> So I changed my configuration to:
>>
>> server.xml:
>>
>> <Connector port="8443" ... clientAuth="false"
>> keystoreFile=".keystore" keystorePass="..."
>> truststoreFile=".truststore" truststorePass="..." />
>>
>> web.xml:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Secureconn</web-resource-name>
>>     <url-pattern>/secured/*</url-pattern>
>>     <!-- only GET is listed, so other methods on /secured/* are not constrained -->
>>     <http-method>GET</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>secureconn</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> <login-config>
>>   <auth-method>CLIENT-CERT</auth-method>
>>   <realm-name>Secureconn</realm-name>
>> </login-config>
>> <security-role>
>>   <role-name>secureconn</role-name>
>> </security-role>
>>
>>
>> In this case it actually only asks for client authentication
>> when going to for example "secured/home" page. But I'm
>> getting a 401 message code.
>>
>> What am I missing to get people authenticated based on the CA
>> root certificates that are in the configured truststore? Is
>> it even possible what I am trying?
>>
>> What happens if you change clientAuth="false" to
>> clientAuth="want"?
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>>
>>
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>> Hey Chris,
>>
>> If I change it to want I still get the same error:
>>
>> HTTP Status 401 - Cannot authenticate with the provided
>> credentials
>>
>> So just to be sure, the only difference between the application you
>> have that is working and the one that is not working is that you have
>> a different <url-pattern> in your web.xml?
>>
>> Generally speaking, Tomcat will authenticate the client certificate
>> just using the configuration at the <Connector> level. Using
>> CLIENT-CERT in the application is used for application credentials --
>> such as establishing roles to be used with role-based permissions.
>>
>> Do you intend to use role-based permissions and all that other stuff,
>> or do you just want to make sure that the client has a valid certificate?
>>
>> If you just want to make sure that the certificate is valid, then you
>> want to use clientAuth="want" and remove the configuration you have
>> from web.xml. Next, you will need to write a Filter that grabs the
>> X509 certificate from the request and does manual checking.
>>
>> You might be able to get some help from a series of posts I wrote a
>> few years ago about manually-handling X509 certificates:
>> http://markmail.org/message/kzxsamuiu6bldjmv
>>
>> Hope that helps,
>> - -chris
>>
>>
>>
>> Yes that's what I want. But when I set clientAuth to "want" it asks for the client
>> certificate on every path, which I don't want... I only want client authentication on the
>> specified path.
>> I'm wondering if I can solve what I need with Tomcat alone. Maybe I should put Apache
>> in front?
>
>  One way you could do it would be to :
>     - set clientAuth="false" in your connector
>     - add the security-constraint as you did except for the security-role :
>               <security-role>
>                      <role-name>*</role-name>
>              </security-role>
>  As said before, this will add the SSLAuthenticator which will ask for
> a certificate if not present (at the cost of one round trip), and
> validate that certificate on the realm for the context.
> Then you have to add a realm which does nothing else than return true
> with any certificate, by coding your own realm implementation,
> something like :
>
> import java.security.Principal;
> import java.security.cert.X509Certificate;
> import org.apache.catalina.realm.GenericPrincipal;
> import org.apache.catalina.realm.NullRealm;
>
> public class MyRealm extends NullRealm {
>
>     // Called by RealmBase.authenticate(X509Certificate[]) once the SSLAuthenticator
>     // has the client chain; with validate="true" RealmBase checks the validity period first.
>     @Override
>     protected Principal getPrincipal(X509Certificate certificate) {
>         // subject DN as the principal name, no password, no roles
>         String name = certificate.getSubjectX500Principal().getName();
>         return new GenericPrincipal(name, null, null);
>     }
> }
>
> Then, in your context.xml file (META-INF/context.xml or
> conf/Catalina/localhost/appname.xml), add that custom realm :
>
> <Context>
> <Realm className="my.package.MyRealm" validate="true" allRolesMode="authOnly"/>
> </Context>
>
> With this, the SSLAuthenticator should call your Realm and get a
> principal with the subjectDN as principal name and no roles.
> validate="true" will validate the client certificate.
> allRolesMode="authOnly" should tell tomcat to not verify any roles
> (this works with the * in security-role)
>
> This should do what you want, but there may be some security
> implications I did not see, or a much simpler way to get what you want.
>
> Good luck,
>
> --
>
> Cédric
>
>
>
Hey, thanks for the explanation.
I have tried exactly what you explained in the email above. It seems to
work, except in Internet Explorer (8) I'm getting the following error:

javax.net.ssl.SSLHandshakeException: Insecure renegotiation is not allowed
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1249)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1218)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
    at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:180)
    ...

I'm not sure why I get this error and why only in IE8 (have only tested
on version 8, will test on newer versions when possible).
All I can find on that error is that I can fix it by setting
sun.security.ssl.allowUnsafeRenegotiation to true, but this is unsafe
(even the name says it), so doesn't seem like a solution.

Anyone that has an idea what could be causing this?

Thanks for all the help this far!
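Editor's note: the alternative Chris sketched earlier in this thread (clientAuth="want" on the Connector, no CLIENT-CERT login-config, and a Filter that pulls the X509 certificate out of the request and checks it) is shown below as an added example. It is not code from the thread or from Tomcat itself. It assumes a Filter mapped to /secured/* in web.xml with two hypothetical init-params, `truststoreFile` and `truststorePass`, pointing at the same truststore the Connector uses; the class and package names are made up. Because clientAuth="want" is connector-wide, the certificate prompt still happens on every path, which is exactly the trade-off Nathan objects to above; what the Filter adds is that only /secured/* refuses requests that arrive without a certificate chaining to a trusted CA.

```java
package example.filter; // hypothetical package

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Mapped to /secured/* via web.xml. Requires a client certificate that chains
 * to one of the CA certificates in the configured truststore; everything else
 * on the site is left alone. Expects the Connector to use clientAuth="want",
 * so the handshake asks for a certificate but does not abort if none is sent.
 */
public class ClientCertFilter implements Filter {

    private PKIXParameters pkixParams;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // init-param names are an assumption of this example, not a Tomcat convention
        String path = cfg.getInitParameter("truststoreFile");
        String pass = cfg.getInitParameter("truststorePass");
        try (FileInputStream in = new FileInputStream(path)) {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            ts.load(in, pass == null ? null : pass.toCharArray());
            pkixParams = new PKIXParameters(ts);    // every trusted cert in the store is an anchor
            pkixParams.setRevocationEnabled(false); // no CRL/OCSP source configured in this example
        } catch (Exception e) {
            throw new ServletException("cannot load truststore " + path, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Tomcat exposes the chain the client presented under this standard attribute
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

        if (certs == null || certs.length == 0) {
            // clientAuth="want": the client was asked for a certificate and sent none
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        if (!chainsToTrustedCa(certs)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * PKIX-validates the presented chain (signatures, validity periods, basic
     * constraints) up to a trust anchor from the truststore.
     */
    boolean chainsToTrustedCa(X509Certificate[] certs) {
        // Drop a trailing self-signed root if the client included it: the root is
        // already an anchor, and a path that ends in its own anchor may be rejected.
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(certs));
        while (path.size() > 1) {
            X509Certificate last = path.get(path.size() - 1);
            if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) break;
            path.remove(path.size() - 1);
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPathValidator v = CertPathValidator.getInstance("PKIX");
            v.validate(cf.generateCertPath(path), pkixParams);
            return true;
        } catch (Exception e) {
            return false; // untrusted issuer, expired cert, bad signature, ...
        }
    }

    @Override
    public void destroy() { }
}
```

Two things worth knowing when using this: with clientAuth="want", JSSE already rejects the handshake for a certificate that does not verify against the Connector's truststore, so the re-validation in the Filter mostly guards against the truststores drifting apart; and revocation is switched off here, so a revoked but otherwise valid client certificate is still accepted unless a CRL or OCSP source is wired into the PKIXParameters.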

