tomcat-users mailing list archives

From Cédric Couralet <cedric.coura...@gmail.com>
Subject Re: Client authentication for specific path
Date Wed, 01 Oct 2014 16:50:22 GMT
2014-10-01 18:16 GMT+02:00 Nathan Quirynen <nathan@pensionarchitects.be>:
> On 01/10/14 18:08, Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Nathan,
>>
>> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>>> Hi Tomcat users,
>>>
>>> A current application has client authentication configured in the
>>> SSL Connector (server.xml):
>>>
>>> <Connector port="8443" ... clientAuth="true"
>>> keystoreFile=".keystore" keystorePass="..."
>>> truststoreFile=".truststore" truststorePass="..." />
>>>
>>> And the CA root certificates have been added to the truststore.
>>>
>>> This way it asks for a client certificate in any case, which works
>>> and is fine for this application. For a new application the use
>>> case is a bit different. I only need client authentication for a
>>> specific defined path (for example: /secured/*). After some
>>> research I found this was possible with defining this on
>>> application level in the web.xml file. So I changed my
>>> configuration to:
>>>
>>> server.xml:
>>>
>>> <Connector port="8443" ... clientAuth="false"
>>> keystoreFile=".keystore" keystorePass="..."
>>> truststoreFile=".truststore" truststorePass="..." />
>>>
>>> web.xml:
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>Secureconn</web-resource-name>
>>>     <url-pattern>/secured/*</url-pattern>
>>>     <http-method>GET</http-method>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>secureconn</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>> <login-config>
>>>   <auth-method>CLIENT-CERT</auth-method>
>>>   <realm-name>Secureconn</realm-name>
>>> </login-config>
>>> <security-role>
>>>   <role-name>secureconn</role-name>
>>> </security-role>
>>>
>>>
>>> In this case it actually only asks for client authentication when
>>> going to for example "secured/home" page. But I'm getting a 401
>>> message code.
>>>
>>> What am I missing to get people authenticated based on the CA root
>>> certificates that are in the configured truststore? Is it even
>>> possible what I am trying?
>> What happens if you change clientAuth="false" to clientAuth="want"?
>>

>
> Hey Chris,
>
> If I change it to want I still get the same error:
>
> HTTP Status 401 - Cannot authenticate with the provided credentials
>

This is because when you use the CLIENT-CERT auth-method, Tomcat adds
the SSLAuthenticator to the context (your app), which validates the cert
against the realm.

By default, that realm is the UserDatabaseRealm, which stores
credentials in tomcat-users.xml.

So there are several choices for you: add all the certificates' DNs in
that file with the right roles, or change the realm for something more
suited to your needs.

As an aside, you can also define which certificate attribute will be
resolved to search for the principal, in
X509UsernameRetrieverClassName
(http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html)

Cédric
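
Added example (not part of the original message, and not Tomcat's shipped configuration): a tomcat-users.xml fragment for the first option above, mapping one client certificate's subject DN to the secureconn role from the quoted web.xml. The DN and the password placeholder are constructed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/tomcat-users.xml, read by the default UserDatabaseRealm -->
<tomcat-users>
  <!-- Must match the <role-name> in the web.xml auth-constraint -->
  <role rolename="secureconn"/>

  <!--
    username: the certificate's subject DN, written exactly as the default
    username retriever reports it (attribute order, commas and spaces all
    count). The DN below is a constructed sample.
    password: not consulted for CLIENT-CERT logins, but the same user
    database can back password-based logins in other webapps, so use a
    long random value rather than something guessable.
  -->
  <user username="CN=Alice Example, OU=Clients, O=Example Corp, C=BE"
        password="REPLACE-WITH-LONG-RANDOM-VALUE"
        roles="secureconn"/>
</tomcat-users>
```

A certificate that chains to a CA in the truststore but has no matching user entry still gets the 401: trust at the TLS layer and the role lookup in the realm are separate checks.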
