From Andrew Gronosky <>
Subject Re: Newbie question re certificates
Date Tue, 02 Dec 2014 13:09:11 GMT

On 2014-12-02 04:55, John Dunn wrote:
> I have been asked the following question during an audit, which I personally don't understand.
> "When using Mutually authenticated TLS is authorisation based on the certificate name (and not just on the root CA)?"
> Can anyone clarify what exactly this means and whether Tomcat supports this?
> Cheers

I believe the question is asking whether, during the authentication 
process, Tomcat inspects the certificate and reads the CN of the client 
cert, then matches it against the set of known users (defined in 
whatever Realm you are using).

I found out just yesterday that the answer is yes, at least for Tomcat 7.

There are really two things going on with the client certs in mutual 
authentication. First, the server requests the client cert in order to 
complete the TLS handshake and establish a connection. Next, *after* the 
TLS connection is open, if the resource being accessed has an 
auth-constraint in web.xml, Tomcat checks the CN, matches it to a user 
name, maps that name to a role, and checks that the role is allowed to 
access the resource.

As I discovered yesterday, if you have a client cert that is signed by a 
CA that Tomcat trusts, but whose name (synonymously, CN) does not map to 
a recognized user, then you will connect to Tomcat but get an HTTP 401 
error as your response.  If the user name is recognized but lacks the 
required role, you get HTTP 403.

Hope this helps,

Andrew Gronosky
Raytheon BBN Technologies
10 Moulton Street
Cambridge, MA 02138
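As an added illustration (not part of the original thread), here are the configuration fragments the two phases described above map to in Tomcat 7: the HTTPS connector that demands a client certificate during the handshake, and the web.xml / tomcat-users.xml entries that drive the post-handshake user lookup and role check. File paths, passwords, the role name and the subject DN are assumed placeholders; note that Tomcat's default retriever looks the user up by the certificate's full subject DN string (which contains the CN), so the tomcat-users.xml entry must use that exact DN.

```xml
<!-- conf/server.xml: phase 1, the TLS handshake itself.
     clientAuth="true" makes the connector require a client certificate
     chained to a CA in truststoreFile; a client that cannot present one
     never gets an HTTP connection at all. (Paths/passwords are placeholders.) -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/client-ca.jks" truststorePass="changeit"
           clientAuth="true" />

<!-- WEB-INF/web.xml: phase 2, authorization after the connection is open.
     CLIENT-CERT tells the container to take the identity from the presented
     certificate; the auth-constraint is what triggers the realm lookup and
     the role check. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>example</realm-name>
</login-config>

<security-role>
  <role-name>cert-user</role-name>
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- conf/tomcat-users.xml (UserDatabaseRealm): the user name Tomcat searches
     for is the client certificate's full subject DN (hypothetical DN below).
     A trusted cert whose DN has no entry here yields HTTP 401; an entry that
     exists but lacks the cert-user role yields HTTP 403. -->
<tomcat-users>
  <role rolename="cert-user"/>
  <user username="CN=alice, OU=Engineering, O=Example Corp, C=US"
        password="" roles="cert-user"/>
</tomcat-users>
```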
