tomcat-users mailing list archives

From George Stanchev <Gstanc...@serena.com>
Subject RE: Demand CLIENT-CERT only on certain pages but demand SSL in all pages
Date Tue, 06 Oct 2015 14:46:16 GMT
Mark,

What are the possible issues with renegotiation? We're on NIO connectors, is there anything
known?

George

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Monday, October 05, 2015 8:32 AM
To: Tomcat Users List
Subject: Re: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

On 05/10/2015 12:05, Gael Abadin wrote:
> Hello, fellow users.
> 
> I've been trying to configure tomcat to request client certificate 
> authentication on a single page, while serving every other SSL page 
> without requesting a client certificate (before or after 
> authentication). Depending on the configuration I use, one of two things 
> happens: either I get a request for a client certificate on ANY HTTPS 
> page I visit first, or I do not get a request at all, never, even when 
> I launch the browser and go straight to the protected page (/my-app-name/public/login/login.xhtml).
> 
> Am I doing something wrong or is this kind of configuration just not 
> possible?

That should be possible but you'll need two security constraints. One to require TLS everywhere
and one for the pages where you require authentication.

You may also hit issues with which connectors support renegotiation (don't use APR).

Mark

> 
> Here is my web.xml security constraint and login config (I've also 
> tried omitting <login-config>):
> 
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Protected Context</web-resource-name>
>       <url-pattern>/public/login/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>CLIENT-CERT</auth-method>
>   </login-config>
> 
> 
> And here is my server.xml config (I've also tried clientAuth="false" 
> and
> clientAuth="true"):
> 
> <?xml version="1.0" encoding="UTF-8"?> <Server port="8005" 
> shutdown="SHUTDOWN">
>   <Listener 
> className="org.apache.catalina.startup.VersionLoggerListener"/>
> 
>   <!--APR library loader. Documentation at /docs/apr.html -->
>   <Listener SSLEngine="on"
> className="org.apache.catalina.core.AprLifecycleListener"/>
>   <!--Initialize Jasper prior to webapps are loaded. Documentation at 
> /docs/jasper-howto.html -->
>   <Listener className="org.apache.catalina.core.JasperListener"/>
>   <!-- Prevent memory leaks due to use of particular java/javax APIs-->
>   <Listener
> className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
>   <Listener
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
>   <Listener
> className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"
> />
> 
>   <GlobalNamingResources>
>     <Resource auth="Container" description="User database that can be 
> updated and saved"
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> name="UserDatabase" pathname="conf/tomcat-users.xml"
> type="org.apache.catalina.UserDatabase"/>
>   </GlobalNamingResources>
> 
>   <Service name="Catalina">
> 
>     <Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1"
> redirectPort="443"/>
> 
>     <Connector SSLEnabled="true" clientAuth="want" maxThreads="150"
> port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> scheme="https" secure="true" sslProtocol="TLS"/>
> 
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
> 
>     <Engine defaultHost="localhost" name="Catalina">
>       <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> resourceName="UserDatabase"/>
>       </Realm>
>       <Host appBase="webapps" autoDeploy="true" name="localhost"
> unpackWARs="true">
>         <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b"
> prefix="localhost_access_log." suffix=".txt"/>
>         <Context docBase="my-app-name" path="/my-app-name"
> reloadable="true" source="org.eclipse.jst.jee.server:cividas-core-web"/>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
> 
> It is my first Tomcat SSL client cert set up so I must be missing 
> something. Hope you may help me see it :-)
> 
> Cheers,
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


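The two-constraint layout Mark describes, written out as an added example; this is not configuration from the original post or from the Tomcat project. The first constraint carries only a user-data-constraint, so it forces TLS (plain HTTP on port 80 is redirected to redirectPort) without demanding authentication; the second adds an auth-constraint on /public/login/*, which is what makes the CLIENT-CERT authenticator ask for a certificate. The connector is switched to NIO with clientAuth="false", so the certificate is requested only when that second constraint is hit, via a TLS renegotiation, rather than in the initial handshake as clientAuth="want" does. The role name cert-user, the keystore and truststore paths, and the certificate subject DN are assumptions for the example.

```xml
<!-- web.xml (fragment) -->

<!-- Constraint 1: TLS everywhere, no authentication required.
     Only a user-data-constraint, no auth-constraint, so nobody is challenged. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Constraint 2: certificate authentication for the login page only.
     The auth-constraint is what triggers the CLIENT-CERT challenge. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate login</web-resource-name>
    <url-pattern>/public/login/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>   <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>cert-user</role-name>
</security-role>

<!-- server.xml (fragment): NIO connector, no certificate requested at handshake.
     clientAuth="false" lets Tomcat renegotiate for the certificate only when
     constraint 2 is reached; "want" would request it on the first TLS handshake
     for every page. Keystore/truststore paths are assumptions. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/client-ca.jks" truststorePass="changeit"/>

<!-- tomcat-users.xml (fragment): with CLIENT-CERT and the UserDatabaseRealm
     the user name is the certificate's Subject DN, which must carry the role.
     The DN below is an assumed example. -->
<user username="CN=Alice Example, OU=Users, O=Example Corp, C=ES"
      password="" roles="cert-user"/>
```

With this in place, `openssl s_client -connect host:443` should report "No client certificate CA names sent" for the initial handshake, confirming that ordinary HTTPS pages no longer trigger a certificate prompt; only a request to /public/login/* should then cause the server to renegotiate and ask for one. The truststore must contain the CA that issued the client certificates, otherwise the renegotiated handshake fails and the authenticator returns 401.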