tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Amit Pande <Amit.Pa...@veritas.com>
Subject Re: [EXTERNAL] Using CLIENT-CERT
Date Mon, 09 Apr 2018 22:29:43 GMT
Some more debugging here and I got some stuff working here.

Only one question:

It is not really clear from the documentation of "clientAuth"

"Set to true if you want the SSL stack to require a valid certificate chain from the client
before accepting a connection. Set to want if you want the SSL stack to request a client Certificate,
but not fail if one isn't presented. A false value (which is the default) will not require
a certificate chain unless the client requests a resource protected by a security constraint
that uses CLIENT-CERT authentication. See the SSL HowTo for an example. That SSL HowTo also
contains tips on using per-user or per-session certificate-based clientAuth."

So, if I am using a clientAuth="false" and relying on "CLIENT-CERT" configuration, does that
mean browsers won't prompt users to supply the certificate when a protected resource is accessed?

Is it because in case of "CLIENT-CERT", the client is always expected to supply a certificate?
 If yes, is there any recommended practice to configure browser for this? Or application needs
to take care of supplying one when accessing such a protected resource?

Appreciate your inputs.



On 4/8/18, 6:44 PM, "Amit Pande" <Amit.Pande@veritas.com> wrote:

    I am trying to setup Tomcat (8.5.28) and the web-app correctly in order to get the mutual
authentication (using client certificates) done but only for some recourses and not all.
    
    For instance, I have a “authenticate” API for which I want to enable the client certificate
authentication.  So, I want only a “/authenticate” URL to ask for a client certificate
from the browser.
    
    I want to first validate if this client certificate is issued by a trusted CA. If yes,
accept the request and invoke the “/authenticate” business logic which further validates
the certificate/user against our own user database.
    
    Looking at Tomcat documentation “clientAuth=want” in server.xml seemed a potential
option but the issue with that is when this results in asking for user certificate for all
the URLs being invoked from the Browser (unless we tell Browser to remember the decision).
Also, this approach results in renegotiation for every request.
    
    This is when I came across, “CLIENT-CERT” alternate, which can be configured only
for certain URL (e.g. “/authenticate” in my case). However, I am not able to get it configured
as expected. I issued a client certificate and imported in browser but still unable to get
the browser pop-up which asks for the certificate to be sent. Debugging SSL level did not
yield much.
    
    https://stackoverflow.com/questions/41438536/protecting-webresource-in-tomcat-8-5-with-client-cert
    
    This is the link that closely matches the requirement and I saw Chris’ input there.
However,
    
    
    “Realm className="org.apache.catalina.realm.UserDatabaseRealm"
        allRolesMode="authOnly"
        resourceName="UserDatabase" />
    “
    In server.xml
    
    And
    
    
    <security-constraint>
    
      <web-resource-collection>
    
        <web-resource-name>My Secure Area</web-resource-name>
    
        <url-pattern>/authenticate</url-pattern>
    
      </web-resource-collection>
    
      <user-data-constraint>
    
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    
      </user-data-constraint>
    
      <auth-constraint>
    
          <role-name>*</role-name>
    
      </auth-constraint>
    
    </security-constraint>
    
    In my web app’s web.xml.
    
    When I access the URL from browser, I expected to see a dialog asking for client-certificate
and then a successful invocation of the “/authenticate”. However, from browser, I don’t
get a pop-up and I get a HTTP 401 with below message.
    
    
    Message Cannot authenticate with the provided credentials
    
    Description The request has not been applied because it lacks valid authentication credentials
for the target resource.
    
    
    Appreciate your help on this.
    
    Thanks,
    Amit
    


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Mime
View raw message