Mailing list: Tomcat Users List <users@tomcat.apache.org>
Date: Tue, 10 Apr 2018 07:21:04 +0100
Subject: Re: [EXTERNAL] Using CLIENT-CERT
To: Tomcat Users List
From: Mark Thomas
Message-ID: <9BD2449F-7942-417B-B347-57D28F124582@apache.org>
In-Reply-To: <479438B0-CD03-4FBC-8832-52406C9590D1@veritas.com>

On 9 April 2018 23:29:43 BST, Amit Pande wrote:
> Some more debugging here and I got some stuff working here.
>
> Only one question:
>
> It is not really clear from the documentation of "clientAuth":
>
> "Set to true if you want the SSL stack to require a valid certificate
> chain from the client before accepting a connection. Set to want if you
> want the SSL stack to request a client Certificate, but not fail if one
> isn't presented. A false value (which is the default) will not require
> a certificate chain unless the client requests a resource protected by
> a security constraint that uses CLIENT-CERT authentication. See the SSL
> HowTo for an example. That SSL HowTo also contains tips on using
> per-user or per-session certificate-based clientAuth."
>
> So, if I am using clientAuth="false" and relying on the "CLIENT-CERT"
> configuration, does that mean browsers won't prompt users to supply the
> certificate when a protected resource is accessed?

In that scenario the browser will prompt the user for a certificate if
everything is correctly configured.

However, it is possible that the browser will determine that it has no
matching certificates and therefore decide not to display the certificate
prompt.

Mark

> Is it because in case of "CLIENT-CERT" the client is always expected
> to supply a certificate? If yes, is there any recommended practice to
> configure the browser for this? Or does the application need to take care
> of supplying one when accessing such a protected resource?
>
> Appreciate your inputs.
>
> On 4/8/18, 6:44 PM, "Amit Pande" wrote:
>
> I am trying to set up Tomcat (8.5.28) and the web app correctly in order
> to get mutual authentication (using client certificates) done, but
> only for some resources and not all.
>
> For instance, I have an "authenticate" API for which I want to enable
> client certificate authentication. So, I want only the
> "/authenticate" URL to ask for a client certificate from the browser.
>
> I want to first validate whether this client certificate is issued by a
> trusted CA. If yes, accept the request and invoke the "/authenticate"
> business logic, which further validates the certificate/user against our
> own user database.
>
> Looking at the Tomcat documentation, clientAuth="want" in server.xml
> seemed a potential option, but the issue with that is that it results in
> asking for the user certificate for all the URLs being invoked from the
> browser (unless we tell the browser to remember the decision). Also, this
> approach results in renegotiation for every request.
>
> This is when I came across the "CLIENT-CERT" alternative, which can be
> configured only for certain URLs (e.g. "/authenticate" in my case).
> However, I am not able to get it configured as expected. I issued a
> client certificate and imported it in the browser but am still unable to
> get the browser pop-up which asks for the certificate to be sent.
> Debugging at the SSL level did not yield much.
>
> https://stackoverflow.com/questions/41438536/protecting-webresource-in-tomcat-8-5-with-client-cert
>
> This is the link that closely matches the requirement and I saw Chris'
> input there. However,
>
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          allRolesMode="authOnly"
>          resourceName="UserDatabase" />
>
> in server.xml
>
> and
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>My Secure Area</web-resource-name>
>       <url-pattern>/authenticate</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
>
> in my web app's web.xml.
>
> When I access the URL from the browser, I expected to see a dialog asking
> for the client certificate and then a successful invocation of
> "/authenticate". However, from the browser, I don't get a pop-up and I
> get an HTTP 401 with the message below.
>
>   Message: Cannot authenticate with the provided credentials
>
>   Description: The request has not been applied because it lacks valid
>   authentication credentials for the target resource.
>
> Appreciate your help on this.
>
> Thanks,
> Amit

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
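The thread above describes the intended setup (clientAuth="false" on the connector, CLIENT-CERT only for /authenticate, a UserDatabaseRealm with allRolesMode="authOnly") but never shows the pieces together. The following is an added, self-contained configuration written for this page; it is not code from the thread or from the Tomcat project. Keystore/truststore paths, passwords and the user's subject DN are placeholders or constructed values, and the comments state which Tomcat behaviour each setting relies on.

```xml
<!-- conf/server.xml, inside <Service>. clientAuth="false" means the TLS handshake
     does not ask for a client certificate; Tomcat's SSLAuthenticator triggers a
     renegotiation to request one only when a CLIENT-CERT protected URL is hit.
     The truststore must hold the CA that issued the client certificates: the
     CA names from it are sent in the CertificateRequest, and a browser shows
     its certificate picker only for certificates chaining to one of those CAs
     (Mark's "no matching certificates" case). Paths/passwords are placeholders.
     Tomcat 8.5 still accepts these attributes; the SSLHostConfig equivalent of
     clientAuth="false" is certificateVerification="none". -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="false"
           keystoreFile="conf/server-keystore.jks"       keystorePass="CHANGEME"
           truststoreFile="conf/client-ca-truststore.jks" truststorePass="CHANGEME" />

<!-- conf/server.xml, inside <Engine> or <Host>. With allRolesMode="authOnly" a
     <role-name>*</role-name> constraint is satisfied by any authenticated
     principal, so users need no roles, but the realm must still resolve the
     certificate to a user. RealmBase maps a certificate to a username via the
     subject DN by default, so that user must exist in tomcat-users.xml. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       allRolesMode="authOnly"
       resourceName="UserDatabase" />

<!-- conf/tomcat-users.xml (constructed entry). The username is the client
     certificate's subject DN exactly as Tomcat renders it; no password is
     needed because the certificate is the credential. -->
<user username="CN=alice,OU=Users,O=Example Corp,C=GB" password="" roles="" />

<!-- WEB-INF/web.xml. Only /authenticate demands a certificate; every other
     URL is served without one. The <login-config> is what wires the
     constraint to Tomcat's SSLAuthenticator. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate-authenticated API</web-resource-name>
    <url-pattern>/authenticate</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client certificate</realm-name>
</login-config>
```

Two checks worth making before blaming the browser. First, the 401 text quoted in the thread, "Cannot authenticate with the provided credentials", is what SSLAuthenticator returns when a certificate chain did reach Tomcat but the realm returned no Principal for it (an expired certificate, or no user whose name matches the subject DN); a missing chain produces a 400 instead, so that 401 points at the realm mapping rather than at the prompt. Second, the lazy prompting depends on TLS renegotiation, which HTTP/2 forbids, so this pattern only works for requests served over HTTP/1.1.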