From users-return-264679-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org Fri May 4 20:41:38 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 7BF58180634 for ; Fri, 4 May 2018 20:41:37 +0200 (CEST) Received: (qmail 82483 invoked by uid 500); 4 May 2018 18:41:35 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 82470 invoked by uid 99); 4 May 2018 18:41:35 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 May 2018 18:41:35 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id D29D91A270F for ; Fri, 4 May 2018 18:41:34 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.998 X-Spam-Level: * X-Spam-Status: No, score=1.998 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=2, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd2-us-west.apache.org (amavisd-new); dkim=pass (1024-bit key) header.d=serenasoftware.onmicrosoft.com Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id b5yoybWaYBzp for ; Fri, 4 May 2018 18:41:33 +0000 (UTC) Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0132.outbound.protection.outlook.com [104.47.40.132]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 84E465F4E4 for ; Fri, 4 May 2018 18:41:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=SERENASOFTWARE.onmicrosoft.com; s=selector1-serena-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=t76hU4310WkFGCsJquElQlPgVQR7QPNgRIghx/+872I=; b=dONIRKFZ0QwUKxmtDhAM9NwqOw8dvEGfAn9J8IWHxPpOrEeiThmyfoUDtL3yyxPxIXogEgqSSiLs0F5vVe5o8iSsOEKSh5QpFG2uETvvz2jAWLrMR2ebw06mHbaZZt6wcolFEiZdXDYRsSyJRWWC3ufbbIAdqgWXt//ZPe1cWgo= Received: from MWHPR0501MB3914.namprd05.prod.outlook.com (10.167.173.33) by MWHPR0501MB3851.namprd05.prod.outlook.com (10.167.173.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.755.10; Fri, 4 May 2018 18:41:25 +0000 Received: from MWHPR0501MB3914.namprd05.prod.outlook.com ([fe80::6c5e:8690:70ed:913]) by MWHPR0501MB3914.namprd05.prod.outlook.com ([fe80::6c5e:8690:70ed:913%5]) with mapi id 15.20.0755.010; Fri, 4 May 2018 18:41:25 +0000 From: George Stanchev To: "users@tomcat.apache.org" Subject: client cert authentication Thread-Topic: client cert authentication Thread-Index: AdPj0m7FO96EGheFQaCMn1sedV2i3Q== Date: Fri, 4 May 2018 18:41:24 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=Gstanchev@serena.com; x-originating-ip: [73.63.44.60] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1;MWHPR0501MB3851;7:FCIajsTRUWoDCB2Mpi/r060UgpHucWnJH75eaIx1aGP/wIA47PE5GPM62rDbNsVNY+moG4NB7T1L7jWaD6yK1KIVWiMw2+CITOG9daYwPB7cCcENmqnIA9h8lUMn9GA0NZCH4luexvv2tGawtduatzXx3AOlmKd7AuUovMCMrOTglDOWzdb7v0rLqalMXa6PjPMgM5xXMk7yZ1WNJpfzV7XkpGoIdL7Ha9p3b9MmQQHh/PuWDMdjbFlisEa6VqYY x-ms-exchange-antispam-srfa-diagnostics: SOS; x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020);SRVR:MWHPR0501MB3851; x-ms-traffictypediagnostic: MWHPR0501MB3851: x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(28532068793085)(21748063052155); x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(6040522)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3231254)(944501410)(52105095)(3002001)(6041310)(20161123560045)(20161123564045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(6072148)(201708071742011);SRVR:MWHPR0501MB3851;BCL:0;PCL:0;RULEID:;SRVR:MWHPR0501MB3851; x-forefront-prvs: 06628F7CA4 x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(39380400002)(366004)(39850400004)(396003)(346002)(376002)(199004)(189003)(86362001)(106356001)(105586002)(2900100001)(68736007)(5660300001)(1240700005)(186003)(2906002)(7116003)(14454004)(66066001)(8676002)(1730700003)(97736004)(7736002)(81166006)(554214002)(9686003)(81156014)(53936002)(55016002)(486006)(6916009)(2501003)(5250100002)(6306002)(476003)(80792005)(74316002)(6506007)(6436002)(102836004)(59450400001)(54896002)(8936002)(72206003)(478600001)(3480700004)(3660700001)(33656002)(7696005)(790700001)(99286004)(5640700003)(3280700002)(316002)(26005)(6116002)(25786009)(2351001)(3846002)(133083001);DIR:OUT;SFP:1102;SCL:1;SRVR:MWHPR0501MB3851;H:MWHPR0501MB3914.namprd05.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1; received-spf: None (protection.outlook.com: serena.com does not designate permitted sender hosts) x-microsoft-antispam-message-info: g2o0obel6OT+kuHnahUfrrffiDYZw/tdVizoM/+Si/SmzuV/w8S6E4l1tpbg7LzyExONBpOnnqp9SY92ajsKPqhH1nCetTRRtz+wUFRwxLP0dNEctwCHrNR6UHJi/VTKdXnZ685zwLF623sE7nQNmEh//hkXhgn04ZRArDycqs6urkYyttnetOmFpgsfGsxc spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/alternative; boundary="_000_MWHPR0501MB3914E497F6AE2ABE046839F3CC860MWHPR0501MB3914_" MIME-Version: 1.0 X-MS-Office365-Filtering-Correlation-Id: d0b19403-d91d-443f-953d-08d5b1eea3bc X-OriginatorOrg: serena.com X-MS-Exchange-CrossTenant-Network-Message-Id: d0b19403-d91d-443f-953d-08d5b1eea3bc X-MS-Exchange-CrossTenant-originalarrivaltime: 04 May 2018 18:41:24.9660 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 0259ca67-08ed-4be7-b82b-812565f41f8c X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR0501MB3851 --_000_MWHPR0501MB3914E497F6AE2ABE046839F3CC860MWHPR0501MB3914_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I guess I am looking for some pointers how to approach a certain scenario f= rom "the right way" of implementing it. Say you have a standard login form = with user/pass edits and "Login" and "Smartcard" buttons. The "Login" butto= n does Its obvious thing. The "Smartcard" button authenticates the user usi= ng client cert SSL. The actual certificate validation happens way downstrea= m of the login page controller so all it needs to do is to extract it from = the request and pass it on to the backend. The login page can be served eit= her over http or https. The way currently is implemented, is for the "Smart= card" for the servlet to detect that the "Smartcard" has been pressed and t= o 302 to a specially designated https connector that has "clientAuth=3D"tru= e"+"trustManagerClassName=3D... AnyCertX509TrustManager" attributes that ha= ndle the client cert authentication. I suspect though that this is a hack, = and there could be a more clever way to handle this with either forwarding = or somehow manually upgrading the connection from HTTP to HTTPS/clientAuth = or HTTPS to HTTPS/clientAuth to challenge for a client certificate. I'd lik= e to eliminate the 302 and the maintenance of a separate connector. Some po= inters/advice would be appreciated... --_000_MWHPR0501MB3914E497F6AE2ABE046839F3CC860MWHPR0501MB3914_--