tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Client authentication for specific path
Date Thu, 02 Oct 2014 17:00:09 GMT
Hash: SHA256


On 10/1/14 12:16 PM, Nathan Quirynen wrote:
> On 01/10/14 18:08, Christopher Schultz wrote: Nathan,
> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>>>> Hi Tomcat users,
>>>> A current application has client authentication configured in
>>>> the SSL Connector (server.xml):
>>>> <Connector port="8443" ... clientAuth="true" 
>>>> keystoreFile=".keystore" keystorePass="..." 
>>>> truststoreFile=".truststore" truststorePass="..." />
>>>> And the CA root certificates have been added to the
>>>> truststore.
>>>> This way it asks for a client certificate in any case, which
>>>> works and is fine for this application. For a new application
>>>> the use case is a bit different. I only need client
>>>> authentication for a specific defined path (for example:
>>>> /secured/*). After some research I found this was possible
>>>> with defining this on application level in the web.xml file.
>>>> So I changed my configuration to:
>>>> server.xml:
>>>> <Connector port="8443" ... clientAuth="false" 
>>>> keystoreFile=".keystore" keystorePass="..." 
>>>> truststoreFile=".truststore" truststorePass="..." />
>>>> web.xml:
>>>> <security-constraint> <web-resource-collection> 
>>>> <web-resource-name>Secureconn</web-resource-name> 
>>>> <url-pattern>/secured/*</url-pattern> 
>>>> <http-method>GET</http-method> </web-resource-collection>

>>>> <auth-constraint> <role-name>secureconn</role-name> 
>>>> </auth-constraint> </security-constraint> <login-config>

>>>> <auth-method>CLIENT-CERT</auth-method> 
>>>> <realm-name>Secureconn</realm-name> </login-config> 
>>>> <security-role> <role-name>secureconn</role-name>
>>>> </security-role>
>>>> In this case it actually only asks for client authentication
>>>> when going to for example "secured/home" page. But I'm
>>>> getting a 401 message code.
>>>> What am I missing to get people authenticated based on the CA
>>>> root certificates that are in the configured truststore? Is
>>>> it even possible what I am trying?
> What happens if you change clientAuth="false" to
> clientAuth="want"?
> -chris
>> ---------------------------------------------------------------------
To unsubscribe, e-mail:
>> For additional commands, e-mail:
> Hey Chris,
> If I change it to want I still get the same error:
> HTTP Status 401 - Cannot authenticate with the provided
> credentials

So just to be sure, the only difference between the application you
have that is working and the one that is not working is that you have
a different <url-pattern> in your web.xml?

Generally speaking, Tomcat will authenticate the client certificate
just using the configuration at the <Connector> level. Using
CLIENT-CERT in the application is used for application credentials --
such as establishing roles to be used with role-based permissions.

Do you intend to use role-based permissions and all that other stuff,
or do you just want to make sure that the client has a valid certificate?

If you just want to make sure that the certificate is valid, then you
want to use clientAuth="want" and remove the configuration you have
from web.xml. Next, you will need to write a Filter that grabs the
X509 certificate from the request and does manual checking.

You might be able to get some help from a series of posts I wrote a
few years ago about manually-handling X509 certificates:

Hope that helps,
- -chris
Version: GnuPG v1
Comment: GPGTools -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message