From: Christopher Schultz
To: Tomcat Users List <users@tomcat.apache.org>
Date: Thu, 02 Oct 2014 13:00:09 -0400
Subject: Re: Client authentication for specific path
Nathan,

On 10/1/14 12:16 PM, Nathan Quirynen wrote:
> On 01/10/14 18:08, Christopher Schultz wrote:
>> Nathan,
>>
>> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>>> Hi Tomcat users,
>>>
>>> A current application has client authentication configured in
>>> the SSL Connector (server.xml):
>>>
>>> keystoreFile=".keystore" keystorePass="..."
>>> truststoreFile=".truststore" truststorePass="..." />
>>>
>>> And the CA root certificates have been added to the truststore.
>>>
>>> This way it asks for a client certificate in any case, which works
>>> and is fine for this application. For a new application the use case
>>> is a bit different. I only need client authentication for a specific
>>> defined path (for example: /secured/*). After some research I found
>>> this was possible with defining this on application level in the
>>> web.xml file. So I changed my configuration to:
>>>
>>> server.xml:
>>>
>>> keystoreFile=".keystore" keystorePass="..."
>>> truststoreFile=".truststore" truststorePass="..." />
>>>
>>> web.xml:
>>>
>>> Secureconn
>>> /secured/*
>>> GET
>>> secureconn
>>>
>>> CLIENT-CERT
>>> Secureconn
>>> secureconn
>>>
>>> In this case it actually only asks for client authentication when
>>> going to for example "secured/home" page. But I'm getting a 401
>>> message code.
>>>
>>> What am I missing to get people authenticated based on the CA root
>>> certificates that are in the configured truststore? Is it even
>>> possible what I am trying?
>>
>> What happens if you change clientAuth="false" to clientAuth="want"?
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
> Hey Chris,
>
> If I change it to want I still get the same error:
>
> HTTP Status 401 - Cannot authenticate with the provided credentials

So just to be sure, the only difference between the application you have that is working and the one that is not working is that you have a different in your web.xml?

Generally speaking, Tomcat will authenticate the client certificate just using the configuration at the level. Using CLIENT-CERT in the application is used for application credentials -- such as establishing roles to be used with role-based permissions.

Do you intend to use role-based permissions and all that other stuff, or do you just want to make sure that the client has a valid certificate?

If you just want to make sure that the certificate is valid, then you want to use clientAuth="want" and remove the configuration you have from web.xml. Next, you will need to write a Filter that grabs the X509 certificate from the request and does manual checking.
You might be able to get some help from a series of posts I wrote a few years ago about manually-handling X509 certificates:

http://markmail.org/message/kzxsamuiu6bldjmv

Hope that helps,
-chris
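A Filter of the kind Chris describes, as an added example that is not from this thread or from Tomcat itself: it assumes the Connector is set to clientAuth="want" (so Tomcat has already validated the presented chain against the truststore before the filter runs) and that the filter is mapped in web.xml to /secured/*; the request attribute name clientCertSubject is an assumption.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Rejects requests under /secured/* that arrive without a client certificate.
// Map it in web.xml with a <filter-mapping> whose url-pattern is /secured/*.
public class ClientCertFilter implements Filter {
    // Standard servlet attribute under which Tomcat exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // With clientAuth="want" the TLS handshake succeeds even when no
        // certificate is sent, so the attribute may be absent; treat that as forbidden.
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        X509Certificate client = certs[0]; // certs[0] is the end-entity certificate
        try {
            client.checkValidity(); // rejects expired or not-yet-valid certificates
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        // Chain validation against the truststore was already done by the Connector;
        // expose the subject DN to the application (attribute name is an assumption).
        request.setAttribute("clientCertSubject", client.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the Connector no longer requires a certificate, paths outside the filter mapping remain reachable without one, which is the per-path behaviour the original question asks for.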