tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Extended Validation Certificates Support JNDIRealm
Date Fri, 21 Apr 2017 17:42:30 GMT

Lucas,

(Bringing this back onto the list; apologies for inadvertently
replying off-list)

On 4/21/17 12:25 PM, Lucas S. Silva wrote:
> Hi Christopher,
> 
> Thanks for the reply.
> 
> Yes, the goal is to check the user certificate against some 
> configurable OIDs.

If you want to check the user certificate for some OID other than the
usual subject DN, you want to use a custom username-retriever on your
realm:

http://tomcat.apache.org/tomcat-8.0-doc/config/realm.html

Search for "X509UsernameRetrieverClassName", then write a class that
implements that interface. You can return any String value you can
pull from the certificate. The OID is up to you. The authenticator
will use the username returned by that class's
getUsername(X509Certificate) method against whatever user data store
you have configured (e.g. DataSource/JNDI/etc.).

If you want to perform some other kind of authentication (like just
verifying that the user's certificate meets some kind of requirement,
like the validity period is less than 30 days or whatever), then you
only have a few options IMO:

1. Write your own authenticator (I'd recommend subclassing whichever
one you like already, and just add your own checks before/after
delegating authentication to the superclass).

2. Use a X509UsernameRetriever as above and throw an exception if the
certificate doesn't meet your requirements.

3. Write a Filter that takes the client's certificate from the request
attributes, checks it, and takes appropriate action (logout? throw an
exception? log an error?) if the cert doesn't meet your requirements.

Hope that helps.

-chris
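As an added illustration of option 2 above (an X509UsernameRetriever that throws when the certificate does not meet a requirement), not code from this thread or from Tomcat itself: a retriever that parses the certificatePolicies extension and rejects certificates carrying none of the configured policy OIDs. The package, class name and the `com.example.tomcat.requiredPolicyOids` system property are assumptions, and the default OID in the code is a constructed placeholder.

```java
package com.example.tomcat; // hypothetical package, not part of Tomcat
import java.security.cert.X509Certificate;
import java.util.*;
import org.apache.catalina.realm.X509UsernameRetriever;

// Realm config: X509UsernameRetrieverClassName="com.example.tomcat.PolicyCheckingRetriever"
public class PolicyCheckingRetriever implements X509UsernameRetriever {
    // Hypothetical system property: comma-separated allow-list of policy OIDs (default is a placeholder).
    private final Set<String> required = new HashSet<>(Arrays.asList(
            System.getProperty("com.example.tomcat.requiredPolicyOids", "1.3.6.1.4.1.99999.1").split(",")));
    @Override
    public String getUsername(X509Certificate cert) {
        if (Collections.disjoint(policyOids(cert), required)) {
            // Option 2 from the mail: throwing here makes the authenticator reject the login.
            throw new IllegalArgumentException("certificate carries no accepted policy OID");
        }
        return cert.getSubjectX500Principal().getName(); // username = subject DN, like Tomcat's default
    }
    // Parses the DER certificatePolicies extension (2.5.29.32) into its policyIdentifier OIDs.
    static Set<String> policyOids(X509Certificate cert) {
        Set<String> oids = new HashSet<>();
        byte[] ext = cert.getExtensionValue("2.5.29.32");
        if (ext == null) return oids;
        byte[] list = tlv(tlv(ext, new int[1], 0x04), new int[1], 0x30); // OCTET STRING > SEQUENCE OF
        for (int[] pos = {0}; pos[0] < list.length; )                 // each PolicyInformation SEQUENCE
            oids.add(decodeOid(tlv(tlv(list, pos, 0x30), new int[1], 0x06)));
        return oids;
    }
    // Reads one DER TLV with the expected tag at pos[0], advances pos past it, returns the value bytes.
    private static byte[] tlv(byte[] b, int[] pos, int tag) {
        if ((b[pos[0]++] & 0xFF) != tag) throw new IllegalArgumentException("unexpected DER tag");
        int len = b[pos[0]++] & 0xFF, n = len > 0x80 ? len - 0x80 : 0;  // long-form length?
        if (n > 0) for (len = 0; n-- > 0; ) len = (len << 8) | (b[pos[0]++] & 0xFF);
        pos[0] += len;
        return Arrays.copyOfRange(b, pos[0] - len, pos[0]);
    }
    // Decodes base-128 OID content bytes into dotted form.
    private static String decodeOid(byte[] v) {
        StringBuilder sb = new StringBuilder(); long acc = 0;
        for (byte x : v) {
            acc = (acc << 7) | (x & 0x7F);
            if ((x & 0x80) != 0) continue;                            // continuation byte
            long a = acc < 80 ? acc / 40 : 2;                         // first byte packs two arcs
            sb.append(sb.length() == 0 ? a + "." + (acc - 40 * a) : "." + acc);
            acc = 0;
        }
        return sb.toString();
    }
}
```

The retriever only runs after the connector has already validated the client certificate chain against the configured truststore, so this adds a policy check on top of chain validation rather than replacing it.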

> On 21 April 2017 at 16:02, Christopher Schultz
> <chris@christopherschultz.net> wrote:
> 
> Lucas,
> 
> On 4/21/17 2:55 AM, Lucas S. Silva wrote:
>> My end goal is to check the certificate's OID. I did some research
>> and I found that in the RealmBase there is a method
>> authenticate(X509Certificate certs)
>> 
>> and in the X509Certificate there is
>> 
>> public abstract String getSigAlgOID()
>> 
>> https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/realm/RealmBase.html#authenticate(java.security.cert.X509Certificate[])
>> 
>> I suspect those should help me checking the certificate
>> Assurance Levels?
> 
> Are you trying to authenticate a user using a specific OID (which 
> one?) in the cert, or are you trying to determine if the 
> certificate is an EV certificate specifically?
> 
> -chris
> 
>> On 20 April 2017 at 19:50, Christopher Schultz
>> <chris@christopherschultz.net> wrote:
>> 
>> Lucas,
>> 
>> On 4/20/17 1:12 PM, Lucas S. Silva wrote:
>>>>> I am trying to implement a custom JNDIRealm that will do 
>>>>> some validations based on the Extended Validation 
>>>>> Certificates like the OID it this supported by tomcat?
>> 
>> The term "Extended Validation" has a special meaning when you are
>> talking about X.509 certificates. What do you mean, here, 
>> specifically, when you say "Extended Validation Certificates"?
>> 
>>>>> Or I will just get whatever the LDAP server supports? I 
>>>>> could not find which method I would have to overwrite to 
>>>>> get the extended validation certificates:
>>>>> https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/realm/JNDIRealm.html
>> 
>> What, specifically, are you trying to accomplish?
>> 
>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

