Posted to users@tomcat.apache.org by Mahesh S Kudva <ma...@robosoftin.com> on 2005/07/01 11:42:58 UTC
Certificate Authentication for individual apps
Hi All
How can I have different certificate authentication for different applications and skip certificate
authentication for some applications hosted on the same server?
Regards & Thanks
================
Mahesh S Kudva
-------------------------------------------------------
Robosoft Technologies - Partners in Product Development
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Certificate Authentication for individual apps
Posted by Mahesh S Kudva <ma...@robosoftin.com>.
Dear All
My developer gives me a .war file which I place as
jboss/server/default/deploy/test.war
Thus I have around 5 .war files placed on the server. All the apps are
presently accessed using https://myorg.com:8080/test1/,
https://myorg.com:8080/test2/ ... and so on.
Next I want to implement client auth for certain apps.
How do I go about it?
Regards & Thanks
================
Mahesh S Kudva
-----Original Message-----
From: "Bill Barker" <wb...@wilshire.com>
To: tomcat-user@jakarta.apache.org
Date: Fri, 1 Jul 2005 21:56:37 -0700
Subject: Re: Certificate Authentication for individual apps
>
> "Mahesh S Kudva" <ma...@robosoftin.com> wrote in message
> news:WorldClient-F200507020928.AA28031909@robosoftin.com...
> > Hi All
> >
> > Thanks for the note. Maybe I was not clear in my earlier mail.
> >
> > I have client authentication using certificates. I want to skip client
> > auth for certain hosted applications on the server but preserve client
> > auth for other apps.
> >
>
> On the Connector leave the 'clientAuth' attribute as 'false' (or use
> 'want', if you really want to be annoying :). Then in the webapps that care
> setup your web.xml files with something like:
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
> </login-config>
>
> In this case, any page protected by a <security-constraint> will force the
> user to send a client-cert. Unfortunately, most of the production-quality
> Realms that ship with Tomcat don't support CLIENT-CERT auth.
>
> For 4.1.x <= tcversion <= 5.0.x, there is also a request attribute that you
> can use to do the same thing. If you need it, search the archives.
>
> > Regards & Thanks
> > ================
> > Mahesh S Kudva
> >
> >
> > -----Original Message-----
> > From: Paul Singleton <pa...@jbgb.com>
> > To: Tomcat Users List <to...@jakarta.apache.org>
> > Date: Fri, 01 Jul 2005 15:32:12 +0100
> > Subject: Re: Certificate Authentication for individual apps
> >
> >> Mahesh S Kudva wrote:
> >>
> >> > How can I have different certificate authentication for different
> >> > applications and skip certificate authentication for some
> >> > applications hosted on the same server.
> >>
> >> I believe that, at least under SSL, certificates authenticate
> >> *servers* not applications, and that the Connector offers a
> >> certificate before it checks, or regardless of, the context
> >> path within that server.
> >>
> >> So you need to deploy each app at a different (virtual) host,
> >> each with a different IP address. We do this currently with
> >> 5.5.9. You can use the default keystore for all hosts, and
> >> use the (undocumented) keyAlias="myalias" Connector attribute
> >> to offer the appropriate certificate for each host, e.g.
> >>
> >> <Connector
> >>   address="288.104.197.211"
> >>   port="8443"
> >>   scheme="https"
> >>   secure="true"
> >>   sslProtocol="TLS"
> >>   keyAlias="mrk2"
> >> />
> >>
> >> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
> >>
> >> Paul Singleton
Re: Certificate Authentication for individual apps
Posted by Bill Barker <wb...@wilshire.com>.
"Mahesh S Kudva" <ma...@robosoftin.com> wrote in message
news:WorldClient-F200507020928.AA28031909@robosoftin.com...
> Hi All
>
> Thanks for the note. Maybe I was not clear in my earlier mail.
>
>
> I have client authentication using certificates. I want to skip client
> auth for certain hosted applications on the server but preserve client
> auth for other apps.
>
On the Connector leave the 'clientAuth' attribute as 'false' (or use
'want', if you really want to be annoying :). Then in the webapps that care
setup your web.xml files with something like:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
In this case, any page protected by a <security-constraint> will force the
user to send a client-cert. Unfortunately, most of the production-quality
Realms that ship with Tomcat don't support CLIENT-CERT auth.
For 4.1.x <= tcversion <= 5.0.x, there is also a request attribute that you
can use to do the same thing. If you need it, search the archives.
> Regards & Thanks
> ================
> Mahesh S Kudva
>
>
> -----Original Message-----
> From: Paul Singleton <pa...@jbgb.com>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Date: Fri, 01 Jul 2005 15:32:12 +0100
> Subject: Re: Certificate Authentication for individual apps
>
>> Mahesh S Kudva wrote:
>>
>> > How can I have different certificate authentication for different
>> > applications and skip certificate authentication for some
>> > applications hosted on the same server.
>>
>> I believe that, at least under SSL, certificates authenticate
>> *servers* not applications, and that the Connector offers a
>> certificate before it checks, or regardless of, the context
>> path within that server.
>>
>> So you need to deploy each app at a different (virtual) host,
>> each with a different IP address. We do this currently with
>> 5.5.9. You can use the default keystore for all hosts, and
>> use the (undocumented) keyAlias="myalias" Connector attribute
>> to offer the appropriate certificate for each host, e.g.
>>
>> <Connector
>>   address="288.104.197.211"
>>   port="8443"
>>   scheme="https"
>>   secure="true"
>>   sslProtocol="TLS"
>>   keyAlias="mrk2"
>> />
>>
>> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
>>
>> Paul Singleton
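A complete WEB-INF/web.xml for one of the webapps, as an added example of the per-application CLIENT-CERT setup Bill describes above (this is not code from the original post). The context name test1 comes from the thread; the role name certuser, the realm name, the Tomcat 5.x servlet 2.4 header, and the sample subject DN in the trailing comment are assumptions. The tomcat-users.xml entry in that comment assumes the stock Realm behaviour of using the client certificate's subject DN as the user name.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- WEB-INF/web.xml for the test1 webapp. Every URL in this context requires
     a client certificate; the other webapps on the same Connector are not
     affected because the Connector itself keeps clientAuth="false". -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>test1</display-name>

  <!-- Protect the whole context. Narrow the url-pattern (for example
       /admin/*) if only part of the application needs the certificate. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test1 (certificate holders only)</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- role name is an assumption; it must be granted by the Realm -->
      <role-name>certuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- never serve the protected pages over plain HTTP -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- CLIENT-CERT makes Tomcat request the client certificate (by
       renegotiating the SSL session) the first time a protected page
       in this context is hit. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>test1</realm-name>
  </login-config>

  <security-role>
    <role-name>certuser</role-name>
  </security-role>

  <!-- Matching entry for conf/tomcat-users.xml (assumed MemoryRealm or
       UserDatabaseRealm): the user name is the certificate's subject DN
       string. The DN below is constructed for this example.
       <user username="CN=Alice Example, OU=Dev, O=Example Org, C=US"
             password="" roles="certuser"/>
  -->
</web-app>
```

Two things to check before relying on this: the Connector must trust the CA that issued the client certificates (the truststoreFile attribute on Tomcat 5.5, otherwise the JVM's default truststore), and the Realm in use must actually accept a certificate (Bill's caveat above). With clientAuth="false" the handshake completes without a certificate and only the constrained context triggers the prompt; with clientAuth="want" every user of every webapp on that Connector is asked to pick a certificate, which is the annoyance Bill alludes to.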
Re: Certificate Authentication for individual apps
Posted by Mahesh S Kudva <ma...@robosoftin.com>.
Hi All
Thanks for the note. Maybe I was not clear in my earlier mail.
I have client authentication using certificates. I want to skip client
auth for certain hosted applications on the server but preserve client
auth for other apps.
Regards & Thanks
================
Mahesh S Kudva
-----Original Message-----
From: Paul Singleton <pa...@jbgb.com>
To: Tomcat Users List <to...@jakarta.apache.org>
Date: Fri, 01 Jul 2005 15:32:12 +0100
Subject: Re: Certificate Authentication for individual apps
> Mahesh S Kudva wrote:
>
> > How can I have different certificate authentication for different
> > applications and skip certificate authentication for some
> > applications hosted on the same server.
>
> I believe that, at least under SSL, certificates authenticate
> *servers* not applications, and that the Connector offers a
> certificate before it checks, or regardless of, the context
> path within that server.
>
> So you need to deploy each app at a different (virtual) host,
> each with a different IP address. We do this currently with
> 5.5.9. You can use the default keystore for all hosts, and
> use the (undocumented) keyAlias="myalias" Connector attribute
> to offer the appropriate certificate for each host, e.g.
>
> <Connector
>   address="288.104.197.211"
>   port="8443"
>   scheme="https"
>   secure="true"
>   sslProtocol="TLS"
>   keyAlias="mrk2"
> />
>
> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
>
> Paul Singleton
Re: Certificate Authentication for individual apps
Posted by Paul Singleton <pa...@jbgb.com>.
Mahesh S Kudva wrote:
> How can I have different certificate authentication for different applications and skip certificate
> authentication for some applications hosted on the same server?
I believe that, at least under SSL, certificates authenticate
*servers* not applications, and that the Connector offers a
certificate before it checks, or regardless of, the context
path within that server.
So you need to deploy each app at a different (virtual) host,
each with a different IP address. We do this currently with
5.5.9. You can use the default keystore for all hosts, and
use the (undocumented) keyAlias="myalias" Connector attribute
to offer the appropriate certificate for each host, e.g.
<Connector
  address="288.104.197.211"
  port="8443"
  scheme="https"
  secure="true"
  sslProtocol="TLS"
  keyAlias="mrk2"
/>
(in 5.5.9 you also need sslProtocol="TLS" explicitly)
Paul Singleton
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.8.8/35 - Release Date: 30/Jun/2005
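A conf/server.xml fragment for the one-host-per-IP-address approach Paul describes above, as an added example that is not from his post. The IP addresses, the host names under myorg.com, the key aliases, keystore file names and passwords are constructed for this example; keyAlias and the explicit sslProtocol="TLS" are the attributes his snippet uses. It goes one step further than the snippet: the certificate-only host gets its own Connector with clientAuth="true", so that host needs no web.xml changes, and each host lives in its own Service so that the Host header alone cannot route a request from the no-certificate address to the certificate-only webapps (that separation is a design choice of this example, not something the post states).

```xml
<!-- conf/server.xml fragment for Tomcat 5.5. Before SNI the server
     certificate is chosen by the address the client connected to, so each
     host needs its own address, its own Connector and its own keyAlias.
     Addresses, host names, aliases, file names and passwords below are
     constructed for this example. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Service A: test1.myorg.com, client certificate required by the TLS
       handshake for everything reached through this address. -->
  <Service name="Catalina-test1">
    <Connector address="10.0.0.11" port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               sslProtocol="TLS"
               keystoreFile="conf/hosts.jks" keystorePass="changeit"
               keyAlias="test1"
               clientAuth="true"
               truststoreFile="conf/client-ca.jks" truststorePass="changeit" />
    <Engine name="Catalina-test1" defaultHost="test1.myorg.com">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <!-- DNS for test1.myorg.com points at 10.0.0.11; only the webapps in
           this appBase are reachable through the clientAuth="true" Connector. -->
      <Host name="test1.myorg.com" appBase="webapps-test1"
            unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>

  <!-- Service B: test2.myorg.com and the other applications, no client
       certificate is ever requested on this address. -->
  <Service name="Catalina-test2">
    <Connector address="10.0.0.12" port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               sslProtocol="TLS"
               keystoreFile="conf/hosts.jks" keystorePass="changeit"
               keyAlias="test2"
               clientAuth="false" />
    <Engine name="Catalina-test2" defaultHost="test2.myorg.com">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <!-- DNS for test2.myorg.com points at 10.0.0.12. -->
      <Host name="test2.myorg.com" appBase="webapps-test2"
            unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
```

Both Connectors read the same keystore and pick their certificate by alias, as Paul's post suggests. The truststoreFile on Service A holds only the CA that issues client certificates; with clientAuth="true" the TLS layer rejects any connection that cannot present a certificate chaining to it, and an application that additionally needs the caller's identity still declares CLIENT-CERT in its web.xml so the Realm maps the certificate to a user.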