Posted to users@tomcat.apache.org by Manuel Llabata <ml...@hotmail.com> on 2009/03/09 16:42:09 UTC

Unable to have unprotected and protected resources by client-cert authentication

Hi everybody,
 
I am trying to configure Apache Tomcat in https mode with two types of resources:
1. Unprotected resources anyone can visit
2. Protected resources, where the client has to authenticate with a certificate (issued by a known Certification Authority).
 
The problem is that till now I have just been able to protect all the resources or none of them. 
The only way I found to have both protected and unprotected resources is using realm authentication [1]:

To specify a requirement that protected resources be received over a protected transport layer connection (SSL), specify a user data constraint in the application deployment descriptor. The following is an example of a web.xml application deployment descriptor that specifies that SSL be used:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>view dept data</web-resource-name>
        <url-pattern>/hr/employee/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>DEPT_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

And defining in the tomcat-users.xml (or another resource if any other standard realm implementation is used) the users that play the DEPT_ADMIN role. 

The problem is I don't know previously the owner of the certificate to include it in the realm configuration. The application should allow access to any user who presents a valid certificate issued by a previously known CA.
I've found a reported bug from two months ago [2], but it's reported as closed now.

My configuration is:
Win XP SP3
Apache Tomcat 6.0
Java 1.5

I'll really appreciate it if anyone can help me out.
Thanks in advance, Manuel
[1] http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxw.html
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=46498
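
An added example, not part of the original message and not Tomcat code: a small Python audit that reports which URL patterns a web.xml actually protects, with which roles, methods and transport guarantee. The `<web-app>` wrapper and the `<login-config>` element in the sample are constructed assumptions; the `<security-constraint>` is the one quoted in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the post, wrapped in an assumed
# <web-app> root with an assumed CLIENT-CERT <login-config>.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>view dept data</web-resource-name>
      <url-pattern>/hr/employee/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>DEPT_ADMIN</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Text of every descendant element called `name`."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]

def audit(web_xml):
    """Summarise each <security-constraint> so unprotected paths stand out."""
    root = ET.fromstring(web_xml)
    auth = _texts(root, "auth-method")
    report = {"auth_method": auth[0] if auth else None, "constraints": []}
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        auth_c = next((e for e in sc if _local(e.tag) == "auth-constraint"), None)
        methods = _texts(sc, "http-method")
        report["constraints"].append({
            "patterns": _texts(sc, "url-pattern"),
            "methods": methods or ["*"],
            # None: no authentication required; []: access denied to everyone
            "roles": None if auth_c is None else _texts(auth_c, "role-name"),
            "requires_tls": "CONFIDENTIAL" in _texts(sc, "transport-guarantee"),
            # Listing methods leaves every other HTTP method unconstrained
            "unlisted_methods_unconstrained": bool(methods),
        })
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML))
```

Any URL pattern that appears in no constraint of the report is unprotected by the deployment descriptor.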