Posted to users@tomcat.apache.org by Jo...@abvv.be on 2006/08/08 12:00:40 UTC

Client Certificate -- All Authenticated Users

All:
 
I am writing an Application which is using client-cert as an
authentication process. I successfully configured Tomcat to use SSL and
ask for the certificate and everything works. However I still have one
problem.
 
In order for the security to work I have to add the DN of the
certificate to the tomcat-users.xml file. So you have something like
this:
 
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="CN=Alice SPECIMEN (Authentication), C=BE"
        password="null" roles="tomcat,role1"/>
  <user username="tomcat" password="xxxxx" roles="tomcat"/>
  <user username="role1" password="xxxxx" roles="role1"/>
  <user username="both" password="xxxx" roles="tomcat,role1"/>
  <user username="SERIALNUMBER=xxxxxx, GIVENNAME=yyyyyy, SURNAME=zzzzzz, CN=wwwwwww, C=dd"
        password="null" roles="tomcat,role1"/>
</tomcat-users>
 
The web.xml is configured in the following way to allow "all
authenticated" users to do stuff. (To my knowledge the * means all
authenticated users, in my case users belonging to role1)
 
...
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <description>Authenticated Users</description>
    <role-name>role1</role-name>
  </security-role>
  <security-constraint>
    <display-name>constrained1</display-name>
    <web-resource-collection>
      <web-resource-name>jspPages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>PUT</http-method>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
      <http-method>TRACE</http-method>
      <http-method>POST</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
 
If I do it like this, it works perfectly and
request.getUserPrincipal() has a value. However this means that I have
to add the DN of all certificates in use to the tomcat-users file. In my
case this is impossible. For me a user is "authenticated" if his client
certificate is accepted (meaning it was not revoked - this is where OCSP
and CRLs come in).
So here is the question:
 
Is there a way to configure tomcat in such a way that, when tomcat
accepts the client certificate, the user is automatically authenticated
(and belongs to a default group) and the request.getUserPrincipal() is
filled in with the relevant information from the certificate.
 
Thanks

Re: Client Certificate -- All Authenticated Users

Posted by Mark Thomas <ma...@apache.org>.
Joost.HELDENS@abvv.be wrote:
> The web.xml is configured in the following way to allow "all
> authenticated" users to do stuff. (To my knowledge the * means all
> authenticated users, in my case users belonging to role1)

The "*" role does not mean all authenticated users. It means all users
with one or more roles that are defined in this web.xml.

> Is there a way to configure tomcat in such a way that, when tomcat
> accepts the client certificate, the user is automatically authenticated
> (and belongs to a default group) and the request.getUserPrincipal() is
> filled in with the relevant information from the certificate.

Sorry, no. Is setting clientAuth="true" (see
http://tomcat.apache.org/tomcat-5.5-doc/config/http.html) sufficient?

If not, other options include:
- a custom realm
- a filter looking for javax.servlet.request.X509Certificate

HTH,

Mark
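As an added example (not part of this thread, and not Tomcat's own code), a hypothetical servlet filter along the lines of Mark's second suggestion: it reads the `javax.servlet.request.X509Certificate` attribute that the connector populates once `clientAuth="true"` has made the TLS handshake require a certificate, rejects requests that arrived without one, and wraps the request so that `getUserPrincipal()` and `getRemoteUser()` return the certificate subject. The class name `ClientCertPrincipalFilter`, the default role name `role1` (taken from the thread's tomcat-users.xml) and the `*.jsp` mapping are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example code, not from the thread or from Tomcat):
 * treats any client certificate the SSL connector accepted as an
 * authenticated user who belongs to one default role.
 *
 * Registered in web.xml as, e.g.:
 *   <filter>
 *     <filter-name>clientCert</filter-name>
 *     <filter-class>ClientCertPrincipalFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>clientCert</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *   </filter-mapping>
 */
public class ClientCertPrincipalFilter implements Filter {

    // Standard servlet attribute under which the container exposes the client chain
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Assumption: every accepted certificate holder gets this one role
    private static final String DEFAULT_ROLE = "role1";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // No certificate reached the container: either the connector does not
            // require one (clientAuth not set) or the request is not over SSL at all.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "A client certificate is required");
            return;
        }

        // certs[0] is the end-entity certificate; the connector has already checked
        // the chain against its trust store before this attribute is set.
        final X509Certificate clientCert = certs[0];
        final Principal subject = clientCert.getSubjectX500Principal();

        // Hand downstream servlets/JSPs a request whose principal is the cert subject
        HttpServletRequest wrapped = new HttpServletRequestWrapper(request) {
            public Principal getUserPrincipal() {
                return subject;
            }

            public String getRemoteUser() {
                // RFC 2253 form of the DN, e.g. "CN=Alice SPECIMEN (Authentication),C=BE"
                return subject.getName();
            }

            public boolean isUserInRole(String role) {
                return DEFAULT_ROLE.equals(role);
            }
        };

        chain.doFilter(wrapped, response);
    }
}
```

Two things to keep in mind with this approach. The wrapper only affects code that runs after the filter (servlets and JSPs), not the container's own evaluation of `<security-constraint>`: an `<auth-constraint>` with `<role-name>*</role-name>` would still require a realm match, so that element has to go, while the `<user-data-constraint>` forcing SSL can stay. And the filter does no revocation checking of its own: it trusts whatever the connector accepted, so OCSP or CRL checks remain a connector or trust-store concern rather than something this code provides.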

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org