Posted to users@tomcat.apache.org by Арсений Зинченко <se...@gmail.com> on 2014/02/04 12:32:00 UTC

Using different SSL-connector settings for various Context

Hi.

The task is to have the ability to use HTTP/HTTPS without clientAuth for
ROOT, but to enable two-factor auth (clientAuth="true" and using
trustedstore.jks) for the other Context.

Can somebody please give any tips?

Re: Using different SSL-connector settings for various Context

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Арсений,

On 2/4/14, 6:32 AM, Арсений Зинченко wrote:
> Hi.
> 
> The task is to have the ability to use HTTP/HTTPS without clientAuth for
> ROOT, but to enable two-factor auth (clientAuth="true" and using
> trustedstore.jks) for the other Context.
> 
> Can somebody please give any tips?

You have two options:

1. Set clientAuth="want" in the <Connector> and then set
<auth-type>CLIENT-CERT</auth-type> in your application's web.xml (this
will force the user to provide a certificate to authenticate to the
web application when necessary, but not until they hit a protected
resource).

2. Use more than one <Connector> with different clientAuth settings,
and map the connectors separately to your web application. Note that
Tomcat can't do this directly for you. Instead, you'd have to put
another network component (such as httpd) in front of Tomcat, like this:

HTTPS:443  --> httpd  --- 8443  ---> /webappA
                 |
                 +------- 8444  ---> /webappB

You don't have to use HTTPS between httpd and Tomcat; you can use AJP
which can send the client certificate over to Tomcat just fine.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
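Chris's second option written out as an added example that is not from the thread or from the Tomcat project: httpd terminates TLS once, asks the browser for a client certificate only under /sourcename/ (the path protected in the poster's web.xml) and hands the verified certificate to Tomcat over AJP, so a single AJP connector replaces the two HTTPS connectors in the diagram. The hostname, the certificate paths and the AJP port 8009 are assumptions.

```apache
# Added example (not from the thread). Assumed: Tomcat listens on an AJP
# connector at 127.0.0.1:8009; hostname and certificate paths are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName tomcat.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    # CA that issued the acceptable client certificates; this plays the
    # role of trustedstore.jks from the original question.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # Host-wide default: never ask the browser for a certificate, so ROOT
    # keeps working for clients that have none.
    SSLVerifyClient none

    # Export the verified certificate (SSL_CLIENT_CERT) so that
    # mod_proxy_ajp forwards it and Tomcat's CLIENT-CERT authenticator
    # can read it from the request.
    SSLOptions +StdEnvVars +ExportCertData

    # Only this path requires a client certificate. httpd renegotiates on
    # the first request under it and answers 403 if no chain verifies
    # against client-ca.crt, before Tomcat ever sees the request.
    <Location /sourcename/>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>

    # Everything, with or without a certificate, goes to the same Tomcat.
    ProxyPass / ajp://127.0.0.1:8009/
</VirtualHost>
```

On the Tomcat side this needs only an AJP connector in server.xml (`<Connector port="8009" protocol="AJP/1.3" />`; recent Tomcat releases additionally want a `secret` or `secretRequired="false"`) together with the CLIENT-CERT <security-constraint> shown elsewhere in this thread. Tomcat's own clientAuth attribute is not involved, because httpd owns the TLS session.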


Re: Using different SSL-connector settings for various Context

Posted by André Warnier <aw...@ice-sa.com>.
Арсений Зинченко wrote:
...

> 
> I tried to google it, but nothing... Can you please give a link to
> something about it?
> 

I believe that this is all part of the Servlet Specification, which Tomcat only 
implements.  So the Tomcat docs will not repeat everything.
Look here for some pointers:

http://tomcat.apache.org/tomcat-7.0-doc/index.html
The "specifications" item points here :
http://wiki.apache.org/tomcat/Specifications#Java_Servlet_Specifications







Re: Using different SSL-connector settings for various Context

Posted by Арсений Зинченко <se...@gmail.com>.
> Please don't top post here. Respond below the text to which you are
> responding.
> It's easier to read that way. See below.

Sorry, it's Google's formatting when you press "Answer".

> That should be solvable just by the <auth-requirements> of each Context.

I tried to google it, but nothing... Can you please give a link to
something about it?

Plus some additional info.

Now we use this configuration via web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>*</web-resource-name>
      <url-pattern>/sourcename/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>cert</role-name>
  </security-role>

And for ROOT, the configuration is described in server.xml:

  <Context docBase="ROOT" path="">
    <Valve className="org.apache.catalina.valves.SomeAuthValve"
           FLDAPAppName="SOME"
           FLDAPDebug="1"
           FLDAPLogin="https://some" />
  </Context>

So the task is to create a second Context for
<url-pattern>/sourcename/*</url-pattern> with
<auth-method>CLIENT-CERT</auth-method>, but in Context "terminology".


2014-02-04 André Warnier <aw...@ice-sa.com>:

> Hi.
>
> Please don't top post here. Respond below the text to which you are
> responding.
> It's easier to read that way. See below.
>
>
>
>> 2014-02-04 André Warnier <aw...@ice-sa.com>:
>>
>>> Арсений Зинченко wrote:
>>>
>>>> Hi.
>>>>
>>>> The task is to have the ability to use HTTP/HTTPS without clientAuth for
>>>> ROOT, but to enable two-factor auth (clientAuth="true" and using
>>>> trustedstore.jks) for the other Context.
>>>>
>>>> Can somebody please give any tips?
>>>>
>>>>
>>> I don't know much about SSL, but isn't the answer right here?
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>>>
>>> clientAuth
>>>
>>> Set to true if you want the SSL stack to require a valid certificate
>>> chain from the client before accepting a connection. Set to want if you
>>> want the SSL stack to request a client Certificate, but not fail if one
>>> isn't presented. A false value (which is the default) will not require a
>>> certificate chain unless the client requests a resource protected by a
>>> security constraint that uses CLIENT-CERT authentication.
>>>
>>> If I understand the above correctly, then setting clientAuth="false" in
>>> the Connector, and then requesting a CLIENT-CERT authentication only in
>>> your "other Context", should do the trick, no?
>>>
>>>
>>>
> Арсений Зинченко wrote:
> > Yes, this is exactly what I want, and I see this manual too.
> > But how do I specify a different clientAuth= for different Contexts? I
> > found "SSL Authenticator
> > Valve<http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>",
> > but there is nothing about how to do it... And I don't see any
> > possibility to do it with any other Context
> > options<http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...
> >
> >
> Sorry, as I mentioned earlier, I do not know much about SSL and cannot
> help you with the details.
>
> One thing though: the setup of an SSL connection happens *before* Tomcat
> even knows to which application the browser wants to talk.  Some properties
> of that connection may not be changeable anymore, at the level of a Context.
> You can just tell the Context to make use or not of some of these
> properties, not really change them.
>
> In your case though, it seems that you want the following:
> - clients connect via SSL
> - some Contexts then (later) require clientAuth
> - and some other Contexts (later) do not require clientAuth
> That should be solvable just by the <auth-requirements> of each Context.
>
> If you want some Contexts to be accessible via HTTP/HTTPS, and others
> only via HTTPS, that also is a parameter that you can specify in each
> context's web.xml.
> (<transport-guarantee> or something like that)
>

Re: Using different SSL-connector settings for various Context

Posted by André Warnier <aw...@ice-sa.com>.
Hi.

Please don't top post here. Respond below the text to which you are responding.
It's easier to read that way. See below.

> 
> 2014-02-04 André Warnier <aw...@ice-sa.com>:
> 
>> Арсений Зинченко wrote:
>>
>>> Hi.
>>>
>>> The task is to have the ability to use HTTP/HTTPS without clientAuth for
>>> ROOT, but to enable two-factor auth (clientAuth="true" and using
>>> trustedstore.jks) for the other Context.
>>>
>>> Can somebody please give any tips?
>>>
>>>
>> I don't know much about SSL, but isn't the answer right here?
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>>
>> clientAuth
>>
>> Set to true if you want the SSL stack to require a valid certificate chain
>> from the client before accepting a connection. Set to want if you want the
>> SSL stack to request a client Certificate, but not fail if one isn't
>> presented. A false value (which is the default) will not require a
>> certificate chain unless the client requests a resource protected by a
>> security constraint that uses CLIENT-CERT authentication.
>>
>> If I understand the above correctly, then setting clientAuth="false" in
>> the Connector, and then requesting a CLIENT-CERT authentication only in
>> your "other Context", should do the trick, no?
>>
>>

Арсений Зинченко wrote:
> Yes, this is exactly what I want, and I see this manual too.
> But how do I specify a different clientAuth= for different Contexts? I
> found "SSL Authenticator
> Valve<http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>",
> but there is nothing about how to do it... And I don't see any
> possibility to do it with any other Context
> options<http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...
 >
 >
Sorry, as I mentioned earlier, I do not know much about SSL and cannot help you with the 
details.

One thing though: the setup of an SSL connection happens *before* Tomcat even knows to
which application the browser wants to talk.  Some properties of that connection may not
be changeable anymore, at the level of a Context.
You can just tell the Context to make use or not of some of these properties, not really
change them.

In your case though, it seems that you want the following:
- clients connect via SSL
- some Contexts then (later) require clientAuth
- and some other Contexts (later) do not require clientAuth
That should be solvable just by the <auth-requirements> of each Context.

If you want some Contexts to be accessible via HTTP/HTTPS, and others only via HTTPS,
that also is a parameter that you can specify in each context's web.xml.
(<transport-guarantee> or something like that)





Re: Using different SSL-connector settings for various Context

Posted by Арсений Зинченко <se...@gmail.com>.
Yes, this is exactly what I want, and I see this manual too.
But how do I specify a different clientAuth= for different Contexts? I
found "SSL Authenticator
Valve<http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>",
but there is nothing about how to do it... And I don't see any
possibility to do it with any other Context
options<http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...



2014-02-04 André Warnier <aw...@ice-sa.com>:

> Арсений Зинченко wrote:
>
>> Hi.
>>
>> The task is to have the ability to use HTTP/HTTPS without clientAuth for
>> ROOT, but to enable two-factor auth (clientAuth="true" and using
>> trustedstore.jks) for the other Context.
>>
>> Can somebody please give any tips?
>>
>>
> I don't know much about SSL, but isn't the answer right here?
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>
> clientAuth
>
> Set to true if you want the SSL stack to require a valid certificate chain
> from the client before accepting a connection. Set to want if you want the
> SSL stack to request a client Certificate, but not fail if one isn't
> presented. A false value (which is the default) will not require a
> certificate chain unless the client requests a resource protected by a
> security constraint that uses CLIENT-CERT authentication.
>
> If I understand the above correctly, then setting clientAuth="false" in
> the Connector, and then requesting a CLIENT-CERT authentication only in
> your "other Context", should do the trick, no?
>
>

Re: Using different SSL-connector settings for various Context

Posted by André Warnier <aw...@ice-sa.com>.
Арсений Зинченко wrote:
> Hi.
> 
> The task is to have the ability to use HTTP/HTTPS without clientAuth for
> ROOT, but to enable two-factor auth (clientAuth="true" and using
> trustedstore.jks) for the other Context.
> 
> Can somebody please give any tips?
> 

I don't know much about SSL, but isn't the answer right here?

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

clientAuth

Set to true if you want the SSL stack to require a valid certificate chain from the client 
before accepting a connection. Set to want if you want the SSL stack to request a client 
Certificate, but not fail if one isn't presented. A false value (which is the default) 
will not require a certificate chain unless the client requests a resource protected by a 
security constraint that uses CLIENT-CERT authentication.

If I understand the above correctly, then setting clientAuth="false" in the Connector, and
then requesting a CLIENT-CERT authentication only in your "other Context", should do the
trick, no?

