Posted to users@tomcat.apache.org by "Jung, Alexander (AGIS)" <al...@ALLIANZ.DE> on 2007/03/06 14:29:15 UTC

How to request a client Certificate Authentication ?

Hello,
 
I am trying to implement a custom client certificate authentication that does
some complicated LDAP lookups in the background and returns an authenticated
value to the applications via request.getRemoteUser().
 
Peeking through the jcifs source, I chose to implement a filter. This
works, but I'd like to limit the areas where the Tomcat SSL connector asks
for SSL client authentication.
 
I configured the connector with clientAuth="false" and tried to force SSL
client authentication within the application's web.xml with:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Zugriffsschutz</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
 
But this does not make the connector ask for a client certificate. How do I
make the connector ask for it? (clientAuth="true" in the connector's
configuration works, but limits access to all pages to users that have
client certs.)

I'm using Tomcat 5.5.20.

Regards,
Alexander Jung

AW: How to request a client Certificate Authentication ?

Posted by "Jung, Alexander (AGIS)" <al...@allianz.de>.
Hello,

I just found it searching the list.

clientAuth="want"

does what I need: it permits users without client certs, but asks for them in
case they have some.
This, together with my filter that checks for the certs, brings the desired
effect.

Kind regards,
Alexander Jung

> -----Original Message-----
> From: Jung, Alexander (AGIS)
> Sent: Tuesday, 6 March 2007 14:39
> To: Tomcat Users List
> Subject: AW: How to request a client Certificate Authentication ?
> 
> Hi,
> 
> I'm not trying to see the SSL stuff itself, but to make the connector ask for a
> client certificate.
> This works with the security-constraint config mentioned below, if I
> reference a role from the user realm. As I do not have the users defined in
> some realm, I try to find a way to make the connector switch to requesting a
> client certificate without referencing a realm.
> 
> The only alternative would be to dump the filter and implement a realm?
> 
> Kind regards,
> Alexander Jung
> 
> 
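An added example, not code from this thread: a Servlet 2.4 filter of the kind the poster describes, assuming the connector is set to clientAuth="want" and the protected area is /secure/* as in the web.xml above. The CN-of-subject mapping is an assumed stand-in for the poster's LDAP lookup; the filter also enforces that a certificate is present on the protected path, which "want" alone does not.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Turns the client cert negotiated by a clientAuth="want" connector into getRemoteUser(). */
public class ClientCertFilter implements Filter {
    // Standard Servlet-spec request attribute under which Tomcat exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        X509Certificate[] certs = (X509Certificate[]) http.getAttribute(CERT_ATTR);
        // Same URL space as the /secure/* security-constraint in the thread's web.xml.
        boolean protectedPath = http.getRequestURI().startsWith(http.getContextPath() + "/secure/");
        if (certs == null || certs.length == 0) {
            // "want" lets the handshake succeed without a cert, so the filter enforces it here.
            if (protectedPath) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                        "client certificate required");
                return;
            }
            chain.doFilter(req, res);
            return;
        }
        // certs[0] is the end-entity cert, already verified against the connector's truststore.
        final String user = userNameFor(certs[0]);
        chain.doFilter(new HttpServletRequestWrapper(http) {
            public String getRemoteUser() { return user; }
        }, res);
    }

    /** Assumed stand-in for the poster's LDAP lookup: the CN of the certificate subject. */
    static String userNameFor(X509Certificate cert) throws ServletException {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
            throw new ServletException("certificate subject has no CN");
        } catch (InvalidNameException e) {
            throw new ServletException("unparsable certificate subject", e);
        }
    }
}
```

Map the filter to /* in web.xml so that unprotected pages still pass through and only /secure/* is refused without a certificate.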

AW: How to request a client Certificate Authentication ?

Posted by "Jung, Alexander (AGIS)" <al...@allianz.de>.
Hi,

I'm not trying to see the SSL stuff itself, but to make the connector ask for a
client certificate.
This works with the security-constraint config mentioned below, if I
reference a role from the user realm. As I do not have the users defined in
some realm, I try to find a way to make the connector switch to requesting a
client certificate without referencing a realm.

The only alternative would be to dump the filter and implement a realm?

Kind regards,
Alexander Jung
 

> -----Original Message-----
> From: Dima Retov [mailto:dima@axisway.com]
> Sent: Tuesday, 6 March 2007 14:33
> To: Tomcat Users List
> Subject: Re: How to request a client Certificate Authentication ?
> 
> Hi,
> 
> SSL stuff happens before any actual HTTP data is sent.
> It is not possible to see the request's URL at this stage.
> 
> Dima
> 

Re: How to request a client Certificate Authentication ?

Posted by Dima Retov <di...@axisway.com>.
Hi,

SSL stuff happens before any actual HTTP data is sent.
It is not possible to see the request's URL at this stage.

Dima

-- 
Best regards,
 Dima                            mailto:dima@axisway.com



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org