Posted to users@tomcat.apache.org by Ma...@telekom.de on 2013/02/20 13:01:55 UTC

Tomcat Client Authentication

Hello dear Tomcat Users and Developers,

I want my Tomcat to use client authentication to check the access of different users. I created all certs (HTTPS works), but if I connect with a client and send my client cert I always get a 403 error. I don't think it's a problem of the certificates but of the configuration of Tomcat. This is the config for the client auth in the web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>PartNos</web-resource-name>
            <url-pattern>/TNR/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-role>
        <role-name>secureconn</role-name>
    </security-role>
    <security-role>
        <role-name>admin</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>PartNoSecure</web-resource-name>
            <url-pattern>/TNR/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>secureconn</role-name>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

And this is my tomcat-users.xml ("Maximilian Schmidt" is the CN of my client-certificate):

        <role rolename="admin" />
        <role rolename="secureconn"/>
        <user username="Maximilian Schmidt" password="123456789" roles="secureconn, admin"/>

And finally the server.xml Connector:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:\Users\mschm223\Documents\My-PKI\keystore\keystore.jks"
               keystorePass="123456" keyAlias="server_cert_req" clientAuth="true" sslProtocol="TLS"
               truststoreFile="C:\Users\mschm223\Documents\My-PKI\keystore\truststore.jks"
               truststorePass="123456" />


I looked into the log files but there are no errors. I am using Tomcat 6.0.36 and Windows 7. Thank you very much for your help.

Sincerely,
Maximilian Schmidt


RE: Tomcat Client Authentication

Posted by Ma...@telekom.de.
I solved my problem, I changed my web.xml to the following:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>PartNos</web-resource-name>
            <url-pattern>/TNR/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>secureconn</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-role>
        <role-name>converter-api</role-name>
    </security-role>
    <security-role>
        <role-name>secureconn</role-name>
    </security-role>
    <security-role>
        <role-name>admin</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>PartNoSecure</web-resource-name>
            <url-pattern>/TNR/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>secureconn</role-name>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

Thank you all for your advice!

Best regards,
Maximilian Schmidt

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat Client Authentication

Posted by Cédric Couralet <ce...@gmail.com>.
2013/2/20  <Ma...@telekom.de>:
> Hello Cedric,
>
>>And look at the first line which could be Owner or Subject (I only have a French version at the moment which says Propriétaire:)
>
> (I created another Client-Cert)
> I did it and it shows me: CN=User03, OU=Any, O=Company, L=City, ST=Something, C=DE
>
> So I wrote:
> <user username="CN=User03, OU=Any, O=Company, L=City, ST=Something, C=DE" password="" roles="secureconn, admin"/>
>
> But still I get a 403 error when I try to connect. Maybe this is helpful: I used a PKCS12 certificate to install it into my browser (with private and public key).
>
> Does anyone have an idea, why this doesn't work?
>

A 403 error usually means the user does not have the right role for
this resource.
You can see what is going on by putting these lines at the end of your
logging.properties file:
org.apache.catalina.realm.level=DEBUG
org.apache.catalina.authenticator.level=DEBUG


And check the log file.



RE: Tomcat Client Authentication

Posted by Ma...@telekom.de.
Hello Cedric,

>And look at the first line which could be Owner or Subject (I only have a French version at the moment which says Propriétaire:)

(I created another Client-Cert)
I did it and it shows me: CN=User03, OU=Any, O=Company, L=City, ST=Something, C=DE

So I wrote:
<user username="CN=User03, OU=Any, O=Company, L=City, ST=Something, C=DE" password="" roles="secureconn, admin"/>

But still I get a 403 error when I try to connect. Maybe this is helpful: I used a PKCS12 certificate to install it into my browser (with private and public key).

Does anyone have an idea, why this doesn't work?

Best regards,
Maximilian Schmidt



Re: Tomcat Client Authentication

Posted by Cédric Couralet <ce...@gmail.com>.
2013/2/20  <Ma...@telekom.de>:
> Hello Mark,
>
> Thank you for the quick answer! Could you explain how I can change the way the user name is derived from the cert? I don't have a DN in my certificate (only E, CN, OU, O, L, S, C). That would be great.
>
Hello,

The different E, CN,... are elements which compose the DN.
You can retrieve it with the keytool program:

keytool -printcert -file <path/to/certificatePem>

And look at the first line which could be Owner or Subject (I only
have a French version at the moment which says Propriétaire:)



RE: Tomcat Client Authentication

Posted by Ma...@telekom.de.
Hello Mark,

Thank you for the quick answer! Could you explain how I can change the way the user name is derived from the cert? I don't have a DN in my certificate (only E, CN, OU, O, L, S, C). That would be great.

Kind regards,
Maximilian Schmidt 




Re: Tomcat Client Authentication

Posted by Mark Thomas <ma...@apache.org>.
On 20/02/2013 12:01, Maximilian-Schmidt@telekom.de wrote:
> And this is my tomcat-users.xml ("Maximilian Schmidt" is the CN of my client-certificate):
>
>          <role rolename="admin" />
>          <role rolename="secureconn"/>
>          <user username="Maximilian Schmidt" password="123456789" roles="secureconn, admin"/>

By default, you have to use the DN, not the CN.

See X509UsernameRetrieverClassName
in
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#Common_Attributes

You can provide a custom implementation to change how the user name is 
derived from the cert.

Mark


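As an added illustration of the custom implementation Mark refers to (this is example code, not from the thread or from Tomcat itself): a retriever that maps the client certificate to its CN, so a tomcat-users.xml entry like "Maximilian Schmidt" matches without spelling out the whole DN. It assumes Tomcat 7 or later (the X509UsernameRetriever interface and the X509UsernameRetrieverClassName Realm attribute do not exist in Tomcat 6.0), and the package and class names are invented for the example.

```java
// Example code, not part of Tomcat or of the thread's configuration.
// Wire it into the Realm in server.xml (class name is hypothetical):
//   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
//          resourceName="UserDatabase"
//          X509UsernameRetrieverClassName="example.CnUsernameRetriever"/>
package example;

import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.apache.catalina.realm.X509UsernameRetriever;

public class CnUsernameRetriever implements X509UsernameRetriever {

    @Override
    public String getUsername(X509Certificate clientCert) {
        // RFC 2253 form gives a stable string regardless of how the
        // issuing tool formatted the subject (spacing, attribute order).
        String dn = clientCert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        try {
            // Walk the RDNs and return the first CN attribute found.
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Unparseable subject: refuse rather than guess a name.
        }
        // No CN in the subject: return null so no user entry can match
        // and the request is rejected, the same outcome as an unknown user.
        return null;
    }
}
```

A CN is only as unique as the CAs in the truststore make it, so this mapping is only safe when every CA that clientAuth="true" trusts is one whose CN assignment you control.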