Posted to users@tomcat.apache.org by Nathan Quirynen <na...@pensionarchitects.be> on 2014/10/01 16:02:45 UTC

Client authentication for specific path

Hi Tomcat users,

A current application has client authentication configured in the SSL
Connector (server.xml):

<Connector port="8443"
...
clientAuth="true"
keystoreFile=".keystore"
keystorePass="..."
truststoreFile=".truststore"
truststorePass="..."
/>

And the CA root certificates have been added to the truststore.

This way it asks for a client certificate in any case, which works and
is fine for this application.
For a new application the use case is a bit different. I only need
client authentication for a specific defined path (for example: /secured/*).
After some research I found this was possible by defining this at
application level in the web.xml file. So I changed my configuration to:

server.xml:

<Connector port="8443"
...
clientAuth="false"
keystoreFile=".keystore"
keystorePass="..."
truststoreFile=".truststore"
truststorePass="..."
/>

web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secureconn</web-resource-name>
            <url-pattern>/secured/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>secureconn</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Secureconn</realm-name>
    </login-config>
    <security-role>
        <role-name>secureconn</role-name>
    </security-role>


In this case it actually only asks for client authentication when going
to, for example, the "secured/home" page.
But I'm getting a 401 message code.

What am I missing to get people authenticated based on the CA root
certificates that are in the configured truststore? Is what I am trying
even possible?

Greetings,
Nathan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Client authentication for specific path

Posted by Nathan Quirynen <na...@pensionarchitects.be>.
On 03/10/14 21:18, Cédric Couralet wrote:
> 2014-10-03 17:42 GMT+02:00 Nathan Quirynen <na...@pensionarchitects.be>:
>> Yes that's what I want. But when I set clientAuth to "want" it asks for the client certificate on every path, which I don't want... I only want client authentication on the specified path.
>> I'm wondering if I can solve what I need with Tomcat alone. Maybe I should put Apache in front?
>
> One way you could do it would be to:
>     - set clientAuth="false" in your connector
>     - add the security-constraint as you did, except for the security-role:
>           <security-role>
>               <role-name>*</role-name>
>           </security-role>
> As said before, this will add the SSLAuthenticator, which will ask for
> a certificate if not present (at the cost of one round trip) and
> validate that certificate on the realm for the context.
> Then you have to add a realm which does nothing but return true
> with any certificate, by coding your own realm implementation,
> something like:
>
> import java.security.Principal;
> import java.security.cert.X509Certificate;
> import java.util.Collections;
>
> import org.apache.catalina.realm.GenericPrincipal;
> import org.apache.catalina.realm.NullRealm;
>
> public class MyRealm extends NullRealm {
>
>     // Called by the SSLAuthenticator (through RealmBase.authenticate(X509Certificate[]))
>     // with the client certificate the TLS layer already verified against the truststore.
>     // Map it to a principal named after the subject DN, with no roles.
>     @Override
>     protected Principal getPrincipal(X509Certificate certificate) {
>         String name = certificate.getSubjectDN().getName();
>         // Tomcat 7/8 constructor: (name, password, roles)
>         return new GenericPrincipal(name, null, Collections.<String>emptyList());
>     }
>
> }
>
> Then, in your context.xml file (META-INF/context.xml or
> conf/Catalina/localhost/appname.xml), add that custom realm :
>
> <Context>
> <Realm className="my.package.MyRealm" validate="true" allRolesMode="authOnly"/>
> </Context>
>
> With this, the SSLAuthenticator should call your Realm and get a
> principal with the subjectDN as principal name and no roles.
> validate="true" will validate the client certificate.
> allRolesMode="authOnly" should tell Tomcat not to verify any roles
> (this works with the * in security-role).
>
> This should do what you want, but there may be some security
> implications I did not see, or a much simpler way to get what you want.
>
> Good luck,
>
> --
>
> Cédric
>
>
>
Hey, thanks for the explanation.
I have tried exactly what you explained in the email above. It seems to
work, except in Internet Explorer (8) I'm getting following error:

javax.net.ssl.SSLHandshakeException: Insecure renegotiation is not allowed
    at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1249)
    at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1218)
    at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
    at
org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:180)
    ...

I'm not sure why I get this error and why only in IE8 (have only tested
on version 8, will test on newer versions when possible).
All I can find on that error is that I can fix it by setting
sun.security.ssl.allowUnsafeRenegotiation to true, but this is unsafe
(even the name says it), so doesn't seem like a solution.

Anyone that has an idea what could be causing this?

Thanks for all the help this far!


Re: Client authentication for specific path

Posted by Cédric Couralet <ce...@gmail.com>.
2014-10-03 17:42 GMT+02:00 Nathan Quirynen <na...@pensionarchitects.be>:
>
>
>
> Yes that's what I want. But when I set clientAuth to "want" it asks for the client certificate on every path, which I don't want... I only want client authentication on the specified path.
> I'm wondering if I can solve what I need with Tomcat alone. Maybe I should put Apache in front?


One way you could do it would be to:
    - set clientAuth="false" in your connector
    - add the security-constraint as you did, except for the security-role:
          <security-role>
              <role-name>*</role-name>
          </security-role>
As said before, this will add the SSLAuthenticator, which will ask for
a certificate if not present (at the cost of one round trip) and
validate that certificate on the realm for the context.
Then you have to add a realm which does nothing but return true
with any certificate, by coding your own realm implementation,
something like:

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.NullRealm;

public class MyRealm extends NullRealm {

    // Called by the SSLAuthenticator (through RealmBase.authenticate(X509Certificate[]))
    // with the client certificate the TLS layer already verified against the truststore.
    // Map it to a principal named after the subject DN, with no roles.
    @Override
    protected Principal getPrincipal(X509Certificate certificate) {
        String name = certificate.getSubjectDN().getName();
        // Tomcat 7/8 constructor: (name, password, roles)
        return new GenericPrincipal(name, null, Collections.<String>emptyList());
    }

}

Then, in your context.xml file (META-INF/context.xml or
conf/Catalina/localhost/appname.xml), add that custom realm :

<Context>
<Realm className="my.package.MyRealm" validate="true" allRolesMode="authOnly"/>
</Context>

With this, the SSLAuthenticator should call your Realm and get a
principal with the subjectDN as principal name and no roles.
validate="true" will validate the client certificate.
allRolesMode="authOnly" should tell Tomcat not to verify any roles
(this works with the * in security-role).

This should do what you want, but there may be some security
implications I did not see, or a much simpler way to get what you want.

Good luck,

--

Cédric



Re: Client authentication for specific path

Posted by Nathan Quirynen <na...@pensionarchitects.be>.
On 02/10/14 19:00, Christopher Schultz wrote:
> Nathan,
>
> On 10/1/14 12:16 PM, Nathan Quirynen wrote:
>> On 01/10/14 18:08, Christopher Schultz wrote: Nathan,
>>
>> What happens if you change clientAuth="false" to
>> clientAuth="want"?
>>
>> -chris
>> Hey Chris,
>>
>> If I change it to want I still get the same error:
>>
>> HTTP Status 401 - Cannot authenticate with the provided
>> credentials
> So just to be sure, the only difference between the application you
> have that is working and the one that is not working is that you have
> a different <url-pattern> in your web.xml?
>
> Generally speaking, Tomcat will authenticate the client certificate
> just using the configuration at the <Connector> level. Using
> CLIENT-CERT in the application is used for application credentials --
> such as establishing roles to be used with role-based permissions.
>
> Do you intend to use role-based permissions and all that other stuff,
> or do you just want to make sure that the client has a valid certificate?
>
> If you just want to make sure that the certificate is valid, then you
> want to use clientAuth="want" and remove the configuration you have
> from web.xml. Next, you will need to write a Filter that grabs the
> X509 certificate from the request and does manual checking.
>
> You might be able to get some help from a series of posts I wrote a
> few years ago about manually-handling X509 certificates:
> http://markmail.org/message/kzxsamuiu6bldjmv
>
> Hope that helps,
> - -chris
>
>
Yes that's what I want. But when I set clientAuth to "want" it asks for
the client certificate on every path, which I don't want... I only want
client authentication on the specified path.
I'm wondering if I can solve what I need with Tomcat alone. Maybe I
should put Apache in front?

Nathan



Re: Client authentication for specific path

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Nathan,

On 10/1/14 12:16 PM, Nathan Quirynen wrote:
> On 01/10/14 18:08, Christopher Schultz wrote: Nathan,
> 
> What happens if you change clientAuth="false" to
> clientAuth="want"?
> 
> -chris
> 
> Hey Chris,
> 
> If I change it to want I still get the same error:
> 
> HTTP Status 401 - Cannot authenticate with the provided
> credentials

So just to be sure, the only difference between the application you
have that is working and the one that is not working is that you have
a different <url-pattern> in your web.xml?

Generally speaking, Tomcat will authenticate the client certificate
just using the configuration at the <Connector> level. Using
CLIENT-CERT in the application is used for application credentials --
such as establishing roles to be used with role-based permissions.

Do you intend to use role-based permissions and all that other stuff,
or do you just want to make sure that the client has a valid certificate?

If you just want to make sure that the certificate is valid, then you
want to use clientAuth="want" and remove the configuration you have
from web.xml. Next, you will need to write a Filter that grabs the
X509 certificate from the request and does manual checking.

You might be able to get some help from a series of posts I wrote a
few years ago about manually handling X509 certificates:
http://markmail.org/message/kzxsamuiu6bldjmv

Hope that helps,
- -chris

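Chris's suggestion of a Filter that grabs the X509 certificate from the request and checks it itself, written out as an added example (not code from the thread or from Tomcat): it reads the javax.servlet.request.X509Certificate attribute Tomcat populates, validates the chain the client presented (PKIX, expiry included) against the same truststore the Connector uses, and rejects everything else. The class name and the init-params truststoreFile/truststorePass are my own choice; it assumes the Connector runs with clientAuth="want" and that the filter is mapped on /secured/* with a filter-mapping.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (hypothetical, not from the thread): lets a request through
 * only if the TLS layer presented a client certificate whose chain validates
 * against the configured truststore. Map it on the paths that need a client
 * certificate (e.g. /secured/*) and run the Connector with clientAuth="want".
 */
public class ClientCertFilter implements Filter {

    /** Request attribute Tomcat fills with the peer certificate chain (leaf first). */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private PKIXParameters pkixParams;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Assumed init-params: the same .truststore (and password) the Connector uses.
        String path = config.getInitParameter("truststoreFile");
        String pass = config.getInitParameter("truststorePass");
        try (InputStream in = new FileInputStream(path)) {
            KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
            trust.load(in, pass == null ? null : pass.toCharArray());
            // Every CA certificate in the truststore becomes a PKIX trust anchor.
            pkixParams = new PKIXParameters(trust);
            // No CRL/OCSP source is configured in this example; enable this once you have one.
            pkixParams.setRevocationEnabled(false);
        } catch (IOException | GeneralSecurityException e) {
            throw new ServletException("cannot load truststore " + path, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // With clientAuth="want" a client may decline to send a certificate;
            // the handshake still succeeds, so the check has to happen here.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        try {
            validate(certs);
        } catch (GeneralSecurityException e) {
            // Untrusted issuer, broken chain or expired certificate all end up here.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate rejected");
            return;
        }
        // Hand the verified subject to the application (for logging or a user lookup).
        req.setAttribute("verifiedClientDN", certs[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    /** Builds a CertPath from the presented chain and validates it against the trust anchors. */
    void validate(X509Certificate[] certs) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(certs));
        CertPathValidator.getInstance("PKIX").validate(path, pkixParams);
    }

    @Override
    public void destroy() {
    }
}
```

Because the JSSE layer already rejected chains that do not lead to the truststore during the handshake, the PKIX check here mainly guards against the "no certificate at all" case that clientAuth="want" permits and gives the application one place to add revocation or policy checks.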


Re: Client authentication for specific path

Posted by Nathan Quirynen <na...@pensionarchitects.be>.
On 01/10/14 18:50, Cédric Couralet wrote:
> 2014-10-01 18:16 GMT+02:00 Nathan Quirynen <na...@pensionarchitects.be>:
>> On 01/10/14 18:08, Christopher Schultz wrote:
>>> What happens if you change clientAuth="false" to clientAuth="want"?
>>>
>> Hey Chris,
>>
>> If I change it to want I still get the same error:
>>
>> HTTP Status 401 - Cannot authenticate with the provided credentials
>>
> This is because when you use the CLIENT-CERT auth-method, Tomcat adds
> the SSLAuthenticator to the context (your app), which validates the cert
> on the realm.
>
> By default, that realm is the UserDatabaseRealm which stores
> credentials in tomcat-users.xml.
>
> So several choices for you, add all the certificates DN in that file
> with the right roles, or change the realm for something more suited to
> your need.
>
> Aside, you can also define which certificate attribute will be
> resolved to search for the principal, in
> X509UsernameRetrieverClassName
> (http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html)
>
> Cédric
>
>
With

"add all the certificates DN in that file
with the right roles"

you mean all the client certificates? Because that's not an option
(there's millions of client certificates).

I'm still not sure how I'm supposed to configure a realm to my needs.
When I search for tutorials all I get is people using tomcat-users.xml
and adding 1 client certificate...

Nathan



Re: Client authentication for specific path

Posted by Cédric Couralet <ce...@gmail.com>.
2014-10-01 18:16 GMT+02:00 Nathan Quirynen <na...@pensionarchitects.be>:
> On 01/10/14 18:08, Christopher Schultz wrote:
>> What happens if you change clientAuth="false" to clientAuth="want"?
>>

>
> Hey Chris,
>
> If I change it to want I still get the same error:
>
> HTTP Status 401 - Cannot authenticate with the provided credentials
>
>
>
>

This is because when you use the CLIENT-CERT auth-method, Tomcat adds
the SSLAuthenticator to the context (your app), which validates the cert
against the realm.

By default, that realm is the UserDatabaseRealm, which stores
credentials in tomcat-users.xml.

So there are several choices for you: add all the certificates' DNs in that file
with the right roles, or change the realm for something more suited to
your needs.

As an aside, you can also define which certificate attribute will be
resolved to search for the principal, in
X509UsernameRetrieverClassName
(http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html)

Cédric
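The "change the realm" option above, as an added example that is not part of this thread and not Tomcat's own code: a minimal Realm that accepts any client certificate the connector's truststore has already validated during the TLS handshake and maps its holder to one role, so that the web.xml CLIENT-CERT constraint on /secured/* works without listing DNs in tomcat-users.xml. The package and class names, the `role` attribute and the context.xml wiring in the comments are assumptions; it assumes Tomcat 7 or later for the `GenericPrincipal(String, String, List)` constructor.

```java
// Added example (not from the thread). Wire it into the application's
// META-INF/context.xml, keeping clientAuth="want" on the connector:
//   <Realm className="com.example.tomcat.TrustedCertRealm" role="secureconn"/>
package com.example.tomcat; // hypothetical package

import java.security.Principal;
import java.util.Collections;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class TrustedCertRealm extends RealmBase {

    // Role granted to every authenticated certificate holder; Tomcat's digester
    // sets it from the role="..." attribute on the <Realm> element.
    private String role = "secureconn";

    public void setRole(String role) { this.role = role; }
    public String getRole() { return role; }

    // Abstract in Tomcat 7, no longer declared in later versions; hence no @Override.
    protected String getName() { return "TrustedCertRealm"; }

    // No stored passwords: RealmBase.authenticate(username, credentials) compares
    // against this value and fails when it is null, so BASIC/FORM/DIGEST logins
    // can never succeed through this realm. Only the certificate path authenticates.
    @Override
    protected String getPassword(String username) { return null; }

    // Reached from RealmBase.authenticate(X509Certificate[]) once the
    // SSLAuthenticator has the chain. Trust in the chain was decided by the JSSE
    // connector against truststoreFile, and RealmBase (validate="true", the
    // default) has already checked the validity dates. "username" is what the
    // configured X509UsernameRetrieverClassName extracted, by default the subject DN.
    @Override
    protected Principal getPrincipal(String username) {
        if (username == null || username.isEmpty()) {
            return null; // no usable identity -> SSLAuthenticator answers 401
        }
        return new GenericPrincipal(username, null, Collections.singletonList(role));
    }
}
```

Because every certificate chaining to a CA in the truststore gets the role, keep only the intended issuer CAs in truststoreFile, and note that revocation is not checked by this realm at all (the connector's crlFile attribute is where a CRL would be configured).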



Re: Client authentication for specific path

Posted by Nathan Quirynen <na...@pensionarchitects.be>.
On 01/10/14 18:08, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Nathan,
>
> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>> Hi Tomcat users,
>>
>> A current application has client authentication configured in the
>> SSL Connector (server.xml):
>>
>> <Connector port="8443" ... clientAuth="true" 
>> keystoreFile=".keystore" keystorePass="..." 
>> truststoreFile=".truststore" truststorePass="..." />
>>
>> And the CA root certificates have been added to the truststore.
>>
>> This way it asks for a client certificate in any case, which works
>> and is fine for this application. For a new application the use
>> case is a bit different. I only need client authentication for a
>> specific defined path (for example: /secured/*). After some
>> research I found this was possible with defining this on 
>> application level in the web.xml file. So I changed my
>> configuration to:
>>
>> server.xml:
>>
>> <Connector port="8443" ... clientAuth="false" 
>> keystoreFile=".keystore" keystorePass="..." 
>> truststoreFile=".truststore" truststorePass="..." />
>>
>> web.xml:
>>
>> <security-constraint> <web-resource-collection> 
>> <web-resource-name>Secureconn</web-resource-name> 
>> <url-pattern>/secured/*</url-pattern> 
>> <http-method>GET</http-method> </web-resource-collection> 
>> <auth-constraint> <role-name>secureconn</role-name> 
>> </auth-constraint> </security-constraint> <login-config> 
>> <auth-method>CLIENT-CERT</auth-method> 
>> <realm-name>Secureconn</realm-name> </login-config> 
>> <security-role> <role-name>secureconn</role-name> </security-role>
>>
>>
>> In this case it actually only asks for client authentication when
>> going to for example "secured/home" page. But I'm getting a 401
>> message code.
>>
>> What am I missing to get people authenticated based on the CA root 
>> certificates that are in the configured truststore? Is it even
>> possible what I am trying?
> What happens if you change clientAuth="false" to clientAuth="want"?
>
> - -chris

Hey Chris,

If I change it to want I still get the same error:

HTTP Status 401 - Cannot authenticate with the provided credentials


Re: Client authentication for specific path

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nathan,

On 10/1/14 10:02 AM, Nathan Quirynen wrote:
> Hi Tomcat users,
> 
> A current application has client authentication configured in the
> SSL Connector (server.xml):
> 
> <Connector port="8443" ... clientAuth="true" 
> keystoreFile=".keystore" keystorePass="..." 
> truststoreFile=".truststore" truststorePass="..." />
> 
> And the CA root certificates have been added to the truststore.
> 
> This way it asks for a client certificate in any case, which works
> and is fine for this application. For a new application the use
> case is a bit different. I only need client authentication for a
> specific defined path (for example: /secured/*). After some
> research I found this was possible with defining this on 
> application level in the web.xml file. So I changed my
> configuration to:
> 
> server.xml:
> 
> <Connector port="8443" ... clientAuth="false" 
> keystoreFile=".keystore" keystorePass="..." 
> truststoreFile=".truststore" truststorePass="..." />
> 
> web.xml:
> 
> <security-constraint> <web-resource-collection> 
> <web-resource-name>Secureconn</web-resource-name> 
> <url-pattern>/secured/*</url-pattern> 
> <http-method>GET</http-method> </web-resource-collection> 
> <auth-constraint> <role-name>secureconn</role-name> 
> </auth-constraint> </security-constraint> <login-config> 
> <auth-method>CLIENT-CERT</auth-method> 
> <realm-name>Secureconn</realm-name> </login-config> 
> <security-role> <role-name>secureconn</role-name> </security-role>
> 
> 
> In this case it actually only asks for client authentication when
> going to for example "secured/home" page. But I'm getting a 401
> message code.
> 
> What am I missing to get people authenticated based on the CA root 
> certificates that are in the configured truststore? Is it even
> possible what I am trying?

What happens if you change clientAuth="false" to clientAuth="want"?

- -chris