Posted to users@tomcat.apache.org by Sanjeev Sharma <sa...@buchanan-edwards.com> on 2012/02/09 17:17:38 UTC

controlling Server Authentication only vs Mutual authentication

Hi,

I work on a Java web-app running on Tomcat 7.  The entire application is required to be doing SSL on port 443 (everything is accessed via https://).  Two different login options are given to the user: username/password or client certificate authentication.  We employ application-managed security as opposed to container-managed (i.e. we don't use realms).  I have the following connector in my server.xml:

<Connector port="443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="d:\certs\server_cert.jks"
           keystorePass="changeit"
           truststoreFile="d:\certs\truststore.jks"
           truststorePass="changeit"
           clientAuth="true"
           sslProtocol="TLS" />


This forces mutual authentication on anything I try to access using https.  How can I configure Tomcat so that only specific links (a specific Struts action, for example) would require mutual authentication, or how can I exclude them from the mutual authentication?

Thanks,
Sanjeev.

RE: controlling Server Authentication only vs Mutual authentication

Posted by Sanjeev Sharma <sa...@buchanan-edwards.com>.
That's what I thought.  Thanks anyway.  This is good information!

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Tuesday, February 14, 2012 11:50 AM
To: Tomcat Users List
Subject: Re: controlling Server Authentication only vs Mutual authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sanjeev,

On 2/13/12 11:01 PM, Sanjeev Sharma wrote:
> Thanks for your reply.  If I set clientAuth="want" will it not ask 
> me for a certificate every time I create a new session?

It will not ask for a certificate, but if you provide one, then it will
be used.

> And if I'm forwarding (or redirecting) from a page that only
> requires straight SSL with server authentication to one which
> requires mutual authentication, will it force the browser to prompt
> for a client certificate?

This won't work with forwarding, because that's all done after the
Connector has performed the SSL negotiation: if you want to change the
SSL rules, you'll have to perform a redirect to a location that
requires SSL. Or, I suppose, you could sniff the certificate at some
point and perform a redirect if you needed the certificate.

Cert negotiation is done at the SSL level (before your code even knows
there is a request) and I don't believe the webapp itself can tell
Tomcat how to respond because it's too late.

If you redirect to a place that requires a client certificate, then
the certificate will be requested. I'm fairly sure that means you'll
have to use a different port number or IP address, since you can't
have two different settings for "clientAuth" on a single connector:
you'll need two (or more).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk86kLsACgkQ9CaO5/Lv0PBprgCgurJCNmUu4PnunjGRCQCP7b0C
PD4An2hUad5YMctmWAR+h6vpGjxpTeql
=rzrP
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



Re: controlling Server Authentication only vs Mutual authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sanjeev,

On 2/13/12 11:01 PM, Sanjeev Sharma wrote:
> Thanks for your reply.  If I set clientAuth="want" will it not ask 
> me for a certificate every time I create a new session?

It will not ask for a certificate, but if you provide one, then it will
be used.

> And if I'm forwarding (or redirecting) from a page that only
> requires straight SSL with server authentication to one which
> requires mutual authentication, will it force the browser to prompt
> for a client certificate?

This won't work with forwarding, because that's all done after the
Connector has performed the SSL negotiation: if you want to change the
SSL rules, you'll have to perform a redirect to a location that
requires SSL. Or, I suppose, you could sniff the certificate at some
point and perform a redirect if you needed the certificate.

Cert negotiation is done at the SSL level (before your code even knows
there is a request) and I don't believe the webapp itself can tell
Tomcat how to respond because it's too late.

If you redirect to a place that requires a client certificate, then
the certificate will be requested. I'm fairly sure that means you'll
have to use a different port number or IP address, since you can't
have two different settings for "clientAuth" on a single connector:
you'll need two (or more).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk86kLsACgkQ9CaO5/Lv0PBprgCgurJCNmUu4PnunjGRCQCP7b0C
PD4An2hUad5YMctmWAR+h6vpGjxpTeql
=rzrP
-----END PGP SIGNATURE-----



RE: controlling Server Authentication only vs Mutual authentication

Posted by Sanjeev Sharma <sa...@buchanan-edwards.com>.
Christopher/Pid,

Thanks for your reply.  If I set clientAuth="want" will it not ask me for a certificate every time I create a new session?  And if I'm forwarding (or redirecting) from a page that only requires straight SSL with server authentication to one which requires mutual authentication, will it force the browser to prompt for a client certificate?

Sanjeev.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Monday, February 13, 2012 4:23 PM
To: Tomcat Users List
Subject: Re: controlling Server Authentication only vs Mutual authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pid,

On 2/13/12 3:39 PM, Pid wrote:
> On 13/02/2012 17:42, Christopher Schultz wrote:
>> Sanjeev,
>> 
>> On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
>>> I work on a Java web-app running on Tomcat 7. The entire 
>>> application is required to be doing SSL on port 443 (everything is
>>>  accessed via https://). Two different login options are given
>>> to the user: username/password or client certificate
>>> authentication. We employ application-managed security as
>>> opposed to container-managed (i.e. we don't use realms). I have
>>> the following connector in my server.xml:
>> 
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
>>> maxThreads="150" scheme="https" secure="true" 
>>> keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit"
>>>  truststoreFile="d:\certs\truststore.jks"
>>> truststorePass="changeit" clientAuth="true" sslProtocol="TLS"
>>> />
>> 
>> 
>>> This forces mutual authentication on anything I try to access 
>>> using https. How can I configure tomcat so that only specific
>>> links (a specific struts action for example) would require
>>> mutual authentication or how can I exclude from the mutual 
>>> authentication.
>> 
>> I think what you want is clientAuth="want" and then you can
>> maybe write a Filter that requires certain SSL certificate
>> features in order to pass-through. Then, just map your Filter to
>> those areas that require (additional?) SSL authentication.
> 
> Is this a variation on the SSLFormFallback thing again?

It's tough to tell. At any rate, here's the link for the OP:
http://wiki.apache.org/tomcat/SSLWithFORMFallback

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk85f0cACgkQ9CaO5/Lv0PCGswCfQYAJWL099gO+Qe7/Q7nrKtrl
GJUAni7zQNZyWjonMnygEmCraQXsGf/+
=XBwa
-----END PGP SIGNATURE-----




Re: controlling Server Authentication only vs Mutual authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pid,

On 2/13/12 3:39 PM, Pid wrote:
> On 13/02/2012 17:42, Christopher Schultz wrote:
>> Sanjeev,
>> 
>> On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
>>> I work on a Java web-app running on Tomcat 7. The entire 
>>> application is required to be doing SSL on port 443 (everything is
>>>  accessed via https://). Two different login options are given
>>> to the user: username/password or client certificate
>>> authentication. We employ application-managed security as
>>> opposed to container-managed (i.e. we don't use realms). I have
>>> the following connector in my server.xml:
>> 
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
>>> maxThreads="150" scheme="https" secure="true" 
>>> keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit"
>>>  truststoreFile="d:\certs\truststore.jks"
>>> truststorePass="changeit" clientAuth="true" sslProtocol="TLS"
>>> />
>> 
>> 
>>> This forces mutual authentication on anything I try to access 
>>> using https. How can I configure tomcat so that only specific
>>> links (a specific struts action for example) would require
>>> mutual authentication or how can I exclude from the mutual 
>>> authentication.
>> 
>> I think what you want is clientAuth="want" and then you can
>> maybe write a Filter that requires certain SSL certificate
>> features in order to pass-through. Then, just map your Filter to
>> those areas that require (additional?) SSL authentication.
> 
> Is this a variation on the SSLFormFallback thing again?

It's tough to tell. At any rate, here's the link for the OP:
http://wiki.apache.org/tomcat/SSLWithFORMFallback

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk85f0cACgkQ9CaO5/Lv0PCGswCfQYAJWL099gO+Qe7/Q7nrKtrl
GJUAni7zQNZyWjonMnygEmCraQXsGf/+
=XBwa
-----END PGP SIGNATURE-----



Re: controlling Server Authentication only vs Mutual authentication

Posted by Pid <pi...@pidster.com>.
On 13/02/2012 17:42, Christopher Schultz wrote:
> Sanjeev,
> 
> On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
>> I work on a Java web-app running on Tomcat 7. The entire 
>> application is required to be doing SSL on port 443 (everything is 
>> accessed via https://). Two different login options are given to
>> the user: username/password or client certificate authentication.
>> We employ application-managed security as opposed to
>> container-managed (i.e. we don't use realms). I have the following
>> connector in my server.xml:
> 
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
>> maxThreads="150" scheme="https" secure="true" 
>> keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit" 
>> truststoreFile="d:\certs\truststore.jks" truststorePass="changeit" 
>> clientAuth="true" sslProtocol="TLS" />
> 
> 
>> This forces mutual authentication on anything I try to access
>> using https. How can I configure tomcat so that only specific links
>> (a specific struts action for example) would require mutual
>> authentication or how can I exclude from the mutual
>> authentication.
> 
> I think what you want is clientAuth="want" and then you can maybe
> write a Filter that requires certain SSL certificate features in order
> to pass-through. Then, just map your Filter to those areas that
> require (additional?) SSL authentication.

Is this a variation on the SSLFormFallback thing again?


p



-- 

[key:62590808]


Re: controlling Server Authentication only vs Mutual authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sanjeev,

On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
> I work on a Java web-app running on Tomcat 7. The entire 
> application is required to be doing SSL on port 443 (everything is 
> accessed via https://). Two different login options are given to
> the user: username/password or client certificate authentication.
> We employ application-managed security as opposed to
> container-managed (i.e. we don't use realms). I have the following
> connector in my server.xml:
> 
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
> maxThreads="150" scheme="https" secure="true" 
> keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit" 
> truststoreFile="d:\certs\truststore.jks" truststorePass="changeit" 
> clientAuth="true" sslProtocol="TLS" />
> 
> 
> This forces mutual authentication on anything I try to access
> using https. How can I configure tomcat so that only specific links
> (a specific struts action for example) would require mutual
> authentication or how can I exclude from the mutual
> authentication.

I think what you want is clientAuth="want" and then you can maybe
write a Filter that requires certain SSL certificate features in order
to pass-through. Then, just map your Filter to those areas that
require (additional?) SSL authentication.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk85S5YACgkQ9CaO5/Lv0PBjvACgsBRoSZItgNLAHitL26tRiyZi
kpwAoLZaJwAdka0o3OgkdcEgUyBYjpHm
=FfBJ
-----END PGP SIGNATURE-----

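The Filter approach Chris sketches above (clientAuth="want" on the connector, with the webapp deciding per URL whether a certificate is mandatory), and the "sniff the certificate at some point and perform a redirect" variant from his later reply, as an added example. This is not code from the thread or from Tomcat; it targets the Servlet 3.0 API that Tomcat 7 ships. The class name RequireClientCertFilter, the init-params requiredIssuer and fallbackUrl, and the request attribute clientCertSubject are assumptions of this example; the attribute javax.servlet.request.X509Certificate is the standard one the container populates from the TLS session.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Enforces "a client certificate was presented" for the URLs this filter is mapped to.
 * Assumes clientAuth="want" on the connector: the TLS handshake then completes with or
 * without a certificate, and if one was sent Tomcat has already validated its chain
 * against truststoreFile. This filter only decides what to do when none was sent.
 * (Example code; class and parameter names are assumptions, not part of the thread.)
 */
public class RequireClientCertFilter implements Filter {

    // Standard servlet attribute; null on a "want" connector when no cert was presented.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private String requiredIssuer;   // hypothetical init-param: issuer DN to insist on, or null
    private String fallbackUrl;      // hypothetical init-param: where to send cert-less requests

    @Override
    public void init(FilterConfig config) {
        requiredIssuer = config.getInitParameter("requiredIssuer");
        fallbackUrl = config.getInitParameter("fallbackUrl");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] presented = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        X509Certificate leaf = acceptedLeaf(presented, requiredIssuer);

        if (leaf == null) {
            if (fallbackUrl != null) {
                // Chris's redirect variant: e.g. the password login page, or a host whose
                // connector has clientAuth="true" so the browser is forced to send a cert.
                response.sendRedirect(fallbackUrl);
            } else {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            }
            return;
        }

        // Application-managed security: hand the authenticated subject to the app. The cert
        // is bound to the TLS connection, not to the HttpSession, so bind it yourself if needed.
        request.setAttribute("clientCertSubject", leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    /** Returns the end-entity cert if one was presented and passes the local policy, else null. */
    static X509Certificate acceptedLeaf(X509Certificate[] certs, String requiredIssuer) {
        if (certs == null || certs.length == 0) {
            return null;                       // handshake completed without a client cert
        }
        X509Certificate leaf = certs[0];       // element 0 is the client's own certificate
        try {
            leaf.checkValidity();              // defence in depth; the connector checked this too
        } catch (CertificateException e) {
            return null;
        }
        if (requiredIssuer != null
                && !requiredIssuer.equals(leaf.getIssuerX500Principal().getName())) {
            return null;                       // trusted by the truststore, but not the CA we want here
        }
        return leaf;
    }

    @Override
    public void destroy() {
    }
}
```

Map it in web.xml with a filter-mapping whose url-pattern covers only the Struts actions that need mutual authentication; everything else stays server-authenticated only. One caveat on "want": with that setting Tomcat still sends a CertificateRequest during the handshake, so a browser that holds a certificate issued by one of the CAs in truststoreFile may prompt the user on the first connection; what "want" changes is that the handshake no longer fails when the browser sends nothing, which is exactly what lets this filter make the decision per URL instead of per connector.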


RE: controlling Server Authentication only vs Mutual authentication

Posted by Sanjeev Sharma <sa...@buchanan-edwards.com>.
Found a solution to this.  In case anyone is interested, I gave my server two IP addresses and used two connectors with the two IP addresses in the "address=" field of the connectors.  I set one of them to clientAuth="true" and the other to clientAuth="false".  I do have to do a "redirect" from one to the other when I would've preferred to "forward", but otherwise this solution works.

-----Original Message-----
From: Sanjeev Sharma [mailto:sanjeev.sharma@buchanan-edwards.com] 
Sent: Thursday, February 09, 2012 11:18 AM
To: Tomcat Users List
Subject: controlling Server Authentication only vs Mutual authentication

Hi,

I work on a Java web-app running on Tomcat 7.  The entire application is required to be doing SSL on port 443 (everything is accessed via https://).  Two different login options are given to the user: username/password or client certificate authentication.  We employ application-managed security as opposed to container-managed (i.e. we don't use realms).  I have the following connector in my server.xml:

<Connector port="443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="d:\certs\server_cert.jks"
           keystorePass="changeit"
           truststoreFile="d:\certs\truststore.jks"
           truststorePass="changeit"
           clientAuth="true"
           sslProtocol="TLS" />


This forces mutual authentication on anything I try to access using https.  How can I configure Tomcat so that only specific links (a specific Struts action, for example) would require mutual authentication, or how can I exclude them from the mutual authentication?

Thanks,
Sanjeev.
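The two-connector layout Sanjeev settled on, written out as an added example next to the original single connector above. This is not his server.xml; the addresses 192.0.2.10 and 192.0.2.11 are placeholders from the RFC 5737 documentation range, and the keystore paths and passwords are simply carried over from his post.

```xml
<!-- Connector A: server authentication only. Password login and all
     ordinary pages are served here. The truststore is irrelevant with
     clientAuth="false", so it is omitted. -->
<Connector port="443" address="192.0.2.10"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="d:\certs\server_cert.jks"
           keystorePass="changeit"
           clientAuth="false"
           sslProtocol="TLS" />

<!-- Connector B: mutual authentication. The handshake itself fails if the
     browser cannot present a certificate chaining to truststore.jks, so the
     webapp never sees an unauthenticated request on this address. -->
<Connector port="443" address="192.0.2.11"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="d:\certs\server_cert.jks"
           keystorePass="changeit"
           truststoreFile="d:\certs\truststore.jks"
           truststorePass="changeit"
           clientAuth="true"
           sslProtocol="TLS" />
```

Two things to check before relying on this. The redirect from A to B has to name a different hostname (same port, different IP), so the server certificate in server_cert.jks must be valid for both names, or you get a certificate warning on the mutual-auth side; the same-IP, different-port variant Chris mentioned avoids that but exposes a non-standard port. And because cookies are scoped to the host, the JSESSIONID issued on the A hostname is not sent to the B hostname, so the application has to re-establish its own session after the redirect rather than expecting a forward-style continuation.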