You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Sanjeev Sharma <sa...@buchanan-edwards.com> on 2012/02/09 17:17:38 UTC
controlling Server Authentication only vs Mutual authentication
Hi,
I work on an java web-app running on Tomcat 7. The entire application is required be doing SSL on port 443 (everything is accessed via https://). Two different login options are given to the user : username/password or client certificate authentication. We employ application-managed security as opposed to contain-manage (i.e. we don't use realms). I have the following connector in my server.xml :
<Connector port="443"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keystoreFile="d:\certs\server_cert.jks"
keystorePass="changeit"
truststoreFile="d:\certs\truststore.jks"
truststorePass="changeit"
clientAuth="true"
sslProtocol="TLS" />
This forces mutual authentication on anything I try to access using https. How can I configure tomcat so that only specific links (a specific struts action for example) would require mutual authentication or how can I exclude from the mutual authentication.
Thanks,
Sanjeev.
RE: controlling Server Authentication only vs Mutual authentication
Posted by Sanjeev Sharma <sa...@buchanan-edwards.com>.
That's what I thought. Thanks anyway. This is good information!
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Tuesday, February 14, 2012 11:50 AM
To: Tomcat Users List
Subject: Re: controlling Server Authentication only vs Mutual authentication
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sanjeev,
On 2/13/12 11:01 PM, Sanjeev Sharma wrote:
> Thanks for your reply. If I set clientAuth="want" will it not ask
> me for a certificate every time I create a new session?
It will not ask for a certificate, but if you provide one, then it will
be used.
> And if I'm forwarding (or redirecting) from a page that only
> requires straight SSL with server authentication to one which
> requires mutual authentication, will it force the browser to prompt
> for a client certificate?
This won't work with forwarding, because that's all done after the
Connector has performed the SSL negotiation: if you want to change the
SSL rules, you'll have to perform a redirect to a location that
requires SSL. Or, I suppose, you could sniff the certificate at some
point and perform a redirect if you needed the certificate.
Cert negotiation is done at the SSL level (before your code even knows
there is a request) and I don't believe the webapp itself can tell
Tomcat how to respond because it's too late.
If you redirect to a place that requires a client certificate, then
the certificate will be requested. I'm fairly sure that means you'll
have to use a different port number or IP address, since you can't
have two different settings for "clientAuth" on a single connector:
you'll need two (or more).
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk86kLsACgkQ9CaO5/Lv0PBprgCgurJCNmUu4PnunjGRCQCP7b0C
PD4An2hUad5YMctmWAR+h6vpGjxpTeql
=rzrP
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: controlling Server Authentication only vs Mutual authentication
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sanjeev,
On 2/13/12 11:01 PM, Sanjeev Sharma wrote:
> Thanks for your reply. If I set clientAuth="want" will it not ask
> me for a certificate every time I create a new session?
It will not ask for a certificate, but if you provide one, then it will
be used.
> And if I'm forwarding (or redirecting) from a page that only
> requires straight SSL with server authentication to one which
> requires mutual authentication, will it force the browser to prompt
> for a client certificate?
This won't work with forwarding, because that's all done after the
Connector has performed the SSL negotiation: if you want to change the
SSL rules, you'll have to perform a redirect to a location that
requires SSL. Or, I suppose, you could sniff the certificate at some
point and perform a redirect if you needed the certificate.
Cert negotiation is done at the SSL level (before your code even knows
there is a request) and I don't believe the webapp itself can tell
Tomcat how to respond because it's too late.
If you redirect to a place that requires a client certificate, then
the certificate will be requested. I'm fairly sure that means you'll
have to use a different port number or IP address, since you can't
have two different settings for "clientAuth" on a single connector:
you'll need two (or more).
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk86kLsACgkQ9CaO5/Lv0PBprgCgurJCNmUu4PnunjGRCQCP7b0C
PD4An2hUad5YMctmWAR+h6vpGjxpTeql
=rzrP
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: controlling Server Authentication only vs Mutual authentication
Posted by Sanjeev Sharma <sa...@buchanan-edwards.com>.
Christopher/Pid,
Thanks for your reply. If I set clientAuth="want" will it not ask me for a certificate every time I create a new session? And if I'm forwarding (or redirecting) from a page that only requires straight SSL with server authentication to one which requires mutual authentication, will it force the browser to prompt for a client certificate?
Sanjeev.
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Monday, February 13, 2012 4:23 PM
To: Tomcat Users List
Subject: Re: controlling Server Authentication only vs Mutual authentication
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Pid,
On 2/13/12 3:39 PM, Pid wrote:
> On 13/02/2012 17:42, Christopher Schultz wrote:
>> Sanjeev,
>>
>> On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
>>> I work on an java web-app running on Tomcat 7. The entire
>>> application is required be doing SSL on port 443 (everything is
>>> accessed via https://). Two different login options are given
>>> to the user : username/password or client certificate
>>> authentication. We employ application-managed security as
>>> opposed to contain-manage (i.e. we don't use realms). I have
>>> the following connector in my server.xml:
>>
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>> maxThreads="150" scheme="https" secure="true"
>>> keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit"
>>> truststoreFile="d:\certs\truststore.jks"
>>> truststorePass="changeit" clientAuth="true" sslProtocol="TLS"
>>> />
>>
>>
>>> This forces mutual authentication on anything I try to access
>>> using https. How can I configure tomcat so that only specific
>>> links (a specific struts action for example) would require
>>> mutual authentication or how can I exclude from the mutual
>>> authentication.
>>
>> I think what you want is clientAuth="want" and then you can
>> maybe write a Filter that requires certain SSL certificate
>> features in order to pass-through. Then, just map your Filter to
>> those areas that require (additional?) SSL authentication.
>
> Is this a variation on the SSLFormFallback thing again?
It's tough to tell. At any rate, here's the link for the OP:
http://wiki.apache.org/tomcat/SSLWithFORMFallback
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk85f0cACgkQ9CaO5/Lv0PCGswCfQYAJWL099gO+Qe7/Q7nrKtrl
GJUAni7zQNZyWjonMnygEmCraQXsGf/+
=XBwa
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: controlling Server Authentication only vs Mutual authentication
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Pid,
On 2/13/12 3:39 PM, Pid wrote:
> On 13/02/2012 17:42, Christopher Schultz wrote:
>> Sanjeev,
>>
>> On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
>>> I work on an java web-app running on Tomcat 7. The entire
>>> application is required be doing SSL on port 443 (everything is
>>> accessed via https://). Two different login options are given
>>> to the user : username/password or client certificate
>>> authentication. We employ application-managed security as
>>> opposed to contain-manage (i.e. we don't use realms). I have
>>> the following connector in my server.xml:
>>
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>> maxThreads="150" scheme="https" secure="true"
>>> keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit"
>>> truststoreFile="d:\certs\truststore.jks"
>>> truststorePass="changeit" clientAuth="true" sslProtocol="TLS"
>>> />
>>
>>
>>> This forces mutual authentication on anything I try to access
>>> using https. How can I configure tomcat so that only specific
>>> links (a specific struts action for example) would require
>>> mutual authentication or how can I exclude from the mutual
>>> authentication.
>>
>> I think what you want is clientAuth="want" and then you can
>> maybe write a Filter that requires certain SSL certificate
>> features in order to pass-through. Then, just map your Filter to
>> those areas that require (additional?) SSL authentication.
>
> Is this a variation on the SSLFormFallback thing again?
It's tough to tell. At any rate, here's the link for the OP:
http://wiki.apache.org/tomcat/SSLWithFORMFallback
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk85f0cACgkQ9CaO5/Lv0PCGswCfQYAJWL099gO+Qe7/Q7nrKtrl
GJUAni7zQNZyWjonMnygEmCraQXsGf/+
=XBwa
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: controlling Server Authentication only vs Mutual authentication
Posted by Pid <pi...@pidster.com>.
On 13/02/2012 17:42, Christopher Schultz wrote:
> Sanjeev,
>
> On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
>> I work on an java web-app running on Tomcat 7. The entire
>> application is required be doing SSL on port 443 (everything is
>> accessed via https://). Two different login options are given to
>> the user : username/password or client certificate authentication.
>> We employ application-managed security as opposed to
>> contain-manage (i.e. we don't use realms). I have the following
>> connector in my server.xml:
>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit"
>> truststoreFile="d:\certs\truststore.jks" truststorePass="changeit"
>> clientAuth="true" sslProtocol="TLS" />
>
>
>> This forces mutual authentication on anything I try to access
>> using https. How can I configure tomcat so that only specific links
>> (a specific struts action for example) would require mutual
>> authentication or how can I exclude from the mutual
>> authentication.
>
> I think what you want is clientAuth="want" and then you can maybe
> write a Filter that requires certain SSL certificate features in order
> to pass-through. Then, just map your Filter to those areas that
> require (additional?) SSL authentication.
Is this a variation on the SSLFormFallback thing again?
p
--
[key:62590808]
Re: controlling Server Authentication only vs Mutual authentication
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sanjeev,
On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
> I work on an java web-app running on Tomcat 7. The entire
> application is required be doing SSL on port 443 (everything is
> accessed via https://). Two different login options are given to
> the user : username/password or client certificate authentication.
> We employ application-managed security as opposed to
> contain-manage (i.e. we don't use realms). I have the following
> connector in my server.xml:
>
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit"
> truststoreFile="d:\certs\truststore.jks" truststorePass="changeit"
> clientAuth="true" sslProtocol="TLS" />
>
>
> This forces mutual authentication on anything I try to access
> using https. How can I configure tomcat so that only specific links
> (a specific struts action for example) would require mutual
> authentication or how can I exclude from the mutual
> authentication.
I think what you want is clientAuth="want" and then you can maybe
write a Filter that requires certain SSL certificate features in order
to pass-through. Then, just map your Filter to those areas that
require (additional?) SSL authentication.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk85S5YACgkQ9CaO5/Lv0PBjvACgsBRoSZItgNLAHitL26tRiyZi
kpwAoLZaJwAdka0o3OgkdcEgUyBYjpHm
=FfBJ
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: controlling Server Authentication only vs Mutual authentication
Posted by Sanjeev Sharma <sa...@buchanan-edwards.com>.
Found a solution to this. In case anyone is interested in, I gave my server two IP addresses and used two connectors with the two IP address in the "address=" field of the connectors. I set one of them to "clientAuth="true" and the other "clientAuth=false". I do have to do a "redirect" from one to the other when I would've preferred to "forward", but otherwise this solution works.
-----Original Message-----
From: Sanjeev Sharma [mailto:sanjeev.sharma@buchanan-edwards.com]
Sent: Thursday, February 09, 2012 11:18 AM
To: Tomcat Users List
Subject: controlling Server Authentication only vs Mutual authentication
Hi,
I work on an java web-app running on Tomcat 7. The entire application is required be doing SSL on port 443 (everything is accessed via https://). Two different login options are given to the user : username/password or client certificate authentication. We employ application-managed security as opposed to contain-manage (i.e. we don't use realms). I have the following connector in my server.xml :
<Connector port="443"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keystoreFile="d:\certs\server_cert.jks"
keystorePass="changeit"
truststoreFile="d:\certs\truststore.jks"
truststorePass="changeit"
clientAuth="true"
sslProtocol="TLS" />
This forces mutual authentication on anything I try to access using https. How can I configure tomcat so that only specific links (a specific struts action for example) would require mutual authentication or how can I exclude from the mutual authentication.
Thanks,
Sanjeev.