Posted to users@tomcat.apache.org by Dave Breeze <da...@gmail.com> on 2023/02/01 11:17:12 UTC

Re: Tomcat client certificate authentication

Chris,
thanks for your mail.
Apologies for the confusion. Yes, I am requesting certificates
- sslCon.setProperty("clientAuth", "required") and a user can only connect
by supplying a valid certificate.

I removed constraints from the web.xml as I did not want access to a
servlet restricted to a role - I need the servlet to respond
differently based on role. What I have decided to do in the servlet is to
retrieve the user-id from the certificate and determine their role by using
a security product native to the platform on which Tomcat is running.

Thanks for your help.

Dave Breeze
LinkedIn: https://uk.linkedin.com/in/dabreeze


On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Dave,
>
> On 1/30/23 04:21, Dave Breeze wrote:
> > Thanks Chris
> > the application is requesting certificate authentication - and this is
> > working - it is just the mapping of users to roles that is not
> > happening
>
> No, the server is requesting the certificate information; the
> application is not. From your original posting:
>
>
> On 1/28/23 09:28, Dave Breeze wrote:
>  > There are no security constraints on the app's web.xml.
>
> With no security constraints, the application is not requesting
> authentication. Tomcat therefore does not provide any "authentication
> information" to the application. If the client sends a certificate
> (which is happening at the request of the /server/), then Tomcat will
> forward that certificate information to the application. But it will not
> use it for any kind of authentication or authorization.
>
> > I implemented an org.apache.catalina.realm.X509UsernameRetriever and
> > configured using X509UsernameRetrieverClassName but it was never
> > called. In my servlet, however, I can retrieve the certificates.
>
> That's consistent with your configuration IMO.
>
> You will have to tell your application to use CLIENT-CERT authentication
> if you want Tomcat to parse that cert chain for you, populate the user
> principal, etc.
>
> -chris
>
> > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
> > <ch...@christopherschultz.net> wrote:
> >>
> >> Dave,
> >>
> >> On 1/28/23 09:28, Dave Breeze wrote:
> >>> This is Tomcat 9.0 running embedded.
> >>>
> >>> I am trying to authorize access by client certificate. I want the
> >>> servlet response to be tailored to the user's role. In other words I
> >>> am not looking to deny access by role.
> >>>
> >>> The connector has sslCon.setProperty("clientAuth", "required");
> >>> The context has a config file set
> serverAppContext.setConfigFile(contextURL);
> >>> The config file contains
> >>>
> >>> <?xml version="1.0" encoding="UTF-8"?>
> >>> <Context>
> >>>     <Realm className="org.apache.catalina.realm.MemoryRealm"
> >>>            debug="9"
> >>>            pathname="/var/CartS3Server/cartapp/users.xml"/>
> >>> </Context>
> >>>
> >>> users.xml contains
> >>>
> >>> <?xml version='1.0' encoding='utf-8'?>
> >>> <tomcat-users>
> >>>     <role rolename="cart-admin"/>
> >>>     <role rolename="cart-user"/>
> >>>     <user username="CN=TTSDB1,OU=CART,O=CART" password=""
> roles="cart-user"/>
> >>>     <user username="CN=TTSDB2,OU=CART,O=CART" password=""
> roles="cart-admin"/>
> >>> </tomcat-users>
> >>>
> >>>
> >>> Certificates are imported into the browser and the browser prompts for
> >>> cert selection.
> >>>
> >>> There are no security constraints on the app's web.xml.
> >>>
> >>> In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> >>> This always fails. Also a req.getUserPrincipal() call always returns
> >>> null. The request does not seem to be authenticated.
> >>>
> >>> Further in the servlet a X509Certificate[] certs = (X509Certificate[])
> >>> req.getAttribute("javax.servlet.request.X509Certificate") correctly
> >>> returns both the certificate from the browser plus the Cert Auth. A
> >>> getSubjectX500Principal().getName() call on the browser certificate
> >>> returns the cn/o/ou setting that should match with users.xml.
> >>>
> >>> What am I missing here?
> >>
> >> If the application does not request authentication, Tomcat will not
> >> perform it on behalf of the application. If you want a Principal and to
> >> be able to check roles, etc. then you'll need to request CLIENT-CERT
> >> authentication in web.xml (or the embedded equivalent).
> >>
> >> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Tomcat client certificate authentication

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Dave,

> -----Original Message-----
> From: Dave Breeze <da...@gmail.com>
> Sent: Wednesday, 1 February 2023 12:17
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Tomcat client certificate authentication
> 
> Chris,
> thanks for your mail.
> Apologies for the confusion. Yes, I am requesting certificates
> - sslCon.setProperty("clientAuth", "required") and a user can only connect by
> supplying a valid certificate.
> 
> I removed constraints from the web.xml as I did not want access to a servlet
> restricted to a role - I need the servlet to respond differently based on role.
> What I have decided to do in the servlet is to retrieve the user-id from the
> certificate and determine their role by using a security product native to the
> platform on which Tomcat is running.
> 
> Thanks for your help.
> 
> Dave Breeze
> LinkedIn: https://uk.linkedin.com/in/dabreeze
> 

I think you need constraints in your web.xml. Otherwise Tomcat won't ask for authentication.
Something like:

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>protected area</web-resource-name>
             <url-pattern>/*</url-pattern>
         </web-resource-collection>

         <auth-constraint>
             <role-name>my-role</role-name>
         </auth-constraint>

         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
     </security-constraint>

     <security-role>
         <role-name>my-role</role-name>
     </security-role>

Otherwise the user is treated as an anonymous user without any identity.

Greetings, Thomas


Re: Tomcat client certificate authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Dave,

On 2/1/23 06:17, Dave Breeze wrote:
> Chris,
> thanks for your mail.
> Apologies for the confusion. Yes, I am requesting certificates
> - sslCon.setProperty("clientAuth", "required") and a user can only connect
> by supplying a valid certificate.
> 
> I removed constraints from the web.xml as I did not want access to a
> servlet restricted to a role - I need the servlet to respond
> differently based on role.

You can set the role in your security-constraint to '*' which means "any 
authenticated user regardless of role."

> What I have decided to do in the servlet is to retrieve the user-id 
> from the certificate and determine their role by using a security
> product native to the platform on which Tomcat is running.

Hope that helps,
-chris
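
The embedded equivalent of the web.xml security-constraint Thomas shows, combined with the "*" role Chris mentions and the CLIENT-CERT login-config the thread says is missing, as an added example that is not code from the thread or from the Tomcat project; the ClientCertSetup class name is hypothetical, and it assumes the Tomcat 9 embedded API (org.apache.catalina.Context and the org.apache.tomcat.util.descriptor.web classes).

```java
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;

// Hypothetical helper: applies, to an embedded Context, what the thread's
// web.xml would declare. The Connector still needs clientAuth="required"
// (as in the thread); this only tells the *application* to authenticate.
public final class ClientCertSetup {

    // Role names taken from the thread's users.xml.
    private static final String[] ROLES = {"cart-admin", "cart-user"};

    public static void configure(Context ctx) {
        // 1. <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
        //    Without this the realm is never consulted, so getUserPrincipal()
        //    stays null and isUserInRole() always returns false.
        LoginConfig login = new LoginConfig();
        login.setAuthMethod("CLIENT-CERT");
        ctx.setLoginConfig(login);

        // 2. <security-role> entries for every role the servlet will test.
        for (String role : ROLES) {
            ctx.addSecurityRole(role);
        }

        // 3. <security-constraint> over /* with <role-name>*</role-name>:
        //    any authenticated user gets in, so the servlet can branch on
        //    role instead of denying access by role.
        SecurityCollection all = new SecurityCollection();
        all.setName("protected area");
        all.addPattern("/*");

        SecurityConstraint constraint = new SecurityConstraint();
        constraint.addCollection(all);
        constraint.addAuthRole("*");          // "*" = any authenticated role
        constraint.setAuthConstraint(true);
        constraint.setUserConstraint("CONFIDENTIAL"); // TLS only
        ctx.addConstraint(constraint);
    }

    private ClientCertSetup() { }
}
```

Call `ClientCertSetup.configure(serverAppContext)` before `tomcat.start()`; the MemoryRealm then matches the client certificate's subject DN (as `getSubjectX500Principal().getName()` renders it) against the `username` values in users.xml.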
