Posted to users@tomcat.apache.org by Kannan J <ka...@yahoo.co.in> on 2011/02/03 20:20:07 UTC

CLIENT-CERT configuration doesn't work for servlet.

In the web.xml of a war file I'm forcing SSL to be used for a particular servlet. Tomcat has been configured for client authentication.
<!-- Force SSL for entire site -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>RUSA Authentication</web-resource-name>
        <url-pattern>/ClientCertSignServlet</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
 
When I try to access the servlet (using an http URL), it immediately returns 302 permanently moved. It is supposed to ask the user to choose a certificate from the list of available certificates in the browser cert store and use it for client authentication. How do I get it working?
 
Thanks
Kannan 


Re: CLIENT-CERT configuration doesn't work for servlet.

Posted by Kannan J <ka...@yahoo.co.in>.
> You have http://host/ClientCertSignServlet configured to redirect to
> https://host/ClientCertSignServlet due to the <transport-guarantee>. Did
> you expect some other response than 302?
 
When I enable client authentication on Tomcat, I'm not able to open the https URL; it says "page cannot be displayed". I can't find what status code it is, as it is all encrypted on the network, but I could see that some step of the handshake had been attempted, and I see a list of CA (Certifying Authority) names among the encrypted junk of text. These CA names are those configured as "Intermediate Certifying Authorities" in the browser cert store. I'm not sure why these are required to be sent on the network; I thought the browser should send the certificate from the "Personal Certificate" store, as this is the keystore of the browser (whose issuing CA I have added to the truststore on Tomcat), but it does not seem to be sending the personal certificate.
 
thanks
Kannan


--- On Fri, 4/2/11, Christopher Schultz <ch...@christopherschultz.net> wrote:


From: Christopher Schultz <ch...@christopherschultz.net>
Subject: Re: CLIENT-CERT configuration doesn't work for servlet.
To: "Tomcat Users List" <us...@tomcat.apache.org>
Date: Friday, 4 February, 2011, 1:54 AM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kannan,

On 2/3/2011 2:20 PM, Kannan J wrote:
> In web.xml of a war file I’m forcing ssl to be used for a particular
> servlet. Tomcat has been configured for client authentication.
>
> <!-- Force SSL for entire site -->
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>RUSA Authentication</web-resource-name>
>     <url-pattern>/ClientCertSignServlet</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>  
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>   <realm-name>Client Cert Users-only Area</realm-name>
> </login-config>
>  
> When I try to access the servlet (using http url) , it immediately
> returns 302 permanently moved. It is supposed to ask the user to choose
> a certificate from the list of available certificates in the browser
> cert store and use it for client authentication. How to get it working?

You have http://host/ClientCertSignServlet configured to redirect to
https://host/ClientCertSignServlet due to the <transport-guarantee>. Did
you expect some other response than 302?

SSL client certificates can't be negotiated over HTTP... you need HTTPS.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1LDukACgkQ9CaO5/Lv0PBaXwCfdbp5epSvyjuwRRRd4fgZh2Kr
YdUAoKOcGe15s0Q+2UccCQpoNCz55Z3Q
=mGdv
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
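
The CA names seen in the handshake above are the certificate_authorities list of the server's CertificateRequest message (TLS 1.2, RFC 5246 section 7.4.4). The server, not the browser, fills that list: with JSSE it is the set of accepted issuers in Tomcat's truststore, and the browser then offers only personal certificates whose chain leads to one of the listed names (RFC 5246 section 7.4.6). The script below is an added example, not code from this thread or from Tomcat: it builds such a message from two made-up CA names, decodes it the way a packet dissector would, and applies that selection rule to a constructed "Personal" store. The DER helpers cover only the X.501 Name shapes the example needs, and the sample names, certificate entries and signature algorithms are all constructed for illustration.

```python
"""Added example (not from the thread, not Tomcat code): decode the CA list a
TLS 1.2 server sends in its CertificateRequest and work out which personal
certificates a browser would offer against it. All inputs are constructed."""
import struct

# --- minimal DER helpers (only what an X.501 Name needs) ---------------------
def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV, using short-form or long-form length as required."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def der_read(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long form: n & 0x7F length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "C": b"\x55\x04\x06"}
OID_NAMES = {v: k for k, v in OIDS.items()}

def encode_name(rdns) -> bytes:
    """Encode [('O', 'Example'), ('CN', 'Test CA')] as a DER Name (one AVA per RDN, UTF8String values)."""
    sets = b""
    for attr, value in rdns:
        ava = der(0x30, der(0x06, OIDS[attr]) + der(0x0C, value.encode()))
        sets += der(0x31, ava)         # SET OF AttributeTypeAndValue
    return der(0x30, sets)             # SEQUENCE OF RelativeDistinguishedName

def decode_name(name_der: bytes) -> str:
    """Render a DER Name as 'O=Example, CN=Test CA' in encoded order."""
    _, seq, _ = der_read(name_der, 0)
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = der_read(seq, pos)       # SET
        _, ava, _ = der_read(rdn, 0)           # SEQUENCE { OID, value }
        _, oid, p = der_read(ava, 0)
        _, val, _ = der_read(ava, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ", ".join(parts)

# --- TLS 1.2 CertificateRequest (handshake type 13) ------------------------
def build_certificate_request(ca_names) -> bytes:
    cert_types = b"\x01\x40"                              # rsa_sign, ecdsa_sign
    sig_algs = b"\x04\x01\x05\x01\x06\x01\x04\x03"        # sha256/384/512+RSA, sha256+ECDSA (constructed)
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)
    return b"\x0d" + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg: bytes) -> dict:
    """Split a CertificateRequest into its three vectors; CA names come back as readable DNs."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    n, pos = body[0], 1
    cert_types, pos = list(body[pos:pos + n]), pos + n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    sig_algs, pos = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)], pos + n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    cas, end = [], pos + n
    while pos < end:
        dn_len, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
        cas.append(decode_name(body[pos:pos + dn_len]))
        pos += dn_len
    return {"cert_types": cert_types, "sig_algs": sig_algs, "cas": cas}

def offerable_certs(personal_certs, acceptable_cas):
    """RFC 5246 7.4.6: with a non-empty CA list, offer only certs whose chain
    includes a listed issuer; with an empty list, any certificate may be sent."""
    if not acceptable_cas:
        return [c["subject"] for c in personal_certs]
    return [c["subject"] for c in personal_certs
            if any(issuer in acceptable_cas for issuer in c["issuer_chain"])]

# Constructed sample: what a server whose truststore holds two CAs would send.
SAMPLE_TRUSTSTORE_CAS = [encode_name([("O", "Example Corp"), ("CN", "Example Corp Root CA")]),
                         encode_name([("O", "Example Corp"), ("CN", "Example Corp Issuing CA")])]
SAMPLE_REQUEST = build_certificate_request(SAMPLE_TRUSTSTORE_CAS)

# Constructed browser "Personal" store: one cert chains to the listed CAs, one does not.
PERSONAL = [
    {"subject": "CN=kannan", "issuer_chain": ["O=Example Corp, CN=Example Corp Issuing CA",
                                              "O=Example Corp, CN=Example Corp Root CA"]},
    {"subject": "CN=other-user", "issuer_chain": ["O=Other Org, CN=Other Org CA"]},
]

def diagnose(msg: bytes = SAMPLE_REQUEST, personal=PERSONAL):
    """Which personal certificates the browser would offer for this CertificateRequest."""
    return offerable_certs(personal, parse_certificate_request(msg)["cas"])

if __name__ == "__main__":
    req = parse_certificate_request(SAMPLE_REQUEST)
    print("Server accepts certificates issued by:", *req["cas"], sep="\n  ")
    print("Browser would offer:", diagnose())
```

If the issuer of the personal certificate does not appear in the decoded list, the fix is on the server side (the CA is missing from the truststore Tomcat's connector points at), not in the browser's store; the list itself is sent in the clear in TLS 1.2, which is why the names were readable in the capture.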




Re: CLIENT-CERT configuration doesn't work for servlet.

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kannan,

On 2/3/2011 2:20 PM, Kannan J wrote:
> In web.xml of a war file I’m forcing ssl to be used for a particular
> servlet. Tomcat has been configured for client authentication.
>
> <!-- Force SSL for entire site -->
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>RUSA Authentication</web-resource-name>
>     <url-pattern>/ClientCertSignServlet</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>  
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>   <realm-name>Client Cert Users-only Area</realm-name>
> </login-config>
>  
> When I try to access the servlet (using http url) , it immediately
> returns 302 permanently moved. It is supposed to ask the user to choose
> a certificate from the list of available certificates in the browser
> cert store and use it for client authentication. How to get it working?

You have http://host/ClientCertSignServlet configured to redirect to
https://host/ClientCertSignServlet due to the <transport-guarantee>. Did
you expect some other response than 302?

SSL client certificates can't be negotiated over HTTP... you need HTTPS.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1LDukACgkQ9CaO5/Lv0PBaXwCfdbp5epSvyjuwRRRd4fgZh2Kr
YdUAoKOcGe15s0Q+2UccCQpoNCz55Z3Q
=mGdv
-----END PGP SIGNATURE-----
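
The sequence Chris describes (redirect first, certificate exchange only inside the TLS handshake) can be traced with a small model of how a container applies the quoted web.xml. The script below is an added example, not Tomcat's code: its first <security-constraint> is the one quoted in the thread, the second one (a /secure/* path with an <auth-constraint>) and the request dicts are constructed, and the status codes are the modelled outcomes rather than a claim about Tomcat's exact responses. It also shows a point worth checking in the quoted configuration: under the Servlet spec the container's CLIENT-CERT authenticator only runs for resources that carry an <auth-constraint>, so a constraint with only a <user-data-constraint> enforces HTTPS but never asks the container to authenticate the caller.

```python
"""Added example (not Tomcat code): model a container's handling of a request
against the web.xml from this thread. Shows that an http:// request is
redirected before any certificate exchange can happen, and that only a
constraint with an <auth-constraint> triggers CLIENT-CERT authentication."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>RUSA Authentication</web-resource-name>
      <url-pattern>/ClientCertSignServlet</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- constructed for the example: a path that also requires a role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Signing (role-protected)</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>signer</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
  </login-config>
</web-app>"""

def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec style matching: exact, path prefix '/x/*', extension '*.ext', or default '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"

def matching_constraints(root, path: str):
    """Yield every <security-constraint> whose url-patterns cover the request path."""
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        if any(url_pattern_matches(p, path) for p in patterns):
            yield sc

def handle(request: dict, xml_text: str = WEB_XML):
    """request = {'scheme', 'host', 'path', 'client_cert'}; returns (status, detail)."""
    root = ET.fromstring(xml_text)
    hits = list(matching_constraints(root, request["path"]))
    # 1. user-data-constraint: CONFIDENTIAL/INTEGRAL over plain http -> redirect to https.
    if request["scheme"] != "https" and any(
            sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip() != "NONE"
            for sc in hits):
        return 302, f"https://{request['host']}{request['path']}"
    # 2. Only an <auth-constraint> makes the container authenticate the caller.
    if not any(sc.find("auth-constraint") is not None for sc in hits):
        return 200, "served without container authentication"
    # 3. CLIENT-CERT: the authenticator can only use a chain the TLS layer already received.
    if root.findtext("login-config/auth-method", "").strip() == "CLIENT-CERT":
        if request.get("client_cert"):
            return 200, f"authenticated as {request['client_cert']}"
        return 401, "no client certificate was presented during the TLS handshake"
    return 401, "other auth-method not modelled here"

if __name__ == "__main__":
    for req in ({"scheme": "http", "host": "host", "path": "/ClientCertSignServlet", "client_cert": None},
                {"scheme": "https", "host": "host", "path": "/ClientCertSignServlet", "client_cert": None},
                {"scheme": "https", "host": "host", "path": "/secure/sign", "client_cert": None},
                {"scheme": "https", "host": "host", "path": "/secure/sign", "client_cert": "CN=kannan"}):
        print(req["scheme"], req["path"], "->", handle(req))
```

With the quoted constraint alone, the https:// request is served as soon as the redirect is followed; whether the browser was ever asked for a certificate then depends entirely on the connector's clientAuth setting, which is the TLS-layer step Kannan's second message is about.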
