r
https. The way currently is implemented, is for the "Smartcard" for the servlet
to detect that the "Smartcard" has been pressed and to 302 to a specially
designated https connector that has
"clientAuth="true"+"trustManagerClassName=... AnyCertX509TrustMa
Hi Mark,
Thank you for the settings. I am not sure what is the APR/native connector
version, I am using the default APR/native connector in 6.0.29 (I do not
set/change APR on my Windows machine).
I am not sure why the client certificate authentication failed when my
client certificate was signed
On 12/11/2010 16:27, Goo Sam Kong wrote:
> Hi
>
> I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
APR/native connector version? SSL re-negotiation wasn't supported until
recently and the CVE-2009-3555 fixes further complicate things.
> SSLCertificateFile="C:\usr\tomcat\to
Hi
I am running Tomcat 6.0.29 with JDK 1.6.0_22 on Windows XP.
I changed server.xml as below.
> -Original Message-
> From: acastanheira2001
> Sent: Monday, April 26, 2010 8:35
> Subject: Re: Client cert authentication
>
>
> Thanks again Mark,
>
> I think it will be difficult to move to Tomcat 6 soon. If I
> change mod_proxy to mod_jk, does mod_j
--
View this message in context:
http://old.nabble.com/Client-cert-authentication-tp28287654p28364194.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---
On 22/04/2010 20:00, acastanheira2001 wrote:
>
> Thanks Mark,
>
> I use mod_proxy (ProxyPass and ProxyReverse) to connect Apache (2.2.3) to
> Tomcat(5.5)/Jboss (4.2). Can mod_proxy pass client cert to Tomcat?
With 5.5.x, not without some custom code. With 6.0.x, yes.
You'd need to port this to
need to have
>> a
>> keystore and https set?
>
> No.
>
> Mark
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.a
On 19/04/2010 13:05, acastanheira2001 wrote:
>
> Hi,
>
> I have an apache server in front of Tomcat/Jboss, the former receives the
> client cert and does revocation list and trust validation.
>
> I need to pass the client cert to Tomcat only to check the SubjectAltNames.
>
> As far as trust acc
keystore and https set?
Thanks,
André
--
View this message in context:
http://old.nabble.com/Client-cert-authentication-tp28287654p28287654.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
On 24/02/2010 15:03, Christopher Schultz wrote:
So, setting to CLIENT-CERT triggers an SSL renegotiation.
What if the is set to clientAuth="want" or
clientAuth="true"? Will the initial SSL negotiation carry the client
certificate and therefore avoid CVE-2009-355?
Yes. But test carefully as th
Kevin,
On 2/23/2010 6:07 PM, Kevin Mills wrote:
> On 2/19/10, Christopher Schultz wrote:
>> So, with clientAuth="false", how do you get a client certificate to use
>> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
>> trigger
> Date: Tue, 23 Feb 2010 15:07:03 -0800
> Subject: Re: Trouble with CLIENT-CERT authentication method
> From: kevmacmi...@gmail.com
> To: users@tomcat.apache.org
>
> On 2/19/10, Christopher Schultz wrote:
> > So, with clientAuth="false", h
On 2/19/10, Christopher Schultz wrote:
> So, with clientAuth="false", how do you get a client certificate to use
> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
> trigger an SSL-renegotiation where the client cert /is/ requested from
> the client.
The presence of CLIENT-
Kevin,
On 2/19/2010 2:18 PM, Kevin Mills wrote:
> On 2/19/10, Christopher Schultz wrote:
>> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>>> resources require the client cer
On 2/19/10, Christopher Schultz wrote:
> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>> resources require the client certificate.
>
> Gotcha: I thought that "false" would cause the connector to ignore all
> client cert in
On 2/18/10, Christopher Schultz wrote:
>
> Stupid question: don't you want clientAuth="true"?
>
In this particular case, no. I don't want to force client certificate
authentication for all SSL connections coming to port 8443. Instead,
I am looking to do client certificate authentication on a pe
Jason,
On 2/19/2010 1:48 AM, Jason Brittain wrote:
> Nope. clientAuth="false" means that the webapp's web.xml specifies which
> resources require the client certificate.
Gotcha: I thought that "false" would cause the connector to ignore all
client c
Christopher:
Nope. clientAuth="false" means that the webapp's web.xml specifies which
resources require the client certificate. See the Connector doc page's
description of the accepted values for the clientAuth attribute:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
"clientAuth" is
Kevin,
On 2/17/2010 7:24 PM, Kevin Mills wrote:
> Sure thing - here is my Connector element:
>
> maxThreads="50" scheme="https" secure="true"
> keystoreFile=".../tomcat.keystore" keystorePass="..."
>
On 18/02/2010 16:30, Kevin Mills wrote:
> On 2/17/10, Mark Thomas wrote:
>> CVE-2009-3555?
>
> Now that this is working, I'd like to ask what other options exist for
> using client certificate authentication on a per-webapp basis.
> Requiring my customers to enable a feature
> (allowUnsafeLegacy
On 2/17/10, Mark Thomas wrote:
> CVE-2009-3555?
Now that this is working, I'd like to ask what other options exist for
using client certificate authentication on a per-webapp basis.
Requiring my customers to enable a feature
(allowUnsafeLegacyRenegotiation) that exposes them to a potential
man-i
On 2/17/10, Mark Thomas wrote:
> The rules on how security constraints combine are in the Servlet spec.
> It can take a bit of time to get your head around it.
>
> To require a cert for your servlet too, one option would be:
>
>
>
> Everything
> /*
>
On 18/02/2010 00:42, Kevin Mills wrote:
> On 2/17/10, Mark Thomas wrote:
>>
>>
>>> :-) "Doesn't work", meaning I don't get prompted for my certificate.
>>> I see my servlet's output without any sort of authentication.
>>
>> What URL are you requesting? Only index.jsp will prompt for a cert. Your
On 2/17/10, Mark Thomas wrote:
>
>
>> :-) "Doesn't work", meaning I don't get prompted for my certificate.
>> I see my servlet's output without any sort of authentication.
>
> What URL are you requesting? Only index.jsp will prompt for a cert. Your
> servlet will just require SSL to be used.
Oo
On 18/02/2010 00:24, Kevin Mills wrote:
>
> MyServlet
> /myServlet
>
>
>
> MyApp
> /index.jsp
>
>
> X509
>
>
>
>
> Everything
>
On 2/17/10, Mark Thomas wrote:
> Then you probably haven't got your config quite right. There are plenty
> of things to go wrong with this but this definitely works - I was using
> it just the other day.
>
> We'll need to see:
> - connector element from server.xml
> - web.xml
> - tomcat-users.xml
On 18/02/2010 00:04, Kevin Mills wrote:
> On 2/17/10, Mark Thomas wrote:
>> On 17/02/2010 23:48, Kevin Mills wrote:
>>> Can anyone tell me what's going on here?
>>
>> CVE-2009-3555?
>>
>> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>> search for
>> allowUnsafeLegacyRenegotiation
>
>
On 2/17/10, Mark Thomas wrote:
> On 17/02/2010 23:48, Kevin Mills wrote:
>> Can anyone tell me what's going on here?
>
> CVE-2009-3555?
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> search for
> allowUnsafeLegacyRenegotiation
Thanks for your reply - I did see that option and forg
On 17/02/2010 23:48, Kevin Mills wrote:
> Can anyone tell me what's going on here?
CVE-2009-3555?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
search for
allowUnsafeLegacyRenegotiation
Mark
ent certificate authentication
working for the Connector (this works for me), then setting
clientAuth="false" on the Connector and placing the following in the
webapp's web.xml:
CLIENT-CERT
I've tried various combinations of security constraints, roles,
realms, etc
Hi everybody,
I am trying to configure Apache Tomcat in https mode with two types of
resources:
1. Unprotected resources anyone can visit
2. Protected resources, where the client has to authenticate with a
certificate (issued by a known Certification Authority).
The problem is that till n
Hi,
is there a way to configure the APR connector in a way
that it requests a client certificate only if the client accesses
a resource that is protected by a security constraint?
This works with a Java connector if I specify the option
clientAuth=false.
The client certificate is not requested
how to get it to use "org.apache.catalina.realm.JAASRealm/1.0" ?
My web.xml still contains
BASIC
CUSTOMRealm
Thanks for any insight or pointers to documentation on Authenticators.
-Steve More
On 9/26/07, Edwin K. Brown wrote:
> I'm doing this to provide an _outline_ of what is n
I’m doing this to provide an _outline_ of what is needed to be done to get
CLIENT-CERT authentication and authorization working in Tomcat 6. This is high
level because each implementation will have to be done to suit your own needs.
This first part deals with the JAAS related code that you
oceed. On the login page, you have a link to the SSL easy access page.
Something like that... interesting project.
- Original Message -
From: "Nick Duan" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, June 20, 2007 2:17 PM
Subject: Combining form-based authentication w
Is there any way to allow both client-cert authentication and form-based
authentication to work together in Tomcat? or J2EE web servers in
general?
I'd like to have users log in to a web app using either user cert or
username/password. If a user doesn't have a cert, the login page
Hi All,
I tried to configure my webapp to authenticate users by the CLIENT-CERT auth method.
My 1st test is using UserDatabaseRealm and adding the client cert DN to
tomcat-user.xml. Everything works great. However, when I tried to use
JAASRealm, it fails even though my custom LoginModule always returns true for
any
Hi
I know that the Servlet specification 2.4 presents four manners to authenticate
users (in a CMS way to do this): basic, digest, form or client-cert. What I
need is to provide a way to authenticate users by passwords or client
certificates at the same time. If a user has a certificate he can us
Hi,
I have been thinking about replacing the legacy username/password system
used today in my web-applications to use authentication with personal
certificates via client-cert authentication. The problem is that I need to
run multiple instances of the same web-application with different users in
40 matches