Greetings fellow Tomcat-ers:
I'm trying to enable client certificate authentication on a per-webapp
basis using Tomcat 6.0.24. According to the various sources of
documentation I've found, this should be possible by enabling the SSL
Connector (which I've done), getting client certificate authenticat
On 2/17/10, Mark Thomas wrote:
> On 17/02/2010 23:48, Kevin Mills wrote:
>> Can anyone tell me what's going on here?
>
> CVE-2009-3555?
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> search for
> allowUnsafeLegacyRenegotiation
Thanks for your r
On 2/17/10, Mark Thomas wrote:
> Then you probably haven't got your config quite right. There are plenty
> of things to go wrong with this but this definitely works - I was using
> it just the other day.
>
> We'll need to see:
> - connector element from server.xml
> - web.xml
> - tomcat-users.xml
On 2/17/10, Mark Thomas wrote:
>
>
>> :-) "Doesn't work", meaning I don't get prompted for my certificate.
>> I see my servlet's output without any sort of authentication.
>
> What URL are you requesting? Only index.jsp will prompt for a cert. Your
> servlet will just require SSL to be used.
Oo
On 2/17/10, Mark Thomas wrote:
> The rules on how security constraints combine are in the Servlet spec.
> It can take a bit of time to get your head around it.
>
> To require a cert for your servlet too, one option would be:
>
>
>
> Everything
> /*
>
On 2/17/10, Mark Thomas wrote:
> CVE-2009-3555?
Now that this is working, I'd like to ask what other options exist for
using client certificate authentication on a per-webapp basis.
Requiring my customers to enable a feature
(allowUnsafeLegacyRenegotiation) that exposes them to a potential
man-i
On 2/18/10, Christopher Schultz wrote:
>
> Stupid question: don't you want clientAuth="true"?
>
In this particular case, no. I don't want to force client certificate
authentication for all SSL connections coming to port 8443. Instead,
I am looking to do client certificate authentication on a pe
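The configuration below is an editor-added worked example of the setup this thread converges on; it is not configuration posted by anyone in the thread. It shows the three files Mark asked for in one block: a connector with clientAuth="false" so ordinary HTTPS clients on 8443 are not challenged, a web.xml that declares CLIENT-CERT and puts a single constraint with an auth-constraint on /* (so the servlet is protected, not just index.jsp), and the tomcat-users.xml entry that maps the certificate's subject DN to a role. Keystore and truststore paths, passwords, the role name cert-user, and the subject DN are placeholders.

```xml
<!-- conf/server.xml: the SSL connector on 8443.
     clientAuth="false" means the initial handshake does NOT ask the browser for a
     certificate; only a webapp whose web.xml declares CLIENT-CERT causes Tomcat to
     request one later, via TLS renegotiation. Paths and passwords are placeholders. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/trusted-client-cas.jks" truststorePass="changeit"
           allowUnsafeLegacyRenegotiation="true" />
<!-- allowUnsafeLegacyRenegotiation="true" is the setting the thread found necessary on
     6.0.24 once the JRE disabled renegotiation for CVE-2009-3555; it re-enables exactly
     the renegotiation that CVE describes. Two ways to avoid it: clientAuth="want"
     (request a certificate in the first handshake, but do not fail without one), or a
     second connector on another port with clientAuth="true" used only by the
     certificate-protected webapps. -->

<!-- WEB-INF/web.xml of the one webapp that should demand a certificate.
     A constraint with only a user-data-constraint forces HTTPS and nothing else, which
     is why a servlet covered that way is served without any prompt. Adding an
     auth-constraint is what makes Tomcat require an authenticated certificate holder. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>cert-user</role-name>   <!-- placeholder role name -->
</security-role>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- conf/tomcat-users.xml: with the default UserDatabaseRealm, CLIENT-CERT
     authentication looks the certificate's subject DN up as the username and ignores
     the password. The DN is a placeholder and must match the client certificate's
     subject exactly as Tomcat renders it (check catalina.out if the lookup fails). -->
<tomcat-users>
  <role rolename="cert-user"/>
  <user username="CN=client1, O=Example, C=US" password="" roles="cert-user"/>
</tomcat-users>
```

Two checks worth doing before blaming the config: request the servlet URL itself (not only index.jsp) and confirm the browser prompts for a certificate, and make sure the CA that signed the client certificate is in the truststore named on the connector; with clientAuth="false" a missing trust anchor shows up as a 401 after the prompt rather than a handshake failure.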
On 2/19/10, Christopher Schultz wrote:
> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>> resources require the client certificate.
>
> Gotcha: I thought that "false" would cause the connector to ignore all
> client cert in
On 2/19/10, Christopher Schultz wrote:
> So, with clientAuth="false", how do you get a client certificate to use
> for authentication? Or, does the presence of the CLIENT-CERT in web.xml
> trigger an SSL-renegotiation where the client cert /is/ requested from
> the client?
The presence of CLIENT-