-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Nathan,
On 10/1/14 12:16 PM, Nathan Quirynen wrote: > On 01/10/14 18:08, Christopher Schultz wrote: Nathan, > > On 10/1/14 10:02 AM, Nathan Quirynen wrote: >>>> Hi Tomcat users, >>>> >>>> A current application has client authentication configured in >>>> the SSL Connector (server.xml): >>>> >>>> <Connector port="8443" ... clientAuth="true" >>>> keystoreFile=".keystore" keystorePass="..." >>>> truststoreFile=".truststore" truststorePass="..." /> >>>> >>>> And the CA root certificates have been added to the >>>> truststore. >>>> >>>> This way it asks for a client certificate in any case, which >>>> works and is fine for this application. For a new application >>>> the use case is a bit different. I only need client >>>> authentication for a specific defined path (for example: >>>> /secured/*). After some research I found this was possible >>>> with defining this on application level in the web.xml file. >>>> So I changed my configuration to: >>>> >>>> server.xml: >>>> >>>> <Connector port="8443" ... clientAuth="false" >>>> keystoreFile=".keystore" keystorePass="..." >>>> truststoreFile=".truststore" truststorePass="..." /> >>>> >>>> web.xml: >>>> >>>> <security-constraint> <web-resource-collection> >>>> <web-resource-name>Secureconn</web-resource-name> >>>> <url-pattern>/secured/*</url-pattern> >>>> <http-method>GET</http-method> </web-resource-collection> >>>> <auth-constraint> <role-name>secureconn</role-name> >>>> </auth-constraint> </security-constraint> <login-config> >>>> <auth-method>CLIENT-CERT</auth-method> >>>> <realm-name>Secureconn</realm-name> </login-config> >>>> <security-role> <role-name>secureconn</role-name> >>>> </security-role> >>>> >>>> >>>> In this case it actually only asks for client authentication >>>> when going to for example "secured/home" page. But I'm >>>> getting a 401 message code. >>>> >>>> What am I missing to get people authenticated based on the CA >>>> root certificates that are in the configured truststore? Is >>>> it even possible what I am trying? > What happens if you change clientAuth="false" to > clientAuth="want"? > > -chris >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > > Hey Chris, > > If I change it to want I still get the same error: > > HTTP Status 401 - Cannot authenticate with the provided > credentials So just to be sure, the only difference between the application you have that is working and the one that is not working is that you have a different <url-pattern> in your web.xml? Generally speaking, Tomcat will authenticate the client certificate just using the configuration at the <Connector> level. Using CLIENT-CERT in the application is used for application credentials -- such as establishing roles to be used with role-based permissions. Do you intend to use role-based permissions and all that other stuff, or do you just want to make sure that the client has a valid certificate? If you just want to make sure that the certificate is valid, then you want to use clientAuth="want" and remove the configuration you have from web.xml. Next, you will need to write a Filter that grabs the X509 certificate from the request and does manual checking. You might be able to get some help from a series of posts I wrote a few years ago about manually-handling X509 certificates: http://markmail.org/message/kzxsamuiu6bldjmv Hope that helps, - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJULYSZAAoJEBzwKT+lPKRYorwP/1GT+aPdAK5Vu2piCp+4ZDXQ kGm42DzD0FBM8oKI2vgPj/hvOTEYC+e7EndxxUbhaSoek0O71hlEeWfnhrCt3lNs xKHBhwXHeVwxOkSHsjZKfzHqoJgHhMBBVU5rQHQ1mwIT71bayNSYVuG/QRZFffoM lef1YTql+jt+LOgfJauD/yozYG2fblEMMEcUWfBtpruEFVns6Vu2m5vwKwn7si2K 13SjiqoULIOf6FkiKXiCewXACq98KLbjo21m5SkUNDgFiE6wWquOX/uyQBBP8n+p B2H6b6YlQAj1KOBtH+yd+0vnW6BwjI9ZxHDfT7t8Ii1zBwUDFj3QZOJ5RXFwteQR cFjJXxmRliD/EuEfjZuHD5U9d51Eq44RU6p3/8cuIg90gx8fPYBULJimXRX6v4ca EdTmqnJyxZeh2WoNAY2k+24OxwwxKSZUErxm0biBAy/wcqT1O1ePkaCI6YQx1Vkj TnHxleVWvr2FpZDp1apmTcgzP0gBnD6fOG8ltf8Nqe/Ax4l6nhdK3Q19YLTt2Q2z IKX7oUOYru0GNuICtsNYz0EprzdMxnv28v3SBYLSfHln9J5WWtfBeOlKxMPmP0Fg ZJG/X/zUUC2IxDNe6u7ZdZr/vqxDLyZxc74ugiVIxveutzrXOHdxnPRIzbEXjYIC umadSoe7yZwlcEAAQFG/ =bMuo -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
