On 2014-12-02 04:55, John Dunn wrote:
I have been asked the following question during an audit, which I personally
don't understand.
"When using Mutually authenticated TLS is authorisation based on the certificate
name(and not just on the root CA)?"
Can anyone clarify what exactly this means and whether Tomcat supports this?
Cheers
I believe the question is asking whether, during the authentication
process, Tomcat inspects the certificate and reads the CN of the client
cert, then matches it against the set of known users (defined in
whatever Realm you are using).
I found out just yesterday that the answer is yes, at least for Tomcat 7.
There are really two things going on with the client certs in mutual
authentication. First, the server requests the client cert in order to
complete the TLS handshake and establish a connection. Next, *after* the
TLS connection is open, if the resource being accessed has an
auth-constraint in web.xml, Tomcat checks the CN, matches it to a user
name, maps that name to a role, and checks that the role is allowed to
access the resource.
As I discovered yesterday, if you have a client cert that is signed by a
CA that Tomcat trusts, but whose name (synonymously, CN) does not map to
a recognized user, then you will connect to Tomcat but get an HTTP 401
error as your response. If the user name is recognized but lacks the
required role, you get HTTP 403.
Hope this helps,
--
Andrew Gronosky
Raytheon BBN Technologies
10 Moulton Street
Cambridge, MA 02138
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
