Chris, thanks for your mail. Apologies for the confusion. Yes, I am requesting certificates - sslCon.setProperty("clientAuth", "required") - and a user can only connect by supplying a valid certificate.
I removed the constraints from the web.xml as I did not want access to a servlet restricted to a role - I need the servlet to respond differently based on role. What I have decided to do in the servlet is to retrieve the user-id from the certificate and determine their role by using a security product native to the platform on which Tomcat is running.

Thanks for your help.

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze

On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Dave,
>
> On 1/30/23 04:21, Dave Breeze wrote:
> > Thanks Chris
> > the application is requesting certificate authentication - and this is
> > working - it is just the mapping of users to roles that is not
> > happening
>
> No, the server is requesting the certificate information; the
> application is not. From your original posting:
>
> > On 1/28/23 09:28, Dave Breeze wrote:
> > There are no security constraints on the app's web.xml.
>
> With no security constraints, the application is not requesting
> authentication. Tomcat therefore does not provide any "authentication
> information" to the application. If the client sends a certificate
> (which is happening at the request of the /server/), then Tomcat will
> forward that certificate information to the application. But it will not
> use it for any kind of authentication or authorization.
>
> > I implemented an org.apache.catalina.realm.X509UsernameRetriever and
> > configured using X509UsernameRetrieverClassName but it was never
> > called. In my servlet, however, I can retrieve the certificates.
>
> That's consistent with your configuration IMO.
>
> You will have to tell your application to use CLIENT-CERT authentication
> if you want Tomcat to parse that cert chain for you, populate the user
> principal, etc.
>
> -chris
>
> > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
> > <ch...@christopherschultz.net> wrote:
> >>
> >> Dave,
> >>
> >> On 1/28/23 09:28, Dave Breeze wrote:
> >>> This is Tomcat 9.0 running embedded.
> >>>
> >>> I am trying to authorize access by client certificate. I want the
> >>> servlet response to be tailored to the user's role. In other words I
> >>> am not looking to deny access by role.
> >>>
> >>> The connector has sslCon.setProperty("clientAuth", "required");
> >>> The context has a config file set: serverAppContext.setConfigFile(contextURL);
> >>> The config file contains
> >>>
> >>> <?xml version="1.0" encoding="UTF-8"?>
> >>> <Context>
> >>>   <Realm className="org.apache.catalina.realm.MemoryRealm"
> >>>          debug="9"
> >>>          pathname="/var/CartS3Server/cartapp/users.xml"/>
> >>> </Context>
> >>>
> >>> users.xml contains
> >>>
> >>> <?xml version='1.0' encoding='utf-8'?>
> >>> <tomcat-users>
> >>>   <role rolename="cart-admin"/>
> >>>   <role rolename="cart-user"/>
> >>>   <user username="CN=TTSDB1,OU=CART,O=CART" password="" roles="cart-user"/>
> >>>   <user username="CN=TTSDB2,OU=CART,O=CART" password="" roles="cart-admin"/>
> >>> </tomcat-users>
> >>>
> >>> Certificates are imported into the browser and the browser prompts for
> >>> cert selection.
> >>>
> >>> There are no security constraints on the app's web.xml.
> >>>
> >>> In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> >>> This always fails. Also a req.getUserPrincipal() call always returns
> >>> null. The request does not seem to be authenticated.
> >>>
> >>> Further in the servlet an X509Certificate[] certs = (X509Certificate[])
> >>> req.getAttribute("javax.servlet.request.X509Certificate") correctly
> >>> returns both the certificate from the browser plus the Cert Auth. A
> >>> getSubjectX500Principal().getName() call on the browser certificate
> >>> returns the cn/o/ou setting that should match with users.xml.
> >>>
> >>> What am I missing here?
> >>
> >> If the application does not request authentication, Tomcat will not
> >> perform it on behalf of the application. If you want a Principal and to
> >> be able to check roles, etc. then you'll need to request CLIENT-CERT
> >> authentication in web.xml (or the embedded equivalent).
> >>
> >> -chris
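The "embedded equivalent" of CLIENT-CERT in web.xml that Chris refers to, written here as an added example rather than code from this thread: a LoginConfig plus a security constraint on the whole application that admits any authenticated user, so Tomcat authenticates the certificate chain and populates the Principal without denying access by any role. It assumes Tomcat 9 embedded, the users.xml from the original post, placeholder keystore paths and a hypothetical CartServlet; getUserPrincipal() is non-null inside that servlet because the constraint forces authentication before the request reaches it.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.MemoryRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
public class ClientCertEmbedded {
    // Hypothetical servlet: every authenticated cert holder is served; only the content depends on role.
    static class CartServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String view = req.isUserInRole("cart-admin") ? "admin view" : "user view";
            resp.getWriter().println(view + " for " + req.getUserPrincipal().getName());
        }
    }
    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        Connector sslCon = new Connector();
        sslCon.setPort(8443);
        sslCon.setProperty("SSLEnabled", "true");
        sslCon.setProperty("clientAuth", "required");                       // as in the original post
        sslCon.setProperty("keystoreFile", "/PLACEHOLDER/server.jks");      // server key and certificate
        sslCon.setProperty("truststoreFile", "/PLACEHOLDER/client-ca.jks"); // CA that issued the client certs
        tomcat.getService().addConnector(sslCon);
        Context ctx = tomcat.addContext("", null);
        MemoryRealm realm = new MemoryRealm();                  // the realm the post's context XML declares
        realm.setPathname("/var/CartS3Server/cartapp/users.xml");
        ctx.setRealm(realm);
        // Embedded equivalent of <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
        ctx.setLoginConfig(new LoginConfig("CLIENT-CERT", null, null, null));
        ctx.getPipeline().addValve(new SSLAuthenticator());     // ContextConfig skips adding one if present
        // Constraint on the whole app admitting any authenticated user ("**"): this is what makes Tomcat
        // authenticate the cert chain and populate the Principal, without denying access by role.
        SecurityCollection all = new SecurityCollection();
        all.addPattern("/*");
        SecurityConstraint sc = new SecurityConstraint();
        sc.addCollection(all);
        sc.addAuthRole("**");
        ctx.addConstraint(sc);
        Tomcat.addServlet(ctx, "cart", new CartServlet());
        ctx.addServletMappingDecoded("/*", "cart");
        tomcat.start();
        tomcat.getServer().await();
    }
}
```

MemoryRealm matches the whole username string, and the username it derives from a client certificate is the subject DN rendered as a string, so if authentication still fails with this in place, compare the DN string the servlet already obtains from getSubjectX500Principal() against the username attribute in users.xml character for character, including separators and spacing.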