Tomcat and client certificates
Tom Bednarz
2006-01-31 14:33:58 UTC
Is it possible to run on the same container (instance of Tomcat) web
applications that DO require certificates and other applications that do
NOT require certificates?

To define required client certificate authorization one needs to define
in SERVER.XML

<Connector className=............ port="8443"....... scheme="https"......
<Factory className
="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="true" protocol="TLS"
keystoreFile="MyPath/MyKeystoreFile ...../>
</Connector>

The thing is, I have at a customer site a web-application that serves a
mixed PKI environment. This means, that some users use chip-cards and a
Single Sign On solution to authenticate. But there is also a quite big
population of users who still use a standard username/password
authentication over an SSL connection. So for both cases I need SSL.

Is there any way of defining this on an application level, which would
mean the definition should go into web.xml instead of server.xml. I then
could make two web applications, one defined for users with a
Certificate and one for users without. If that is not possible, I need
two servers, each running an instance of Tomcat with different
server.xml settings.

Any suggestions would be greatly appreciated.

Tom
Caldarale, Charles R
2006-01-31 15:46:04 UTC
Subject: Tomcat and client certificates
If that is not possible, I need two servers, each running
an instance of Tomcat with different server.xml settings.
I haven't tried it, but I would think all you need is two sets of
<Connector> tags, not two complete installations. You'd have to
differentiate between them by IP address or port numbers, of course.

- Chuck

Mark Thomas
2006-01-31 19:30:15 UTC
Post by Tom Bednarz
Is it possible to run on the same container (instance of Tomcat) web
applications that DO require certificates and other applications that do
NOT require certificates?
Just specify
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>

in web.xml. Assuming of course that you have a security constraint
that applies to the whole web application.

Mark
Markus
2006-02-01 14:22:03 UTC
Setting clientAuth to true / false in the Connector configuration
works fine, but how do I configure client authentication on a
per-directory or even per-servlet basis?

This is my current configuration:

In server.xml:
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="\...\keystore.jks" keystorePass="wonttell"
truststoreFile="\...\truststore.jks" truststorePass="wonttell"
/>

In web.xml:
<security-constraint>
<web-resource-collection>
<url-pattern>/html/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
<user-data-constraint/>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>

And here are the results I get:

https://domain/anypage : OK
https://domain/html/anypage : HTTP Status 403 - Access to the
requested resource has been denied

The logfile says:

01.02.2006 15:19:57 org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL Cert
java.net.SocketException: Socket Closed

What's wrong with my configuration?

Markus
Mark Thomas
2006-02-01 20:09:25 UTC
Post by Markus
Setting clientAuth to true / false in the Connector configuration
works fine, but how do I configure client authentication on a
per-directory or even per-servlet basis?
<snip/>
Post by Markus
https://domain/anypage : OK
https://domain/html/anypage : HTTP Status 403 - Access to the
requested resource has been denied
Have you added the user's certificate to your realm?

Mark
Markus
2006-02-02 10:35:11 UTC
Ok, when I set clientAuth to "want" the "Exception getting SSL Cert"
goes away. (Wtf is this documented?). But I still get the 403 - Access
denied error.

Here is how I added the users certificate to my realm:

web.xml:

<security-constraint>
<web-resource-collection>
<url-pattern>/html/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myrole</role-name>
</auth-constraint>
<user-data-constraint/>
</security-constraint>

<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
<role-name>myrole</role-name>
</security-role>

tomcat-users.xml:

<tomcat-users>
<role rolename="myrole"/>
<user username="EMAILADDRESS=mark... , CN=markus...., OU=..., O=...
, L=...., ST=... C=..." password="" roles="myrole"/>
</tomcat-users>

As username I used exactly the cert.getSubjectDN().getName() String
from the client certificate.

Is this ok?
Mark Thomas
2006-02-02 19:15:30 UTC
Post by Markus
Ok, when I set clientAuth to "want" the "Exception getting SSL Cert"
goes away. (Wtf is this documented?). But I still get the 403 - Access
denied error.
If you specify a user-data-constraint, you don't need to specify
clientAuth in the connector.
Post by Markus
As username I used exactly the cert.getSubjectDN().getName() String
from the client certificate.
Is this ok?
Should be fine. This thread might help too:
http://marc.theaimsgroup.com/?l=tomcat-user&m=107963922404774&w=2

Do you get prompted by your browser for a certificate?

Mark
David Delbecq
2006-02-03 09:19:31 UTC
Post by Markus
Ok, when I set clientAuth to "want" the "Exception getting SSL Cert"
goes away. (Wtf is this documented?).
Yes it is documented:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Section 'Edit the Tomcat Configuration File'
Post by Markus
But I still get the 403 - Access
denied error.
This means the client didn't send a certificate or the certificate was not recognized.
Post by Markus
<security-constraint>
<web-resource-collection>
<url-pattern>/html/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myrole</role-name>
</auth-constraint>
<user-data-constraint/>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<role-name>myrole</role-name>
</security-role>
<tomcat-users>
<role rolename="myrole"/>
<user username="EMAILADDRESS=mark... , CN=markus...., OU=..., O=...
, L=...., ST=... C=..." password="" roles="myrole"/>
</tomcat-users>
As username I used exactly the cert.getSubjectDN().getName() String
from the client certificate.
Is this ok?
Did you escape the quote character of subject line using &quot; ?
Post by Markus
Markus
2006-02-06 11:52:35 UTC
Mark:
Thank you for your link to the archive. It was my fault using the
UserDatabase realm instead of the MemoryRealm. I'm using tomcat 5.0.28 -
is it still the case in 5.5.x that you MUST use the MemoryRealm for
clientcert authentication?

Anyway, there is still an issue when trying to access a restricted url
without the proper certificate:

1) When there is the RIGHT client certificate in the browser keystore:
it works :-)

2) When there is the WRONG client certificate I get:

HTTP Status 401 - Cannot authenticate with the provided credentials
(this is ok, too)

3) When there is NO client certificate I get:

HTTP Status 400 - No client certificate chain in this request

400 usually stands for a bad request or bad syntax. I believe in this case 401
should be the appropriate reply.

Is there any way to adjust the HTTP Status code for failed client-cert
authentication?
Mark Thomas
2006-02-06 17:55:14 UTC
Post by Markus
Thank you for your link to the archive. It was my fault using the
UserDatabase realm instead of the MemoryRealm. I'm using tomcat 5.0.28 -
is it still the case in 5.5.x that you MUST use the MemoryRealm for
clientcert authentication?
All realms should work with CLIENT-CERT. If they don't file a bug
report and I'll look into it.
Post by Markus
HTTP Status 400 - No client certificate chain in this request
400 usually stands for a bad request or bad syntax. I believe in this case 401
should be the appropriate reply.
Hmm. I guess this could be debatable.
Post by Markus
Is there any way to adjust the HTTP Status code for failed client-cert
authentication?
No configuration option. I suspect it would require code changes.

Mark
Markus
2006-02-07 16:09:03 UTC
Ok, I just submitted the bugs #38553 and #38555 for both issues. If
you need more information, please let me know via bugzilla.
Mark Thomas
2006-02-07 18:50:17 UTC
Post by Markus
Ok, I just submitted the bugs #38553 and #38555 for both issues. If
you need more information, please let me know via bugzilla.
5.5.x CLIENT-CERT should work with all realms. 5.0.x - don't hold your
breath.

Mark

Duan, Nick
2006-02-01 15:25:31 UTC
The clientAuth attribute of the connector has to be set to true. Then
you will need a client cert to access resources under /html/*, but not
other pages. See the Tomcat SSL guide on how to create the client cert.

ND

-----Original Message-----
From: Markus [mailto:***@googlemail.com]
Sent: Wednesday, February 01, 2006 9:22 AM
To: Tomcat Users List
Subject: Re: Tomcat and client certificates

Setting clientAuth to true / false in the Connector configuration
works fine, but how do I configure client authentication on a
per-directory or even per-servlet basis?

This is my current configuration:

In server.xml:
<Connector port="8443"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="\...\keystore.jks" keystorePass="wonttell"
truststoreFile="\...\truststore.jks"
truststorePass="wonttell"
/>

In web.xml:
<security-constraint>
<web-resource-collection>
<url-pattern>/html/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
<user-data-constraint/>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>

And here are the results I get:

https://domain/anypage : OK
https://domain/html/anypage : HTTP Status 403 - Access to the
requested resource has been denied

The logfile says:

01.02.2006 15:19:57 org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL Cert
java.net.SocketException: Socket Closed

What's wrong with my configuration?

Markus
Markus
2006-02-01 16:55:39 UTC
Creating client certs is no problem, I already had client
authentication working on the Connector-Level.

Nick:
In other words: it is NOT possible in tomcat to have a webapp with
BOTH, a private part with ssl AND client authentication and a public
part with ssl but WITHOUT client authentication?

That would be sad.


Markus
David Delbecq
2006-02-01 18:44:49 UTC
Hi
Yes, it is possible. From connector configuration doc:
clientAuth:
Set this value to true if you want Tomcat to require all SSL clients to
present a client Certificate in order to use this socket.
Set this value to want if you want Tomcat to request a client Certificate,
but not fail if one isn't presented.

So in your configuration, change clientAuth="false" to clientAuth="want" and
connector will accept connection be there a certificate or not. But don't
forget
        <login-config>
                <auth-method>CLIENT-CERT</auth-method>
        </login-config>
means access to /html/* will be refused to users not presenting a certificate.
(They can still access other webapps in tomcat if those have a login-config
not based on certificate and they can also browse in ssl the non restricted
area of client-cert based webapp)
for sensitive areas, you might also be interested in adding, in particular
for basic authentication based webapps
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Post by Markus
Creating client certs is no problem, I already had client
authentication working on the Connector-Level.
In other words: it is NOT possible in tomcat to have a webapp with
BOTH, a private part with ssl AND client authentication and a public
part with ssl but WITHOUT client authentication?
That would be sad.
Markus
--
David Delbecq
Royal Meteorological Institute of Belgium
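The pieces scattered across this thread, assembled into one working configuration for a single Tomcat 5.x web application that serves a public SSL-only area and a private client-certificate area. This is an added example, not from any of the posters or from the Tomcat documentation; the keystore paths, passwords, role name and subject DN are placeholders I made up, and the connector attributes are the ones Markus's server.xml already uses.

```xml
<!-- server.xml: one HTTPS connector serves both user populations.
     clientAuth="want" asks every TLS client for a certificate but lets the
     handshake complete when none is presented; clientAuth="true" would
     reject those clients before the container ever sees the request. -->
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="/PLACEHOLDER/path/keystore.jks" keystorePass="CHANGE-ME"
           truststoreFile="/PLACEHOLDER/path/truststore.jks" truststorePass="CHANGE-ME" />

<!-- web.xml of the single web application -->

<!-- Public area: everything. No auth-constraint, so no login is required,
     but the transport-guarantee forces HTTPS for the username/password users. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>public-ssl-only</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Private area: only principals in myrole, i.e. a presented certificate
     whose subject DN the realm maps to that role. Without a certificate the
     container answers the request itself instead of the connector dropping it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>private-client-cert</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myrole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>myrole</role-name>
</security-role>

<!-- tomcat-users.xml: the username is the subject DN exactly as
     cert.getSubjectDN().getName() renders it. Java wraps a value that contains
     a comma in double quotes, and inside an XML attribute each of those quotes
     has to be written as &quot; (constructed placeholder DN below). -->
<tomcat-users>
  <role rolename="myrole"/>
  <user username="EMAILADDRESS=markus@example.invalid, CN=&quot;Markus, Example&quot;, OU=Dev, O=Example Org, L=Somewhere, ST=Somewhere, C=DE"
        password="" roles="myrole"/>
</tomcat-users>
```

Neither web-resource-collection lists http-method elements on purpose: a collection that names methods protects only those methods, so omitting them covers every verb, including HEAD and anything unexpected. The realm looks the username up by exact string comparison with the DN, so a single mismatched space or an unescaped quote produces the same 403 that Markus saw until the entry is corrected.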