The important files are:
server.xml:
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile="conf/.keystore"
               clientAuth="false" protocol="TLS" />
    </Connector>
...
    <Realm className="org.apache.catalina.realm.MemoryRealm" />

tomcat-users.xml:
  <user username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
        password="null" roles="tomcat,certs"/>

web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

    <display-name>Bug 12218</display-name>
    <description>
      Test web app for bug 12218.
    </description>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>App</web-resource-name>
            <url-pattern>/protected.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>CLIENT-CERT</auth-method> 
    </login-config>

    <security-role>
      <role-name>tomcat</role-name>
    </security-role>

</web-app>


The steps I tend to follow when setting this sort of thing up are:
1. Build a simple two-page web app.
2. Configure one page to require basic authentication.
3. Test basic auth - checks that tomcat-users.xml and the realm are set up correctly.
4. Configure SSL.
5. Test http://localhost:8443/ - checks that SSL is set up.
6. Test the app with SSL - not really necessary, but best to double check.
7. Reconfigure the app to use CLIENT-CERT.
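To check what the configuration above will decide for a given certificate subject and URL before deploying it, here is an added example (not Tomcat's code and not from the post) that models the MemoryRealm lookup together with the web.xml constraint. The XML fragments are constructed from the files quoted above; the second user is an assumption added for contrast.

```python
import xml.etree.ElementTree as ET

# Constructed from the tomcat-users.xml in the post. With CLIENT-CERT the
# username must be the certificate's subject DN, character for character as
# Tomcat renders it. The second user is an assumption added for contrast.
TOMCAT_USERS = """<tomcat-users>
  <user username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
        password="null" roles="tomcat,certs"/>
  <user username="CN=Other User, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
        password="null" roles="certs"/>
</tomcat-users>"""

# Constructed from the web.xml in the post (DOCTYPE and login-config omitted).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/protected.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_users(xml_text):
    """Map each username (here a subject DN) to the set of roles it holds."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): set(filter(None, u.get("roles", "").split(",")))
            for u in root.iter("user")}

def load_constraints(xml_text):
    """Return [(url_patterns, required_roles)] for every security-constraint."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        roles = {r.text.strip() for r in sc.iter("role-name")}
        out.append((patterns, roles))
    return out

def matches(pattern, path):
    """Servlet-spec style matching: exact path, /prefix/* or *.ext."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path.endswith(pattern[1:]) if pattern.startswith("*.") else path == pattern

def authorize(subject_dn, path, users, constraints):
    """A constrained path is allowed only if the DN is a known user holding a
    required role; the lookup is a plain string comparison, so spacing matters."""
    for patterns, roles in constraints:
        if any(matches(p, path) for p in patterns):
            return bool(users.get(subject_dn, set()) & roles)
    return True
```

The third assertion in a typical check is the one that bites in practice: the same DN with the spaces after the commas removed is a different username to the realm, so the request is refused.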

> -----Original Message-----
> From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, March 18, 2004 8:01 AM
> To: Tomcat Users List
> Subject: RE: tomcat certificate
> 
> 
> Could you send us a sample of that "web.xml" file?
> I am also using client certificates over SSL with Tomcat, but as I could
> not find much information about it in Tomcat I configured it with Apache.
> 
> Idoia
> 
> 
> "Mark Thomas" <[EMAIL PROTECTED]>
> 17/03/04 21:22
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Subject: RE: tomcat certificate
> Please reply to "Tomcat Users List"
> 
> This is not correct. Tomcat does support CLIENT-CERT authentication
> 'out-of-the-box'. When combined with appropriate authorisation constraints
> in web.xml you can limit access to specific URLs.
> 
> I have this working quite happily.
> 
> Mark
> 
> > -----Original Message-----
> > From: Rommel Sharma [mailto:[EMAIL PROTECTED]
> > Sent: Monday, February 23, 2004 11:28 AM
> > To: Tomcat Users List
> > Subject: Re: tomcat certificate
> >
> > Tomcat as such on its own does not parse and validate a certificate.
> > I don't think it's possible. You can identify a client through the
> > certificate alias the client uses.
> > Access to specific URLs depends on the server certificate, where you
> > specify the URL and send the client your public key.
> > I think there is no automatic mechanism in Tomcat that studies the
> > certificate and allows access to specific URLs. This needs to be
> > implemented by any of our deployed programs.
> >
> > ----- Original Message -----
> > From: "secam secam" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Monday, February 23, 2004 4:17 PM
> > Subject: Re: tomcat certificate
> >
> > > Thanks,
> > >
> > > Here is my real problem,
> > >
> > > I've got an external server that authenticates the user and delivers a
> > > certificate with the trio User/Group/Role.
> > >
> > > In fact, I just want the certificate to give information about the user
> > > to Tomcat in order to permit access to some specific URLs.
> > >
> > > Is it possible?
> > >
> > > Regards,
> > >
> > > Secam
> > >
> > > Rommel Sharma <[EMAIL PROTECTED]> wrote:
> > > If you mean two-way authentication using SSL, then you have to write
> > > the code that reads the client's certificate and matches it with one
> > > present in the client keystore on the server. You enable client
> > > authentication in server.xml for this and specify the server keystore
> > > and password in it.
> > > Regards,
> > > Rommel Sharma.
> > >
> > > ----- Original Message -----
> > > From: "secam secam"
> > > To:
> > > Sent: Monday, February 23, 2004 3:30 PM
> > > Subject: tomcat certificate
> > >
> > > > hello,
> > > >
> > > > I'm a new user of Tomcat.
> > > > Can Tomcat authenticate a user with a certificate?
> > > >
> > > > Thanks,
> > > > Secam
> > > >
> Idoia Murua Belacortu
> Dpto. de Sistemas de Información y Telecomunicaciones
> Information Systems & Telecommunications Dept.
> ROBOTIKER, Corporación Tecnológica TECNALIA.
> Parque Tecnológico, Edificio 202. E-48170 Zamudio (Bizkaia) (SPAIN).
> Tel:  (34) 94 600 22 66. Fax: (34) 94 600 22 99
> [EMAIL PROTECTED], www.robotiker.com