The important files are:

server.xml:

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="100" debug="0"
           scheme="https" secure="true" useURIValidationHack="false"
           disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           keystoreFile="conf/.keystore" clientAuth="false" protocol="TLS" />
</Connector>
...
<Realm className="org.apache.catalina.realm.MemoryRealm" />
tomcat-users.xml:

<user username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB" password="null" roles="tomcat,certs"/>

web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Bug 12218</display-name>
  <description>
    Test web app for bug 12218.
  </description>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>App</web-resource-name>
      <url-pattern>/protected.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
</web-app>

The steps I tend to follow when setting this sort of thing up are:

1. Build simple two page web app.
2. Configure one page to require basic authentication.
3. Test basic auth - checks tomcat-users.xml and realm set up correctly.
4. Configure SSL.
5. Test http://localhost:8443/ - checks SSL set up.
6. Test app with SSL - not really necessary but best to double check.
7. Reconfigure app to use CLIENT-CERT.

> -----Original Message-----
> From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 18, 2004 8:01 AM
> To: Tomcat Users List
> Subject: RE: tomcat certificate
>
> Could you send us a sample of that "web.xml" file?
> I am also using client certificates over SSL with Tomcat, but as I could
> not find much information about it in Tomcat I configured it with Apache.
>
> Idoia
>
> "Mark Thomas" <[EMAIL PROTECTED]>
> 17/03/04 21:22
> Please reply to "Tomcat Users List"
>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: tomcat certificate
>
> This is not correct.
> Tomcat does support CLIENT-CERT authentication 'out-of-the-box'. When
> combined with appropriate authorisation constraints in web.xml you can
> limit access to specific URLs.
>
> I have this working quite happily.
>
> Mark
>
> > -----Original Message-----
> > From: Rommel Sharma [mailto:[EMAIL PROTECTED]
> > Sent: Monday, February 23, 2004 11:28 AM
> > To: Tomcat Users List
> > Subject: Re: tomcat certificate
> >
> > Tomcat as such on its own does not parse and validate a certificate.
> > I don't think it's possible. You can identify a client through the
> > certificate alias the client uses.
> > Access to specific URLs depends on the server certificate where you
> > specify the URL and send the client your public key.
> > I think there is no automatic mechanism in Tomcat that studies the
> > certificate and allows access to specific URLs. This needs to be
> > implemented by any of our deployed programs.
> >
> > ----- Original Message -----
> > From: "secam secam" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Monday, February 23, 2004 4:17 PM
> > Subject: Re: tomcat certificate
> >
> > > Thanks,
> > >
> > > Here is my real problem,
> > >
> > > I've got an external server that authenticates users and delivers a
> > > certificate with the trio User/Group/Role.
> > >
> > > In fact, I just want the certificate to give information about the
> > > user to Tomcat in order to permit access to some specific URLs.
> > >
> > > Is it possible?
> > >
> > > Regards
> > >
> > > Secam
> > >
> > > Rommel Sharma <[EMAIL PROTECTED]> wrote:
> > > If you mean two way authentication using SSL, then you have to write
> > > the code that reads the client's certificate and matches it with one
> > > present in the client keystore on the server. You enable client
> > > authentication in server.xml for this and specify the server keystore
> > > and password in it.
> > > Regards,
> > > Rommel Sharma.
> > >
> > > ----- Original Message -----
> > > From: "secam secam"
> > > To:
> > > Sent: Monday, February 23, 2004 3:30 PM
> > > Subject: tomcat certificate
> > >
> > > > hello,
> > > >
> > > > I'm a new user of tomcat.
> > > > Can tomcat authenticate a user with a certificate ?
> > > >
> > > > Thanks,
> > > > Secam
>
> Idoia Murua Belacortu
> Information Systems & Telecommunications Dept.
> ROBOTIKER, Corporación Tecnológica TECNALIA.
> Parque Tecnológico, Edificio 202. E-48170 Zamudio (Bizkaia) (SPAIN).
> Tel: (34) 94 600 22 66. Fax: (34) 94 600 22 99
> [EMAIL PROTECTED], www.robotiker.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
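As an added example (not from the thread and not Tomcat's source), the following Python simulates the decision Tomcat makes for Mark's configuration: the client certificate's subject DN is the username looked up in tomcat-users.xml, and the auth-constraint roles in web.xml decide access; the password is never consulted for CLIENT-CERT. The XML fragments are constructed from the files posted above, with one extra user added, and url-pattern matching is exact only.

```python
# Added example (not Tomcat source): simulate the CLIENT-CERT authorisation
# decision for the thread's configuration. Tomcat uses the client certificate's
# subject DN as the username, looks it up in the realm (tomcat-users.xml) and
# checks the <auth-constraint> roles of the matching <security-constraint>.
# The XML below is constructed from the files in the thread, plus one extra user.
import xml.etree.ElementTree as ET

TOMCAT_USERS = """<tomcat-users>
  <user username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
        password="null" roles="tomcat,certs"/>
  <user username="CN=Guest, O=XXX, C=GB" password="null" roles="certs"/>
</tomcat-users>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/protected.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def roles_for_subject(subject_dn, users_xml=TOMCAT_USERS):
    """MemoryRealm-style lookup: username must equal the DN string exactly
    (attribute order, spacing and case); the password is not consulted."""
    for user in ET.fromstring(users_xml).iter("user"):
        if user.get("username") == subject_dn:
            return {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
    return None  # unknown principal: Tomcat rejects the request

def required_roles(path, web_xml=WEB_XML):
    """Roles from every <auth-constraint> whose url-pattern matches the path
    (exact patterns only; the servlet spec's wildcards are not modelled)."""
    required = set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if path in [p.text for p in sc.iter("url-pattern")]:
            required |= {r.text for r in sc.iter("role-name")}
    return required

def access_allowed(subject_dn, path):
    """True if the path is unconstrained or the subject holds a required role."""
    need = required_roles(path)
    if not need:
        return True
    have = roles_for_subject(subject_dn)
    return bool(have) and bool(have & need)
```

The third check below is the usual troubleshooting finding at step 7: a DN that differs only in spacing from the username in tomcat-users.xml is a different principal and is refused.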