Juls,

On 9/3/15 9:41 AM, juls wrote:
> I need to restrict users to access different resources based on
> attributes of their client certificate.
>
> I found this tutorial which describes the basic idea:
> http://krishnasblog.com/2012/12/01/enabling-client-cert-based-authorization-on-tomcat/
>
> Apart from not being able to get it working as described in the
> tutorial my question is whether it is possible to use different
> attributes than just the subject DN. I am thinking of certificate
> serial number and/or authority key identifier/subject key
> identifier.

While the SubjectDN is the default "username" obtained from the
certificate, you can use something else instead. Take a look at the
<Realm> configuration guide and especially at the
"X509UsernameRetrieverClassName" attribute for that configuration.

http://tomcat.apache.org/tomcat-8.0-doc/config/realm.html

You can write a class that uses whatever field (or mixture of fields)
you want to identify the user.

-chris
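
One way to write the retriever class the reply describes, as an added example that is not part of the original message or Tomcat's own code. The package name, class name and the "issuer#serial" username format are assumptions; `org.apache.catalina.realm.X509UsernameRetriever` is the Tomcat interface behind the `X509UsernameRetrieverClassName` attribute.

```java
package com.example.realm; // hypothetical package name

import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.security.auth.x500.X500Principal;
import org.apache.catalina.realm.X509UsernameRetriever;

/**
 * Added example: derives the realm "username" from the issuer DN plus the
 * certificate serial number instead of the default subject DN.
 *
 * Assumed wiring in the Realm element (class name is hypothetical):
 *   X509UsernameRetrieverClassName="com.example.realm.IssuerSerialUsernameRetriever"
 *
 * Assumption: the compiled class is packaged where Tomcat's server class
 * loader can find it (for example a jar in the lib directory), and the
 * realm's user store lists users under exactly the string returned here.
 */
public class IssuerSerialUsernameRetriever implements X509UsernameRetriever {

    @Override
    public String getUsername(X509Certificate cert) {
        // A serial number is only unique within one issuing CA. If more than
        // one CA is trusted for client authentication, a bare serial could
        // match a certificate from a different CA, so bind it to the issuer.
        String issuer = cert.getIssuerX500Principal()
                            .getName(X500Principal.RFC2253);

        // Fixed, case-stable rendering so the value matches the user store
        // entry byte for byte (hex, upper case, no separators).
        String serial = cert.getSerialNumber()
                            .toString(16)
                            .toUpperCase(Locale.ROOT);

        return issuer + "#" + serial;
    }
}
```

Roles for each certificate are then assigned in the realm's user store to the returned string, and the web application's security constraints refer to those roles as usual.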