Some more debugging here and I got some stuff working here.
Only one question:
It is not really clear from the documentation of "clientAuth"
"Set to true if you want the SSL stack to require a valid certificate chain
from the client before accepting a connection. Set to want if you want the SSL
stack to request a client Certificate, but not fail if one isn't presented. A
false value (which is the default) will not require a certificate chain unless
the client requests a resource protected by a security constraint that uses
CLIENT-CERT authentication. See the SSL HowTo for an example. That SSL HowTo
also contains tips on using per-user or per-session certificate-based
clientAuth."
So, if I am using a clientAuth="false" and relying on "CLIENT-CERT"
configuration, does that mean browsers won't prompt users to supply the
certificate when a protected resource is accessed?
Is it because in case of "CLIENT-CERT", the client is always expected to supply
a certificate? If yes, is there any recommended practice to configure browser
for this? Or application needs to take care of supplying one when accessing
such a protected resource?
Appreciate your inputs.
On 4/8/18, 6:44 PM, "Amit Pande" <amit.pa...@veritas.com> wrote:
I am trying to setup Tomcat (8.5.28) and the web-app correctly in order to
get the mutual authentication (using client certificates) done but only for
some recourses and not all.
For instance, I have a “authenticate” API for which I want to enable the
client certificate authentication. So, I want only a “/authenticate” URL to
ask for a client certificate from the browser.
I want to first validate if this client certificate is issued by a trusted
CA. If yes, accept the request and invoke the “/authenticate” business logic
which further validates the certificate/user against our own user database.
Looking at Tomcat documentation “clientAuth=want” in server.xml seemed a
potential option but the issue with that is when this results in asking for
user certificate for all the URLs being invoked from the Browser (unless we
tell Browser to remember the decision). Also, this approach results in
renegotiation for every request.
This is when I came across, “CLIENT-CERT” alternate, which can be
configured only for certain URL (e.g. “/authenticate” in my case). However, I
am not able to get it configured as expected. I issued a client certificate and
imported in browser but still unable to get the browser pop-up which asks for
the certificate to be sent. Debugging SSL level did not yield much.
https://stackoverflow.com/questions/41438536/protecting-webresource-in-tomcat-8-5-with-client-cert
This is the link that closely matches the requirement and I saw Chris’
input there. However,
“Realm className="org.apache.catalina.realm.UserDatabaseRealm"
allRolesMode="authOnly"
resourceName="UserDatabase" />
“
In server.xml
And
<security-constraint>
<web-resource-collection>
<web-resource-name>My Secure Area</web-resource-name>
<url-pattern>/authenticate</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
In my web app’s web.xml.
When I access the URL from browser, I expected to see a dialog asking for
client-certificate and then a successful invocation of the “/authenticate”.
However, from browser, I don’t get a pop-up and I get a HTTP 401 with below
message.
Message Cannot authenticate with the provided credentials
Description The request has not been applied because it lacks valid
authentication credentials for the target resource.
Appreciate your help on this.
Thanks,
Amit
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
