Hello Dave,

> -----Original Message-----
> From: Dave Breeze <dave.bre...@gmail.com>
> Sent: Wednesday, 1 February 2023 12:17
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Tomcat client certificate authentication
>
> Chris
> thanks for your mail
> Apologies for confusion. Yes I am requesting certificates
> - sslCon.setProperty("clientAuth", "required") and a user can only connect by
> supplying a valid certificate.
>
> I removed constraints from the web.xml as I did not want access to a servlet
> restricted to a role - I need the servlet to respond differently based on
> role.
> What I have decided to do in the servlet is to retrieve the user-id from the
> certificate and determine their role by using a security product native to the
> platform on which Tomcat is running.
>
> Thanks for your help.
>
> Dave Breeze
> LinkedIn: https://uk.linkedin.com/in/dabreeze
>

I think you need constraints in your web.xml. Otherwise Tomcat won't ask for
authentication. Something like:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>my-role</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role>
    <role-name>my-role</role-name>
  </security-role>

Otherwise the user is treated as an anonymous user without any identity.

Greetings,
Thomas

> > On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > Dave,
> > >
> > > On 1/30/23 04:21, Dave Breeze wrote:
> > > > Thanks Chris
> > > > the application is requesting certificate authentication - and this
> > > > is working - it is just the mapping of users to roles that is not
> > > > happening
> > >
> > > No, the server is requesting the certificate information; the
> > > application is not. From your original posting:
> > >
> > > On 1/28/23 09:28, Dave Breeze wrote:
> > > > There are no security constraints on the app's web.xml.
> > >
> > > With no security constraints, the application is not requesting
> > > authentication. Tomcat therefore does not provide any "authentication
> > > information" to the application. If the client sends a certificate
> > > (which is happening at the request of the /server/), then Tomcat will
> > > forward that certificate information to the application. But it will
> > > not use it for any kind of authentication or authorization.
> > >
> > > > I implemented an org.apache.catalina.realm.X509UsernameRetriever and
> > > > configured using X509UsernameRetrieverClassName but it was never
> > > > called. In my servlet, however, I can retrieve the certificates.
> > >
> > > That's consistent with your configuration IMO.
> > >
> > > You will have to tell your application to use CLIENT-CERT
> > > authentication if you want Tomcat to parse that cert chain for you,
> > > populate the user principal, etc.
> > >
> > > -chris
> > >
> > > > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
> > > > <ch...@christopherschultz.net> wrote:
> > > >>
> > > >> Dave,
> > > >>
> > > >> On 1/28/23 09:28, Dave Breeze wrote:
> > > >>> this is Tomcat 9.0 running embedded
> > > >>>
> > > >>> I am trying to authorize access by client certificate. I want the
> > > >>> servlet response to be tailored to the user's role. In other words
> > > >>> I am not looking to deny access by role.
> > > >>>
> > > >>> The connector has sslCon.setProperty("clientAuth", "required");
> > > >>> The context has a config file set
> > > >>> serverAppContext.setConfigFile(contextURL);
> > > >>> The config file contains
> > > >>>
> > > >>> <?xml version="1.0" encoding="UTF-8"?>
> > > >>> <Context>
> > > >>>   <Realm className="org.apache.catalina.realm.MemoryRealm"
> > > >>>          debug="9"
> > > >>>          pathname="/var/CartS3Server/cartapp/users.xml"/>
> > > >>> </Context>
> > > >>>
> > > >>> users.xml contains
> > > >>>
> > > >>> <?xml version='1.0' encoding='utf-8'?>
> > > >>> <tomcat-users>
> > > >>>   <role rolename="cart-admin"/>
> > > >>>   <role rolename="cart-user"/>
> > > >>>   <user username="CN=TTSDB1,OU=CART,O=CART" password="" roles="cart-user"/>
> > > >>>   <user username="CN=TTSDB2,OU=CART,O=CART" password="" roles="cart-admin"/>
> > > >>> </tomcat-users>
> > > >>>
> > > >>> Certificates are imported into the browser and the browser prompts
> > > >>> for cert selection.
> > > >>>
> > > >>> There are no security constraints on the app's web.xml.
> > > >>>
> > > >>> In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> > > >>> This always fails. Also a req.getUserPrincipal() call always
> > > >>> returns null. The request does not seem to be authenticated.
> > > >>>
> > > >>> Further in the servlet a
> > > >>> X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate")
> > > >>> correctly returns both the certificate from the browser plus the
> > > >>> Cert Auth. A getSubjectX500Principal().getName() call on the browser
> > > >>> certificate returns the cn/o/ou setting that should match with
> > > >>> users.xml.
> > > >>>
> > > >>> What am I missing here?
> > > >>
> > > >> If the application does not request authentication, Tomcat will not
> > > >> perform it on behalf of the application. If you want a Principal
> > > >> and to be able to check roles, etc. then you'll need to request
> > > >> CLIENT-CERT authentication in web.xml (or the embedded equivalent).
> > > >>
> > > >> -chris
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
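As an added example (not code from anyone in this thread), this is the embedded-Tomcat equivalent of the CLIENT-CERT setup Chris and Thomas describe, reusing the connector property and users.xml path from the thread; Tomcat 9 (javax.servlet) is assumed, and the keystore/truststore paths and passwords are placeholders. The constraint lists both cart roles, so it triggers authentication without denying either mapped user, which is what Dave wanted.

```java
import java.io.IOException;
import javax.servlet.http.*;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.MemoryRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.*;
public class ClientCertEmbedded {
    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        // HTTPS connector that demands a client certificate, as in the thread;
        // keystore/truststore paths and passwords are placeholders. The truststore
        // should contain only the CA that issues the client certificates.
        Connector sslCon = new Connector("HTTP/1.1");
        sslCon.setPort(8443);
        sslCon.setSecure(true);
        sslCon.setScheme("https");
        sslCon.setProperty("SSLEnabled", "true");
        sslCon.setProperty("clientAuth", "required");
        sslCon.setProperty("keystoreFile", "/path/to/server-keystore.p12");
        sslCon.setProperty("keystorePass", "changeit");
        sslCon.setProperty("truststoreFile", "/path/to/client-ca-truststore.p12");
        sslCon.setProperty("truststorePass", "changeit");
        tomcat.setConnector(sslCon);
        Context ctx = tomcat.addContext("", null);
        // MemoryRealm looks users up by subject DN in RFC 2253 form (CN=...,OU=...,O=...).
        MemoryRealm realm = new MemoryRealm();
        realm.setPathname("/var/CartS3Server/cartapp/users.xml");
        ctx.setRealm(realm);
        // Embedded equivalent of <login-config><auth-method>CLIENT-CERT</auth-method>.
        ctx.setLoginConfig(new LoginConfig("CLIENT-CERT", null, null, null));
        // Constraint over /* admitting both roles: forces authentication, denies nobody mapped.
        SecurityCollection all = new SecurityCollection();
        all.addPattern("/*");
        SecurityConstraint sc = new SecurityConstraint();
        sc.addCollection(all);
        sc.addAuthRole("cart-user");
        sc.addAuthRole("cart-admin");
        sc.setUserConstraint("CONFIDENTIAL");
        ctx.addConstraint(sc);
        // With authentication requested, getUserPrincipal() and isUserInRole() now work.
        Tomcat.addServlet(ctx, "cart", new HttpServlet() {
            @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
                resp.getWriter().println(req.getUserPrincipal().getName()
                        + (req.isUserInRole("cart-admin") ? " -> admin view" : " -> user view"));
            }
        });
        ctx.addServletMappingDecoded("/*", "cart");
        tomcat.start();
        tomcat.getServer().await();
    }
}
```

Without the truststore entries Tomcat falls back to the JVM default cacerts, which would accept client certificates from any public CA rather than only the ones listed in users.xml's issuer.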