Ok,

You know that you have to use SSL/TLS or some challenge-response protocol to ensure that the owner of the certificate also owns the corresponding private key? So the best way might be to use SSL with client auth and an all-trusting TrustManager which accepts every certificate but checks for knowledge of the private key. This also forces the client to send a certificate.

andreas

Luis Pascual Forner wrote:
No, because I want the certificate to be required
ONLY when I access some pages.
In fact, this is how it works now, but sometimes
the method getAttribute("javax.servlet.request.X509Certificate")
returns null.

Finally, I store the certificate in the session and get it
from there when I need it.

thanks,

  Luis

ahuelsing wrote:
Hi,

you have to set clientAuth="true"

andreas

Luis Pascual Forner wrote:
Thanks, Bill,
I use the JIO connector.
Here is my server.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8006" shutdown="SHUTDOWN">

  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener" />

  <GlobalNamingResources>

    <Environment name="simpleValue" type="java.lang.Integer" value="30" />

    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

  </GlobalNamingResources>

  <Service name="Catalina">

    <!-- plain HTTP connector -->
    <Connector port="8081" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

    <!-- HTTPS connector; note clientAuth="false" -->
    <Connector acceptCount="100" clientAuth="false" disableUploadTimeout="true"
               keystoreFile="/XXXXXXXXX/xxxxx.p12" keystorePass="XXXXXX" keystoreType="PKCS12"
               port="8443" scheme="https" secure="true" sslProtocol="TLS"
               truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts" truststorePass="XXXXXXX"
               truststoreType="JKS" />

    <!-- AJP connector -->
    <Connector port="8010"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="com.ival.tomcat.X509Realm" debug="0" />

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">

        <Context docBase="cavi" path="/cavi" reloadable="true" />
        <Context docBase="x509" path="/x509" reloadable="true" allowLinking="true" />

      </Host>

    </Engine>

  </Service>

</Server>



Bill Barker wrote:
"Luis Pascual Forner" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Hi,

  I need to authenticate ONLY with a client certificate (i.e., I don't want
to check any user database). I did it as follows:

  1. I wrote an "X509Realm", with a method "authenticate" that
     only checks the validity of each certificate in the
     certificate chain (it doesn't check whether the user exists in
     any database).
  2. Declared this new class in
     "org/apache/catalina/realm/mbeans-descriptors.xml" and
     "org/apache/catalina/mbeans/mbeans-descriptors.xml".
  3. Edited "server.xml" and configured the realm.
  4. Edited "web.xml" to set the auth-method to "CLIENT-CERT".
  5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
     "server/classes", with the correct path.
  6. Restarted Tomcat.

  Now, I can authenticate with an X509 certificate, and get the
client certificate with
getAttribute("javax.servlet.request.X509Certificate"). But,
sometimes, this method returns null. Why?


That almost certainly means that the client didn't send a cert. But more info on your setup would get a better response. For example, are you using the APR or the JIO connector?

regards

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
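The advice in the thread boils down to two things: the 8443 connector in the posted server.xml has clientAuth="false", so the JSSE engine never asks the browser for a certificate during the handshake and the request attribute is null unless something later forces a renegotiation; and whatever reads the attribute must cope with null instead of assuming a chain is present. The filter below is an added example written for this page, not code from the thread, from the poster's X509Realm, or from Tomcat itself. It assumes the connector is changed to clientAuth="true" (certificate required on every handshake, as suggested above) or clientAuth="want" (requested, but a connection without one still succeeds, so the null check is essential), that the webapp uses the javax.servlet API, and that the class name ClientCertFilter and the "clientDN" request attribute are hypothetical names chosen here. The attribute name javax.servlet.request.X509Certificate is the one the thread uses.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example code, not from the thread) for the pages
 * that must only be reachable with a client certificate.
 *
 * It relies on the HTTPS connector actually requesting the certificate,
 * i.e. on the 8443 connector carrying clientAuth="true" (required) or
 * clientAuth="want" (requested, handshake may still succeed without one).
 * With clientAuth="false", as in the posted server.xml, the attribute is
 * null on every request and this filter will refuse everything.
 */
public class ClientCertFilter implements Filter {

    /** Request attribute Tomcat fills with the client's certificate chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String reason = checkChain(certs);
        if (reason != null) {
            // Neither a NullPointerException nor a silent fall-through:
            // refuse the request and say why (useful when diagnosing "null").
            response.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
            return;
        }
        // certs[0] is the end-entity (client) certificate. Hand the subject DN
        // to the page as a request attribute rather than caching the chain in
        // the HTTP session, so it always reflects the current TLS connection.
        request.setAttribute("clientDN", certs[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    /**
     * Returns null if the chain is acceptable, otherwise a short reason.
     * Mirrors what the poster's realm does (validity dates of every
     * certificate) and additionally checks that each certificate is signed
     * by the next one in the array. Trust in the last element still comes
     * from the connector's truststoreFile, which JSSE consulted during the
     * handshake; this method does not replace that.
     */
    static String checkChain(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return "no client certificate: connector did not request one, or the client sent none";
        }
        try {
            for (int i = 0; i < certs.length; i++) {
                certs[i].checkValidity();                       // expired / not yet valid
                if (i + 1 < certs.length) {
                    certs[i].verify(certs[i + 1].getPublicKey()); // signed by its issuer
                }
            }
        } catch (GeneralSecurityException e) {
            return "client certificate chain rejected: " + e.getMessage();
        }
        return null;
    }
}
```

Map the filter in web.xml with a filter-mapping whose url-pattern covers only the pages that need the certificate; that gives the "only on some pages" behaviour at the application level while the connector keeps demanding the certificate on every handshake. One caveat on the TrustManager idea above: a TrustManager that accepts every certificate makes the connector's truststoreFile irrelevant, so proof of private-key possession (which TLS client auth already provides via the CertificateVerify message) would then be the only thing the handshake establishes, and the chain check would have to anchor to a known CA in application code instead.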