|
The first prerequisite is tomcat running over SSL channel. Or you will get
Another prerequisite is to set the SSL port of Tomcat as mutual authentication. That way the UA will present your certificate to the server. You will get this if no client certificate is provided.
The third prerequisite is the client must trust the server‘s certificate and vice verse. Firefox will raise this alter window if your certificate is not trusted by the server.
The web.xml of web app is, <servlet-mapping> <servlet-name>ProtectedServlet</servlet-name> <url-pattern>/ProtectedByClientCert</url-pattern> </servlet-mapping>
<security-role> <role-name>members</role-name> </security-role>
<security-constraint> <web-resource-collection> <web-resource-name>Resource protected by client cert</web-resource-name> <url-pattern>/ProtectedByClientCert</url-pattern> </web-resource-collection> <auth-constraint> <role-name>members</role-name> </auth-constraint> </security-constraint>
<login-config> <auth-method>CLIENT-CERT</auth-method> <realm-name>Client Cert Users-only Area</realm-name> </login-config>
Please pay attention to the <auth-constraint>. It constraints the allowed users to the role of members. So you also need to add user names into tomcat-users.xml. But what‘s the user name? In other authentication methods, users are given the chance to input their name when accessing the protected resources. In CLLENT-CERT method, there is no chance to let uses do that. Certificate is the only credential user presents. So you should use information contained in certificate as user name. Solely using value of CN field won‘t work. Imagine a situation that there are two Johns belong to different organization unit. How tomcat distinguishes these two guys by the CN ? So the correct value you set in tomcat-users.xml is the DN of the user. Below is an example file. <?xml version=‘1.0‘ encoding=‘utf-8‘?> <tomcat-users> <role rolename="tomcat"/> <role rolename="members"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="role1" password="tomcat" roles="role1"/> <user username="both" password="tomcat" roles="tomcat,role1,members"/> <user username="CN=clientbrowser, OU=scn1266, O=scn1266, L=sh, ST=sh, C=cn" password="" roles="members"/> </tomcat-users> Remember, only put "clientbrowser" in the username field won‘t work!!
The connector configuration for this example is, <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="/root/tomcat.keystore.jks" keystorePass="changeit" debug="9" />
One question: If the client owns more than one certificates how the UA sends the server the proper certificate ? A quick guessing is the UA may send all certificates that the client owns to the server to let the server choose one among them.
|
|
|
