request client certificate authentication only to some particular resource

StackOverflow https://stackoverflow.com/questions/21734661

Domanda

I am deploying a webapp on Tomcat, which should eventually become a platform offering several services. Sometimes I need to be able to authenticate the user with client certificates, but only when she visits some servlet/url , in order to validate the certificate and read some attributes.

I came to the conclusion that with Tomcat and jsp/servlets alone, it is not possible to make only a part of the web app to request client certificate authentication. It is either the whole tomcat server that requests user certificates everytime everywhere (clientAuth true or want), or web.xml authorization settings that are not useful for this scenario.

Is there a framework, application server, or some particular proven architecture I can use to achieve this requeriment? I thought of maybe having a separate server instance dedicated to mutual ssl authentication, redirecting the user and forwarding session parameters, but this option seems rather complex to manage. I bet there are similar solutions, just wondering if there is some reference implementation, guidelines, whatever... Thanks.

È stato utile?

Soluzione 2

You can't do this with Tomcat alone. Client authentication is per webapp at best, or you can set it for the whole container in the server.xml Connector element, whatever use that is.

If you need this per resource you can get it by using Apache HTTPD in front and having it terminate SSL. (It will still pass the client certificate in a header to Tomcat so that Tomcat can obey the Servlet specification about making it available to webapps.) You can then configure practically everything about SSL right down to the level of individual files. This also gives you all kinds of other goodies like load balancing.

Altri suggerimenti

I've done this in the past directly with Tomcat, using client-certificate re-negotiation. The configuration may have changed slightly with newer version of Tomcat, but here is the idea:

  • Configure your connector for client authentication: set its trust store parameters, but use clientAuth="false". This is documented in the Tomcat documentation:

    Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

  • In your web.xml file, use something like this:

    <web-app>
    <display-name>My Webapp</display-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>App</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>cert</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <security-role>
        <role-name>cert</role-name>
    </security-role>
</web-app>

    Of course, adapt web-resource-collection with the URL pattern you need.

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top