Webapp with CLIENT-CERT authentication method

The first prerequisite is that Tomcat is running over an SSL channel. Or you will get

 

 

Another prerequisite is to configure the SSL port of Tomcat for mutual authentication. That way the UA will present your certificate to the server.

You will get this if no client certificate is provided.

 

The third prerequisite is that the client must trust the server's certificate and vice versa. Firefox will raise this alert window if your certificate is not trusted by the server.

 

 

 


The web.xml of the web app is:

<servlet-mapping>
    <servlet-name>ProtectedServlet</servlet-name>
    <url-pattern>/ProtectedByClientCert</url-pattern>
</servlet-mapping>

<security-role>
    <role-name>members</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Resource protected by client cert</web-resource-name>
        <url-pattern>/ProtectedByClientCert</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>members</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>

 

 

Please pay attention to the <auth-constraint>. It restricts the allowed users to the role members, so you also need to add user names to tomcat-users.xml. But what is the user name? In other authentication methods, users are given the chance to input their name when accessing the protected resources. In the CLIENT-CERT method there is no chance to let users do that. The certificate is the only credential the user presents, so you should use information contained in the certificate as the user name. Using only the value of the CN field won't work. Imagine a situation where two Johns belong to different organizational units. How would Tomcat distinguish these two by the CN? So the correct value to set in tomcat-users.xml is the DN of the user. Below is an example file.

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
    <role rolename="tomcat"/>
    <role rolename="members"/>
    <role rolename="role1"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="role1" password="tomcat" roles="role1"/>
    <user username="both" password="tomcat" roles="tomcat,role1,members"/>
    <user username="CN=clientbrowser, OU=scn1266, O=scn1266, L=sh, ST=sh, C=cn" password="" roles="members"/>
</tomcat-users>

Remember, putting only "clientbrowser" in the username field won't work!
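As an added illustration (not code from the original page), here is one way the ProtectedServlet named in web.xml could report the identity Tomcat derived from the client certificate, including the exact user line for tomcat-users.xml. The class body, the javax.servlet namespace (Tomcat 10 and later use jakarta.servlet) and the idea that the realm compares the string returned by getSubjectDN().getName() are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical body for the ProtectedServlet named in web.xml (added example).
public class ProtectedServlet extends HttpServlet {
    // Request attribute the Servlet specification defines for the TLS client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // Plain HTTP, or a connector without clientAuth="true".
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No client certificate");
            return;
        }
        // chain[0] is the client's own certificate; the rest are its issuers.
        // Assumption: the realm compares this string form with the username.
        String subjectDn = chain[0].getSubjectDN().getName();
        String user = req.getRemoteUser(); // null when the URL is not protected

        PrintWriter out = resp.getWriter();
        out.println("Subject DN  : " + subjectDn);
        out.println("Issuer DN   : " + chain[0].getIssuerDN().getName());
        out.println("Auth type   : " + req.getAuthType()); // CLIENT_CERT after login
        out.println("Remote user : " + user);
        out.println("In members  : " + req.isUserInRole("members"));
        if (user != null && !user.equals(subjectDn)) {
            out.println("Note: the realm used a different name than the subject DN.");
        }
        // The exact line tomcat-users.xml needs for this certificate.
        out.println("<user username=\"" + xmlAttr(subjectDn)
                + "\" password=\"\" roles=\"members\"/>");
    }

    // Escape characters that would break an XML attribute value.
    private static String xmlAttr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
    }
}
```

Mapped at /ProtectedByClientCert, the servlet is reached only after the realm has accepted the DN. Mapped at an unprotected URL on the same 8443 connector (a hypothetical extra mapping), it shows the DN to copy before the user entry exists.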

 


The connector configuration for this example is:

<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="/root/tomcat.keystore.jks" keystorePass="changeit"
    debug="9"
/>

 


 

One question:

If the client owns more than one certificate, how does the UA send the server the proper certificate?

A quick guess is that the UA may send all certificates that the client owns to the server to let the server choose one among them.

 

 

 