发表新帖
发表新帖

Using CLIENT-CERT for Tomcat without specifying a username

前端 未结
关注
2 639
面向向阳花
面向向阳花 2021-01-02 02:58

I am trying to make a Tomcat web application use client certificate authentication for incoming connections. Everything works fine when using clientAuth=true in server.xml,

2条回答
  • 离开以前
    离开以前 (楼主)
    2021-01-02 03:34

    I was just reseaching solution to above problem and finally found a solution:

    1. Configure tomcat with connector clientAuth="false" attribute(Otherwise all secure connections to server will do mutual, client server, ssl authentification.

    2. Add the following in web.xml(I have just shown here example) 

      
    
        /LoginTestServlet1
        GET
        POST
    
    
        manager
    
    
        
        CONFIDENTIAL
    

 
    
        /LoginTestServlet2
        GET
        POST
    
    
        manager
    
   

 
    CLIENT-CERT
    certificate

      manager

    3. In tomcat users-users.xml add the following(pls note that if trust store has almost identical certificates then you should clearly identify your certificate as follows)

      < user username="EMAILADDRESS=hamzas100@yahoo.com, CN=KS, OU=OFF, O=OFS, L=Bukhara,
      ST=Bukhara, C=UZ" password="" roles="manager"/>

    4. put in a browser(or curl) address line:

      https://yourdomain.com:8443/LoginTest/LoginTestServlet1 or
      https://yourdomain.com:8443/LoginTest/LoginTestServlet2

    5. For this to work you have to add certificate to browser personal certificate list(if you are testing with browser). I have tried with Mozilla Firefox and it will easyly let you do this.(But it only accepts b12 certificate so it is suggested that you should use openssl with java keytool). If everything configured right then you will get prompt from mozilla to choose certificate from existing ones. If you are using curl(it is used for automatic web interfaces testing then use the following commant line to test(I have just given an example here.) Plese note that you should choose certificate which you imported into trust store.

      curl -s -k --cert selfsigned.pem --key key.pem -v --anyauth https://yourdomain.com:8443/LoginTest/LoginTestServlet1 --cacert selfsigned.pem or curl -s -k --cert selfsigned.pem --key key.pem -v --anyauth http://yourdomain.com:8080/LoginTest/LoginTestServlet2 --cacert selfsigned.pem

    Note: My connector looks like as follows:

    0 讨论(0)
 看不清?
提交回复
热议问题