...

Note: Tested with Tomcat 5.5.17, 5.5.20 and 5.5.25

See also:

SSL Client Authentication (sometimes also known as "Client Certificate" authentication) uses the SSL protocol to authenticate clients based on an X.509 certificate. Normally this is accomplished by configuring SSL in Tomcat, and then configuring the Web Application's security descriptor to use "CLIENT-CERT" as the auth-method in the login-config section.

...

In trying to implement this, we found the only "standard conformant" solution was to install the web application multiple times with different authentication configurations. This solution was very unsatisfactory for us, as it leads to a duplication of services, and the services are accessible under different URLs/Ports depending on the desired security level. That just wasn't what we wanted.

...

  • Tomcat Installation
  • Your Webapplication
  • The Java Class SSLWithFormFallbackAuthenticator (download from here)
  • Server Certificate & Private Key
  • Client Certificate & Private Key
  • Certification Authority Public Certificates
  • Working authentication realm

...

Now change your auth-method from "FORM" to "CLIENT-CERT" and restart/redeploy your web-app. If you access your protected page you should now be prompted for a certificate by your browser. Select the installed certificate. If everything was configured correctly you should be authenticated based on your certificate, and taken to the protected page.
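As an added illustration, not taken from the original page or from the SSLWithFormFallbackAuthenticator project, here are the two configuration pieces the steps above refer to: a Tomcat 5.5 HTTPS connector in server.xml that requests but does not require a client certificate (clientAuth="want"), and the web.xml login-config before and after the switch from FORM to CLIENT-CERT. Keystore paths, passwords, page names and the role name are placeholders. It is assumed here that the form-login-config element is left in place so that the fallback authenticator can still send users without a certificate to the form.

```xml
<!-- server.xml: HTTPS connector (added example; paths and passwords are placeholders).
     clientAuth="want" asks the browser for a certificate but completes the
     handshake without one, which is what makes a fallback possible.
     clientAuth="true" would reject every client that has no certificate
     before the web application ever sees the request. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/ca-trust.jks" truststorePass="changeit"
           clientAuth="want" />

<!-- web.xml, before: form-based login only -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ExampleRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- web.xml, after: certificate authentication, with the form pages kept
     (assumed to be read by the fallback authenticator) -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>ExampleRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- The protected area should also require a confidential transport, so that
     the protected URLs are only reachable over the HTTPS connector above
     (a client certificate can only be presented on that connector). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The truststore should contain only the CA certificates that are allowed to issue client certificates; the realm still decides which roles a certificate's subject (or a form user) is granted, so an accepted certificate alone does not give access to a role-protected page.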

...

This is best tested with two different browsers (eg Firefox and IE):

  1. Install the client certificate in one of the Browsers (if it isn't already)

...

  2. Fire up this browser and visit your protected page

...

  3. You should be prompted for the certificate as before, select it as before

...

  4. You should be logged into the site, as before

...

  5. Now fire up the other browser, the one without the certificate

...

  6. Attempt to access your protected page

...

  7. Depending on your Browser you may be prompted about the certificate - click "cancel" if this is the case

...

  8. You should be taken to the login form of your application

...

  9. Log in using the form. You should be granted access, as before

How does it work?

The code is tested with Tomcat 5.5.17, 5.5.20 and 5.5.25. It will probably work with only minor modifications for other Tomcat 5.5 versions. It has been tested using Java 1.5.

...

Should you have questions about the code, please feel free to contact me (the Author) at: runger -AT- aon.at

...
