Configure use of url-based HTTPS certificate in Tomcat

I am developing a webapp that uses client certificates for authentication against Tomcat during web service calls from Jersey. So far this works, but I need a web interface in the same context that will allow me to manage this application. Since the SSL configuration applies to every context, the only way to use HTTPS for the external interface is to install the client certificate in the accessing browser, which is also indicated in the Tomcat proxy (either that, or not using HTTPS at all).

To illustrate what I really want:

1. https://url-to-webapp/ws <- Should use client certificate
2. https://url-to-webapp/web <- Should just use a server certificate

Could this be achieved somehow in the Tomcat configuration or even in the application code?

Update

I tried the setup suggested by EJP, but now I can’t connect to Tomcat regardless of my use of certificates - it seems that it does not work during the search or something like that. However, if I create an HTTP connector on 8080, it redirects me to 8443. This is the configuration I use. Any ideas?

tomcat-users.xml

<tomcat-users>
<role rolename="webservice"/>
<user username="CN=ClientCert,OU=Corp,O=Corp,L=London,S=London,C=UK" password="" roles="webservice"/>
</tomcat-users>

server.xml

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="c:\tomcat\keys\server.jks" keystorePass="password"
truststoreFile="c:\tomcat\keys\client.jks" truststorePass="password"/>

web.xml

[...]
    <security-constraint>
        <display-name>ClientCertificateRequired</display-name>
        <web-resource-collection>
            <web-resource-name>MyWebService</web-resource-name>
            <description/>
            <url-pattern>/webservice/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>webservice</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>tomcat-users</realm-name>
    </login-config>
    <security-role>
        <description/>
        <role-name>webservice</role-name>
    </security-role>
    [...]
    <servlet>
        <display-name>Webservice</display-name>
        <servlet-name>Webservice</servlet-name>
        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
        [...]
        <run-as>
            <role-name>webservice</role-name>
        </run-as>
    </servlet>
    [...]
+5

2 answers

You can configure Tomcat to request the client certificate through a TLS renegotiation between client and server (as opposed to the initial handshake), so that whether a client certificate is requested depends on the URL being requested.

Set clientAuth="false" on the connector and use <auth-method>CLIENT-CERT</auth-method> in web.xml for the URLs that need the client certificate.

[The remainder of this answer did not survive extraction; what is left refers to TLS renegotiation, 2009, RFC 5746, Java (TLS), and JRE 1.6.0_22.]

+4
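The following configuration shows the URL-dependent client-certificate setup the answer above describes. It is an added example, not the question's own files or the answer's code: paths and passwords are placeholders, the URL patterns follow the /ws and /web split from the question, and the attribute names are the pre-SSLHostConfig style the question already uses. With clientAuth="false" the initial handshake presents only the server certificate; Tomcat renegotiates to ask for a client certificate only when a request hits a URL protected by an auth-constraint under the CLIENT-CERT login method.

```xml
<!-- server.xml: a single HTTPS connector serving both /ws and /web.
     clientAuth="false": no client certificate during the initial handshake.
     The truststore still lists the CA (or leaf) certificates accepted when
     a renegotiation does request one. Paths/passwords are placeholders. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/server.jks" keystorePass="CHANGE_ME"
           truststoreFile="/path/to/client.jks" truststorePass="CHANGE_ME"/>

<!-- web.xml (fragment): only /ws/* carries an auth-constraint, so only
     requests there trigger the client-certificate renegotiation. -->
<security-constraint>
    <display-name>ClientCertificateRequired</display-name>
    <web-resource-collection>
        <web-resource-name>MyWebService</web-resource-name>
        <url-pattern>/ws/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>webservice</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- CONFIDENTIAL: redirect plain HTTP on 8080 to the 8443 connector -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <display-name>ManagementUI</display-name>
    <web-resource-collection>
        <web-resource-name>Web</web-resource-name>
        <url-pattern>/web/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint: served over server-certificate TLS only, the
         browser is never asked for a client certificate on this path. -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>tomcat-users</realm-name>
</login-config>

<security-role>
    <role-name>webservice</role-name>
</security-role>
```

Two caveats for anyone reusing this: a web.xml allows exactly one login-config, so with CLIENT-CERT chosen the /web/* path gets no container-managed login of its own here and would need a separate context (or application-level authentication) if it is meant to be restricted; and because the mechanism depends on TLS renegotiation, it requires a JSSE that implements RFC 5746 secure renegotiation, which the answer above ties to a JRE update.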

[This answer did not survive extraction; what is left refers to URL, SSL, and web.xml.]

+2
