Enabling CLIENT-CERT based authorization on Tomcat

In continuation with my earlier blog, Enabling SSL on Tomcat, in this blog I will go to the next step and enable CLIENT-CERT based authorization on Tomcat. Again, if you want to try out the code, go to my GitHub and download it.

For this sample, I assume that you have tried my earlier SSL example on Tomcat and have the setup in place. As per the SSL example, I assume:

  • You have set up Tomcat 6.0
  • You have set the SSL Connector configuration in Tomcat server.xml. For CLIENT-CERT the connector must also have a truststoreFile that holds the CA which issued the client certificates, and clientAuth="true" (every connection must present a certificate) or clientAuth="want" (a certificate is requested but not required at the handshake). A certificate the truststore does not trust is rejected during the TLS handshake and never reaches the realm.
  • You have started the Tomcat server and run the SecureHttpClient0Test test

In this blog, I will show you how to:

Set up MemoryRealm

In server.xml, comment out the existing Realm element (the default UserDatabaseRealm) and replace it with the line below. MemoryRealm reads conf/tomcat-users.xml (the default of its pathname attribute) once at startup, so after editing the users file you must restart Tomcat.

<Realm className="org.apache.catalina.realm.MemoryRealm" />

Set up user and role

In <tomcat home>/conf/tomcat-users.xml add a role and a user whose username is the subject DN of the client certificate. The password is never checked with CLIENT-CERT (the realm authenticates by looking the DN up), so "null" here is only a placeholder. The DN must match character for character, including the ", " separators and the attribute order, because in Tomcat 6 the realm looks the user up by certs[0].getSubjectDN().getName() of the certificate it received. Note that any certificate carrying this subject and issued by any CA in the connector's truststore gets the role, so keep that truststore limited to the CA you control.

<role rolename="secureconn"/>
<user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null"  roles="secureconn"/>

Set up security-constraint

Add the access control below to the individual application's web.xml. One caveat: when a web-resource-collection lists http-method elements, only those methods are constrained, so as written only GET on /secure/* requires the secureconn role and POST, PUT, DELETE, HEAD and the rest go through unauthenticated. Omit the http-method element unless you really want only GET protected.

<security-constraint>
<web-resource-collection>
<web-resource-name>Demo App</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<!-- Constrains GET only; remove this element to constrain every HTTP method on /secure/* -->
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>secureconn</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Demo App</realm-name>
</login-config>
<security-role>
<role-name>secureconn</role-name>
</security-role>

Run JUnit test

Open src/test/java/com/goSmarter/test/SecureHttpClient1Test.java and change the constant below to point to your <tomcat home>/conf folder:

public static final String path = "D:/apache-tomcat-6.0.36/conf/";

Start Tomcat and run the JUnit test with mvn test -Dtest=com.goSmarter.test.SecureHttpClient1Test

If you want to debug the Realm, raise the log level for the realm and authenticator packages in <tomcat-home>/conf/logging.properties as below (ALL is very verbose; turn it back down once you are done):

org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

If you look at the test class, there are 2 positive tests and 1 negative test. The negative test sends a wrong certificate and expects a 403 Forbidden status, which is what the security-constraint returns when the realm knows the DN but it does not carry the secureconn role. Two related outcomes are worth knowing: a DN that has no <user> entry at all makes Tomcat's SSLAuthenticator answer 401 instead, and a certificate the connector's truststore does not trust never produces an HTTP status, because the TLS handshake itself fails. I hope this blog helped you.
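To tie the steps above together, here is an added example (my own, not the blog's SecureHttpClient1Test nor anything from its repository) that prints the exact username string Tomcat 6 will look up for a client certificate, which is what belongs in the username attribute in tomcat-users.xml, and then GETs a protected URL with that certificate using the JDK's HttpsURLConnection. The keystore and truststore file names, the alias, the passwords and the URL are assumptions supplied on the command line; the key password is assumed to equal the keystore password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not the blog's test code. Assumed command line (all names are assumptions):
 *   java ClientCertCheck client1.jks changeit client1 truststore.jks changeit \
 *        https://localhost:8443/demo/secure/
 * client1.jks holds the client certificate and key; truststore.jks holds the Tomcat
 * server certificate (or its CA) so the server side of the handshake can be verified.
 */
public class ClientCertCheck {

    /** Load a JKS keystore from disk (no try-with-resources, so it compiles on Java 6 too). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * The user name Tomcat 6 hands to the Realm. RealmBase.authenticate(X509Certificate[])
     * calls checkValidity() on each certificate in the chain (an expired one makes the realm
     * return null, i.e. 401) and then looks up certs[0].getSubjectDN().getName().
     * Paste the returned string verbatim into the username attribute of <user>.
     */
    static String realmUserName(X509Certificate cert) throws CertificateException {
        cert.checkValidity();
        // Deliberately not getSubjectX500Principal().getName(): that is RFC 2253 form
        // ("CN=client1,OU=...") without the ", " separators and will not match MemoryRealm.
        return cert.getSubjectDN().getName();
    }

    /** GET url over TLS presenting the client certificate; returns the HTTP status code. */
    static int fetch(KeyStore clientKs, char[] keyPassword, KeyStore trustKs, String url) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs); // trust only what is in our truststore; no accept-everything TrustManager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Default hostname verification stays on: the server certificate's name must match the
        // host in the URL. If it does not, fix the server certificate rather than the verifier.
        conn.setRequestMethod("GET");
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: ClientCertCheck <client.jks> <storepass> <alias> <truststore.jks> <trustpass> <url>");
            System.exit(2);
        }
        char[] clientPw = args[1].toCharArray();
        KeyStore clientKs = load(args[0], clientPw);
        KeyStore trustKs = load(args[3], args[4].toCharArray());
        X509Certificate cert = (X509Certificate) clientKs.getCertificate(args[2]);

        System.out.println("username for tomcat-users.xml: " + realmUserName(cert));
        try {
            int status = fetch(clientKs, clientPw, trustKs, args[5]);
            // 200: the DN is mapped to secureconn.
            // 403: the realm knows the DN but it lacks the secureconn role.
            // 401: the DN has no <user> entry in tomcat-users.xml at all.
            System.out.println("HTTP status: " + status);
        } catch (SSLHandshakeException e) {
            // The connector's truststore does not trust this certificate: it is rejected in the
            // TLS handshake, before any Realm lookup, so there is no HTTP status to report.
            System.out.println("TLS handshake rejected the client certificate: " + e.getMessage());
        }
    }
}
```

Run it once with the mapped certificate (expect 200), once with a certificate the truststore trusts but whose DN is not in the role (expect 403 or 401, depending on whether the DN has a user entry), and once with a certificate from an untrusted CA (expect the handshake exception). Those three runs correspond to the positive and negative cases the JUnit test covers, and the printed DN is the quickest way to resolve a mismatch between what openssl shows (slash-separated, reversed order) and what the realm actually compares.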


2 thoughts on “Enabling CLIENT-CERT based authorization on Tomcat”

  1. Pingback: Enabling CLIENT-CERT based authorization on Tomcat – Part 2 | GoSmarter Tech Blog

  2. Pingback: Spring Security Certificate Authentication Authorization Example | GoSmarter Tech Blog
