Enabling CLIENT-CERT based authorization on Tomcat – Part 2

In continuation of my earlier blogs Enabling CLIENT-CERT based authorization on Tomcat and Enabling SSL in Tomcat, in this blog I will demonstrate, how you can configure multiple application to control access to their web resources using CLIENT-CERT mechanism. Please read both the above blogs, before reading further.

There are 2 tomcat web applications in the code base in GitHub called “client1″ and “client2″, if you go to web.xml of client1 it looks as below,

<security-constraint>
<web-resource-collection>
<web-resource-name>Demo App</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>secureconn</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Demo App</realm-name>
</login-config>

<security-role>
<role-name>secureconn</role-name>
</security-role>

If you notice, there is a web resource called “/secure” it will be only accessed by a user with role “secureconn”. And in “client2″ web.xml you have,

<security-constraint>
<web-resource-collection>
<web-resource-name>Demo App</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>secureconn1</role-name>
</auth-constraint>
</security-constraint>

Again, if you notice in client2, there is a web resource called “/secure” it will be only accessed by a user with role “secureconn1″.

In a typical enterprise, you will use a LDAPRealm and users with secureconn role can access client1 web resource and users with secureconn1 role can access client2 web resource. But in this demo we will use MemoryRealm and configure tomcat-users.xml with these users and roles as below,

<role rolename="secureconn"/>
<user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null"  roles="secureconn"/>
<role rolename="secureconn1"/>
<user username="CN=client2, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null"  roles="secureconn1"/>

I hope this blog helped you.

About these ads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s