Enabling CLIENT-CERT based authorization on Tomcat: Part 1
In continuation of my earlier blog on Enabling SSL on Tomcat, in this blog I will go to the next step and enable CLIENT-CERT based authorization on Tomcat. Again, if you want to try out the code, go to my GitHub and download it.
For this sample I assume that you have tried my earlier SSL example on Tomcat and have that setup in place. As in the SSL example, I assume that:
- You have set up Tomcat 6.0
- You have configured the SSL Connector in Tomcat's server.xml. For CLIENT-CERT to work the connector must request a client certificate during the handshake (clientAuth set to "true" or "want") and its truststore must contain the issuer of the client certificate; otherwise Tomcat never receives a certificate to authenticate.
- You have started Tomcat and run the SecureHttpClient0Test test successfully
In this blog I will show you how to set up a MemoryRealm, map the client certificate's subject DN to a role, protect a URL with a security-constraint, and run the JUnit test. With CLIENT-CERT the container authenticates the caller from the TLS client certificate presented during the handshake: the certificate's subject DN is the username that the realm looks up, and no password is involved.
Set up the MemoryRealm
In server.xml, comment out the existing Realm element and replace it with the one below. MemoryRealm reads its users and roles from <tomcat home>/conf/tomcat-users.xml when Tomcat starts, so changes to that file take effect only after a restart.
<Realm className="org.apache.catalina.realm.MemoryRealm" />
Set up the user and role
In <tomcat home>/conf/tomcat-users.xml, add a role and a user whose username is the subject DN of the client certificate, written exactly as Tomcat renders it (same attribute order and the ", " separators; any difference means the lookup fails). The password attribute is not used for CLIENT-CERT authentication, so it can hold a placeholder:
<role rolename="secureconn"/>
<user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null" roles="secureconn"/>
Set up the security-constraint
Add access control to the individual application's web.xml as below. Note that because an http-method element is present, only GET requests to /secure/* are constrained; other methods such as POST or HEAD on the same URLs stay unprotected. Omit http-method if every method should require the role.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Demo App</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>secureconn</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Demo App</realm-name>
</login-config>
<security-role>
    <role-name>secureconn</role-name>
</security-role>
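To see how the user mapping and the security-constraint combine at request time, here is an added Python model of the container's authorization decision. It is not Tomcat's code and not part of the post's GitHub project: it parses the tomcat-users.xml and web.xml fragments from this post, keys the user lookup on the certificate subject DN string the way MemoryRealm keys users by username, and applies the url-pattern and http-method rules of a security-constraint. The client2 DN, the request paths and the variant web.xml without http-method are constructed for the demonstration.

```python
"""Model of Tomcat's CLIENT-CERT authorization decision (added example, not
Tomcat's code).  Loads the tomcat-users.xml and web.xml fragments from the
post, maps a certificate subject DN to roles by exact username match, and
applies servlet security-constraint rules.  All DNs, paths and the variant
web.xml below are constructed for the demonstration."""
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed copies of the two fragments from the post.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="secureconn"/>
  <user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN"
        password="null" roles="secureconn"/>
</tomcat-users>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Demo App</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>secureconn</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed variant: same constraint with no <http-method>, so it covers every method.
WEB_XML_ALL_METHODS = WEB_XML.replace("<http-method>GET</http-method>", "")


class Constraint(NamedTuple):
    patterns: Tuple[str, ...]
    methods: Tuple[str, ...]  # empty: applies to every HTTP method
    roles: Tuple[str, ...]    # empty with has_auth=True: <auth-constraint/> denies all
    has_auth: bool


def load_users(xml_text: str) -> Dict[str, Set[str]]:
    """username -> roles.  With CLIENT-CERT the username is the certificate
    subject DN string, so the lookup is an exact string comparison."""
    users: Dict[str, Set[str]] = {}
    for user in ET.fromstring(xml_text).iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        users[user.get("username", "")] = roles
    return users


def load_constraints(xml_text: str) -> List[Constraint]:
    """One Constraint per <web-resource-collection>, carrying its parent's
    <auth-constraint> roles (a constraint applies if any collection matches)."""
    out: List[Constraint] = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = () if auth is None else tuple(r.text.strip() for r in auth.findall("role-name"))
        for wrc in sc.findall("web-resource-collection"):
            patterns = tuple(p.text.strip() for p in wrc.findall("url-pattern"))
            methods = tuple(m.text.strip().upper() for m in wrc.findall("http-method"))
            out.append(Constraint(patterns, methods, roles, auth is not None))
    return out


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: exact, path prefix '/x/*', extension '*.ext'.
    The default-servlet pattern '/' is not modelled here."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def authorize(method: str, path: str, subject_dn: str,
              users: Dict[str, Set[str]], constraints: List[Constraint]) -> int:
    """HTTP status for a request that already passed the TLS handshake with a
    client certificate whose subject DN is subject_dn."""
    roles = users.get(subject_dn, set())  # unknown DN -> no roles
    for c in constraints:
        if c.methods and method.upper() not in c.methods:
            continue  # method not listed: this constraint does not restrict it
        if not any(pattern_matches(p, path) for p in c.patterns):
            continue
        if not c.has_auth:
            continue  # resource named but not protected
        if not c.roles or roles.isdisjoint(c.roles):
            return 403  # empty <auth-constraint/> or no matching role
    return 200


def run_scenarios() -> Dict[str, int]:
    users = load_users(TOMCAT_USERS_XML)
    get_only = load_constraints(WEB_XML)
    all_methods = load_constraints(WEB_XML_ALL_METHODS)
    client1 = "CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN"
    client2 = "CN=client2, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN"
    client1_nospace = client1.replace(", ", ",")  # same subject, different rendering
    return {
        "mapped GET": authorize("GET", "/secure/data", client1, users, get_only),
        "unmapped GET": authorize("GET", "/secure/data", client2, users, get_only),
        "dn formatted differently": authorize("GET", "/secure/data", client1_nospace, users, get_only),
        "unmapped GET outside /secure": authorize("GET", "/index.html", client2, users, get_only),
        "unmapped POST, GET-only constraint": authorize("POST", "/secure/data", client2, users, get_only),
        "unmapped POST, no http-method": authorize("POST", "/secure/data", client2, users, all_methods),
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{status}  {name}")
```

The two scenarios worth noting are "dn formatted differently", which fails even though it is the same subject, because the realm compares strings rather than parsed names, and "unmapped POST, GET-only constraint", which succeeds against the web.xml in this post because only GET is listed; dropping the http-method element closes that gap.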
Run the JUnit test
Open src/test/java/com/goSmarter/test/SecureHttpClient1Test.java and change the line below to point to your <tomcat home>/conf folder:
public static final String path = "D:/apache-tomcat-6.0.36/conf/";
Start Tomcat and run the JUnit test with mvn test -Dtest=com.goSmarter.test.SecureHttpClient1Test
If you want to debug the Realm, raise the log level for the realm and authenticator packages in <tomcat home>/conf/logging.properties as below, then restart Tomcat:
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
If you look at the test class, there are 2 positive tests and 1 negative test. The negative test sends a certificate that the connector accepts but whose subject DN is not mapped to the secureconn role, so the security-constraint rejects the request with a 403 Forbidden status. A certificate the truststore does not trust is rejected earlier, during the TLS handshake, and never reaches the realm. I hope this blog helped you.
Published at DZone with permission of Krishna Prasad, DZone MVB. See the original article here.