Using CLIENT-CERT for Tomcat without specifying a username


Question

I am trying to make a Tomcat web application use client certificate authentication for incoming connections. Everything works fine when using clientAuth=true in server.xml, however due to other applications running on the same server, we cannot use this in the production environment.

Is there a way to form a web.xml document such that it forces client certificate usage for the application in the same way as clientAuth=true? It seems like using the CLIENT-CERT setting also requires you to setup a tomcat user account for each certificate which is to access your system? We need to be able to allow all certificates which are from a specified CA (set in the server truststore) where the subject matches certain rules (checked within the actual application). I was hoping that something like the following would work, but no luck yet!

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>


Recommended answer

First of all, it sounds like you want clientAuth=want instead of clientAuth=true: that will allow the client to provide a certificate but not absolutely require one.

When you use authentication of any kind, Tomcat (or any servlet container for that matter) must be able to build a Principal object out of it -- one that has a name (usually a username). The container then must decide what roles the user has in order to properly authorize a particular request. So, Tomcat will need to know about the users beforehand in order to make authorization work.

On the other hand, if you don't need any authorization, you could set clientAuth=want and then use a Filter to verify the certificate. There's no need to use CLIENT-CERT authentication if you are already doing your own checking.
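The Filter approach from the answer, written out as an added example (this is not code from the question, the answer, or the Tomcat project). It assumes the HTTPS Connector in server.xml is configured with clientAuth="want" and a truststoreFile containing the trusted CA, so that Tomcat itself still validates the certificate chain during the TLS handshake; the filter only decides whether a certificate was presented at all and whether its subject satisfies an application rule. The Servlet API exposes the client's chain under the standard request attribute javax.servlet.request.X509Certificate (Tomcat 9 and earlier; on Tomcat 10+ the packages and the attribute name use the jakarta prefix instead). The subject rule, the class name ClientCertFilter and the organisation value "Example Corp" are constructed for illustration.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.regex.Pattern;

import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: with clientAuth="want" the connector completes the
 * handshake even when no certificate is offered, so the application must
 * enforce "certificate required" itself. A chain that reaches this filter has
 * already been validated against the connector's truststore by Tomcat.
 */
@WebFilter("/*")
public class ClientCertFilter implements Filter {

    // Constructed rule: the RFC 2253 subject must contain O=Example Corp.
    private static final Pattern SUBJECT_RULE =
            Pattern.compile("(^|,)\\s*O=Example Corp(,|$)");

    // Standard attribute name from the Servlet specification (javax namespace).
    private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] clientChain = (X509Certificate[]) request.getAttribute(CERT_ATTRIBUTE);

        // No certificate presented: the handshake succeeded anyway under clientAuth="want".
        if (clientChain == null || clientChain.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // Element 0 is the end-entity certificate; the rest is the chain to the CA.
        X509Certificate clientCert = clientChain[0];
        String subject = clientCert.getSubjectX500Principal().getName(X500Principal.RFC2253);

        if (!subjectAllowed(subject)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate subject not permitted");
            return;
        }

        // Certificate present and subject accepted: let the request through.
        chain.doFilter(req, res);
    }

    /** Application-level subject check; kept separate so it can be unit tested. */
    static boolean subjectAllowed(String rfc2253Subject) {
        return SUBJECT_RULE.matcher(rfc2253Subject).find();
    }

    @Override
    public void destroy() { }
}
```

Because the filter never builds a Principal, no tomcat-users.xml entry or Realm lookup is needed; the connector's truststore decides which CA is trusted and the filter decides which subjects are acceptable. If the application later needs container-managed roles, that is the point where CLIENT-CERT plus a Realm becomes necessary, as the answer explains.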

