Enabling mutual SSL per service in Tomcat


Problem description

I've already managed to successfully set up mutual SSL between a client application and a Tomcat instance. However, I'm now looking for a way to expose only a subset of services deployed in Tomcat via mutual SSL. Although it looks possible to use APR configurations (by defining the value of the "SSLVerifyClient" attribute as "optional"), I can't seem to find a way to do the same with the JSSE implementation of SSL in Tomcat. Appreciate any input on how this can be done.

Cheers, Prabha

Recommended answer

(Note that SSLVerifyClient="optional" with APR is equivalent to clientAuth="want" with the JSSE connector. Despite being optional, this is negotiated upon connection, not re-negotiated once the path is known by the server.)

If you want to use client-certificate authentication only for certain webapps (or paths), you need to configure the connector with a truststore, but leave clientAuth="false".

Then, in your WEB-INF/web.xml, you need to configure CLIENT-CERT authentication. This will use re-negotiation to ask for a client certificate when necessary. The configuration looks like this:

<web-app>
    <display-name>My Webapp</display-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>App</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>cert</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <security-role>
        <role-name>cert</role-name>
    </security-role>
</web-app>

(You'd also need to map the user's Subject DNs to the appropriate roles, when configuring the Tomcat users.)
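As an added example (not part of the original answer), here are the two server-side pieces the answer refers to but does not show: the JSSE connector in server.xml configured with a truststore while keeping clientAuth="false", and a tomcat-users.xml entry that maps a client certificate's Subject DN to the "cert" role used by the web.xml above. Keystore paths, passwords and the Subject DN are placeholders, and the flat connector attributes are the Tomcat 8.0-style form; Tomcat 8.5 and later express the same settings under a nested <SSLHostConfig> element.

```xml
<!-- server.xml: HTTPS connector that trusts the client CA but does NOT require
     a client certificate at handshake time (clientAuth="false").
     The CLIENT-CERT <login-config> in a webapp then triggers a TLS renegotiation
     that asks for the certificate only when a protected URL is requested.
     File paths and passwords are placeholders (assumption). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/server-keystore.jks"
           keystorePass="CHANGEME-keystore-password"
           truststoreFile="conf/client-ca-truststore.jks"
           truststorePass="CHANGEME-truststore-password"
           clientAuth="false" />

<!-- tomcat-users.xml (used by the default UserDatabaseRealm): for CLIENT-CERT
     the realm looks up the certificate's Subject DN as the username, so the
     string must match the DN exactly as Tomcat renders it (ordering and
     separators differ between Tomcat versions; check the DN in the access log
     or a test request before relying on it). The DN below is constructed. -->
<tomcat-users>
  <role rolename="cert"/>
  <user username="CN=client-app, OU=Integration, O=Example Corp, C=US"
        password="" roles="cert"/>
</tomcat-users>
```

With this in place, a request to an unprotected webapp completes a plain server-authenticated TLS handshake, while a request to a path under the security-constraint from the web.xml above causes Tomcat to renegotiate and request a client certificate issued by a CA in the truststore; a certificate whose Subject DN has no matching user (or no "cert" role) is rejected with 403.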
