Can CLIENT-CERT auth-method be used with a JDBC realm within tomcat?


Question

The JDBC realm specifies a table structure for authentication which contains the columns defined by the attributes userNameCol and userCredCol. These correspond to user and password, which makes sense for FORM or BASIC auth-methods. They are interactive and require these two pieces from the client's user.


  • What is retrieved from the certificate?

  • What would example data stored in userNameCol and userCredCol look like?

  • Is there a different table structure for this realm?

PS - I'm using Tomcat 5.5.x.

Recommended answer

JDBCRealm Supports CLIENT-CERT

Yes, it can. However, there are a few quirks to watch out for.

The user name column should contain the certificate subject's distinguished name, as a character string. Unfortunately, the method Tomcat uses to obtain this string produces an implementation-dependent result, so it's possible that if you were to switch to a new security provider, or even just upgrade your Java runtime, you might need to map your user names to a new form. You'll have to test your deployment to find out what format is used.

Specifically, getName() is called on the Principal returned by X509Certificate.getSubjectDN() to obtain a String, which is used as the user name. If you read the documentation (http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Certificate.html#getSubjectDN()), you'll find that this is no longer the best approach.

The simplest setup would be to load your trust anchors into Tomcat's trust store, which is configured in the "server.xml" file. With this setup, any client certificate chain that is rooted in one of your trusted CAs will be considered "authenticated," and rightly so: authentication means that an identity is known, and is distinct from authorization, which determines what that identity is allowed to do.

Since anyone with a signed certificate will be authenticated, you need to set up roles in order to protect private resources in your application. This is done by setting up security constraints, associated with roles, in your "web.xml" file. Then, in your database, populate the "roles" table to grant trusted users extra roles.

The relationship between the user table and the roles table works exactly as it would with FORM-based authorization, and should be utilized to grant appropriate permissions to users that you trust.

The JDBCRealm will create a new Principal, which does carry a password, but unless your application downcasts this Principal to the Tomcat-specific implementation (GenericPrincipal, http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/GenericPrincipal.html), this property won't be visible to you, and it doesn't really matter what you put in that column. I recommend NULL.

In other words, when using JDBCRealm with client-auth, the password field is ignored. This GenericPrincipal has a method to access an underlying principal, but unfortunately the Principal from the certificate is not passed along; the JDBCRealm will set it to null. The only useful method in this scenario might be getName() (returning the subject DN in some possibly non-standard form).

Use exactly the same table structure you would for a FORM-based JDBCRealm (or DataSourceRealm). The only difference will be in the content. The user name will be a text representation of the subject distinguished name, and the password will be NULL or some dummy value.
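The answer's two practical points, that the user name column must hold whatever getSubjectDN().getName() returns on your JVM and that the password column is ignored, are easiest to verify with a small stand-alone program. The following is an added example, not code from the question, the answer or Tomcat itself. It loads a client certificate from a PEM file given on the command line, prints the legacy string Tomcat 5.5 uses as the user name next to the RFC 2253 form from getSubjectX500Principal(), and emits the INSERT statements that provision that DN in the tables. The table and column names (users/user_name/user_pass and user_roles/user_name/role_name) are the ones from Tomcat's own JDBCRealm example schema and are an assumption here; map them to whatever your Realm's userTable, userNameCol, userCredCol, userRoleTable and roleNameCol attributes point at. The role name "trusted-user" is likewise a placeholder.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/**
 * Shows which subject-DN string a CLIENT-CERT login against JDBCRealm will be
 * looked up by, and builds the rows to provision it.
 */
public class ClientCertUserName {

    /**
     * The string Tomcat 5.5's RealmBase hands to JDBCRealm.getPrincipal():
     * X509Certificate.getSubjectDN().getName(). Its exact layout (separators,
     * attribute order, escaping) depends on the security provider, which is
     * why the answer says to test it on the deployment JVM.
     */
    public static String legacyUserName(X509Certificate cert) {
        return cert.getSubjectDN().getName();
    }

    /**
     * The standardized RFC 2253 string from the non-deprecated API. Useful as
     * a comparison point: if it differs from the legacy form, the legacy form
     * is still the one that must be stored for JDBCRealm to find the user.
     */
    public static String rfc2253UserName(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
    }

    /** Quote a value as a SQL string literal; DNs can legitimately contain quotes. */
    private static String sqlLiteral(String s) {
        return s == null ? "NULL" : "'" + s.replace("'", "''") + "'";
    }

    /**
     * Rows for the (assumed) Tomcat example schema. The credential column is
     * NULL on purpose: JDBCRealm never consults it for certificate logins.
     * JDBCRealm matches userNameCol with an equality predicate, so the stored
     * string must be byte-for-byte what legacyUserName() returns.
     */
    public static String[] provisioningSql(String userName, String role) {
        return new String[] {
            "INSERT INTO users (user_name, user_pass) VALUES ("
                + sqlLiteral(userName) + ", NULL);",
            "INSERT INTO user_roles (user_name, role_name) VALUES ("
                + sqlLiteral(userName) + ", " + sqlLiteral(role) + ");"
        };
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java ClientCertUserName <client-cert.pem> [role]");
            System.exit(2);
        }
        String role = args.length > 1 ? args[1] : "trusted-user"; // placeholder role
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        String legacy = legacyUserName(cert);
        String rfc = rfc2253UserName(cert);
        System.out.println("getSubjectDN().getName()                  : " + legacy);
        System.out.println("getSubjectX500Principal().getName(RFC2253): " + rfc);
        System.out.println(legacy.equals(rfc)
            ? "Both forms agree on this JVM."
            : "Forms differ: store the first one for JDBCRealm and re-check after JVM or provider upgrades.");
        for (String stmt : provisioningSql(legacy, role)) {
            System.out.println(stmt);
        }
    }
}
```

To try it without a real CA, generate a throwaway certificate with the JDK's keytool, e.g. `keytool -genkeypair -alias alice -keyalg RSA -keysize 2048 -dname "CN=Alice, OU=Dev, O=Example, C=US" -keystore alice.jks -storepass changeit -keypass changeit` followed by `keytool -exportcert -rfc -alias alice -keystore alice.jks -storepass changeit -file alice.pem`, then run `java ClientCertUserName.java alice.pem`. With the standard Sun provider the two lines typically differ (the legacy form separates RDNs with ", " while RFC 2253 uses a bare ","), which is exactly the portability problem the answer warns about. On the Tomcat side the pieces the answer refers to are `<auth-method>CLIENT-CERT</auth-method>` in the web.xml `<login-config>`, `clientAuth="true"` plus the trust store attributes on the HTTPS `<Connector>` in server.xml, and the `<Realm className="org.apache.catalina.realm.JDBCRealm" ...>` element whose column attributes the SQL above assumes.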

