tomcat client authentication using clientAuth=want


Problem description


My application requires client authentication for a specific URL; after client authentication succeeds, the application itself also does some verification on the client certificate subject (using the Spring Security X509 filter). I wanted to configure Tomcat to force client authentication (clientAuth=true) for the specific URL, but based on this post it seems I can't do this using Tomcat alone: configure tomcat for client authentication only for specific URL patterns (http://stackoverflow.com/questions/14937833/configure-tomcat-for-client-authentication-only-for-specific-url-patterns).


My question is, if I use clientAuth=want, will the following be as below when the server requests a certificate:


  1. If the device has an identity certificate, but it is not trusted by the CA configured in Tomcat's truststoreFile, no certificate will be passed through and the request will fail in the Spring Security filter (certificate is null).

  2. If the device has an identity certificate that is trusted by the CA configured in Tomcat's truststoreFile, but it is invalid (not sure what validation is done) or expired, either authentication will fail in Tomcat (before the security filter) or, as in option 1, no certificate will be passed through and the request will fail in the Spring Security filter (certificate is null).


Is there a security hole I may be missing using this configuration of want + security filter? I guess the question is - if a certificate is eventually passed from the device to the server, the server will always validate it (not expired, trusted etc) even when using clientAuth=want and will not allow the client to continue if the certificate is invalid? The case where no certificate is passed is covered by the security filter that will check the certificate is not null.

Thanks!

Recommended answer


Your assumptions in both 1. and 2. are correct. Tomcat will not allow untrusted or invalid certificates through to your application. If you get a null certificate, you can assume that either no certificate was passed, or an untrusted/invalid certificate was passed.


On the project I am working on we have the same requirement as you: client certificates for certain URLs only. We found out by experimentation how "clientAuth=want" works.
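Added example, not from the question or the answer: the behaviour the answer describes, reproduced with Go's crypto/tls, whose tls.VerifyClientCertIfGiven mode is the counterpart of Tomcat's clientAuth="want". The CA (standing in for truststoreFile), the server certificate and the device certificates are all constructed in code, and Probe reports for a given device certificate whether the handshake completed and whether a client certificate was visible to the application; using Go's TLS stack as a stand-in for Tomcat/JSSE is an assumption of this example, since the page only states what Tomcat does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue builds an Ed25519 cert for cn valid until notAfter: self-signed when ca is nil, else issued by ca.
func issue(cn string, ca *tls.Certificate, notAfter time.Time) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter, DNSNames: []string{"localhost"},
		IsCA: ca == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	parent, signer := tmpl, any(key)
	if ca != nil {
		parent, signer = ca.Leaf, ca.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Constructed PKI: testCA stands in for Tomcat's truststoreFile and issues the server certificate.
var testCA = issue("Test CA", nil, time.Now().Add(time.Hour))
var srvCert = issue("localhost", &testCA, time.Now().Add(time.Hour))

// Probe runs one handshake against a server configured like clientAuth="want" (VerifyClientCertIfGiven), dev
// being the cert the device presents (nil = none); reports handshake success and whether a cert reached the app.
func Probe(dev *tls.Certificate) (handshakeOK, certSeen bool) {
	pool := x509.NewCertPool()
	pool.AddCert(testCA.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: pool, SessionTicketsDisabled: true}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if dev != nil { // present the cert even if its issuer is not in the server's CA list, as a real device would
		cliCfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return dev, nil }
	}
	cConn, sConn := net.Pipe()
	sConn.SetDeadline(time.Now().Add(3 * time.Second)) // safety net: net.Pipe is unbuffered, never block forever
	srv, cli := tls.Server(sConn, srvCfg), tls.Client(cConn, cliCfg)
	go func() { cli.Read(make([]byte, 1)); cConn.Close() }() // device: handshake, then read the byte or the alert
	_, err := srv.Write([]byte{1}) // server: handshake (verifying any presented cert), then one application byte
	return err == nil, err == nil && len(srv.ConnectionState().PeerCertificates) > 0
}
```

Run Probe with nil, a testCA-issued cert, a self-signed cert and a testCA-issued but expired cert: only the first two complete the handshake, and only the second leaves a certificate visible to the application.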
