TomcatExpert

Security

Knowledge Base : Client Certificate Authentication in Apache Tomcat

posted by SpringSource on March 14, 2010 11:26 AM

Tomcat server uses "Client Authentication" to ensure users are valid

SSL (Secure Sockets Layer) allows web browsers and web servers to communicate over a secure connection, with both the browser and the server encrypting traffic before sending data. Authentication is an important part of the SSL protocol and typically involves the server presenting a set of credentials, a “Certificate,” to the visitor as proof that the site is legitimate. With “Client Authentication,” the server asks for proof that the visitor is who they claim to be. Most SSL-enabled web servers do not request Client Authentication.


Security | Client Authentication, CLIENT-CERT, Tomcat Admin

Knowledge Base : Apache Tomcat blocking IO connector

posted by SpringSource on October 27, 2009 03:06 PM

How the client certificate authentication works in Tomcat

The CLIENT-CERT authorization in Tomcat works in the following way:

1) If tomcatAuthentication="false" is set in server.xml, Tomcat simply takes the username from the AJP request and assumes all authentication has already been done.

2) If tomcatAuthentication="true" is set, the CLIENT-CERT will result in the org.apache.catalina.authenticator.SSLAuthenticator valve being inserted automatically into the application Context.


Security | authentication, client certificate, Tomcat

Knowledge Base : How to get the remote user attribute from Apache Tomcat

posted by SpringSource on October 27, 2009 02:59 PM

Remote User: does not retrieve the remote user information even with successful authentication

There are two types of authentication information that can be retrieved from Tomcat.

First scenario: The Apache Server side authentication.
Second scenario: The Tomcat side Authentication.

To configure Tomcat to retrieve the Apache-side authentication:

1. In the httpsd.conf, set up authorization for the protected directory. For example:


Security | applications, Tomcat, Tomcat Security
