TomcatExpert

Client Certificate Authentication in Apache Tomcat

posted by SpringSource on March 14, 2010 11:26 AM

Tomcat server uses "Client Authentication" to ensure users are valid

SSL (Secure Sockets Layer) allows web browsers and web servers to communicate over a secure connection, with both the browser and the server encrypting traffic before sending out data. Authentication is an important part of the SSL protocol and typically involves a server presenting a set of credentials to a visitor, a “Certificate,” as proof that the site is legitimate. With “Client Authentication,” the server asks for proof that the visitor is who they claim to be. Most SSL-enabled web servers do not request Client Authentication.

The CLIENT-CERT authentication in Tomcat works in the following way:

  • If tomcatAuthentication="false" is set in server.xml, Tomcat simply takes the username from the AJP request and assumes all authentication has already been done.
  • If tomcatAuthentication="true" is set, then CLIENT-CERT will result in the org.apache.catalina.authenticator.SSLAuthenticator valve being inserted automatically into the application Context. When a request comes in, the valve does the following:
    • It checks whether a principal is already associated with the request. If there is one, it assumes the request was authenticated earlier; otherwise it invokes the authentication realm.
    • If the authentication realm has validate="true" in server.xml, the Realm validates the certificate. If validate="false" is set, the certificate validation check is skipped.
    • After the validation step, it simply invokes getPrincipal(username) with the username taken from the first certificate in the chain. If that username exists in the DB, the authentication succeeds. No password is ever checked.
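
As an added illustration (not configuration from the original post), here are the pieces of server.xml, tomcat-users.xml and web.xml that the steps above refer to, for a Tomcat 6-era JSSE connector. Keystore paths, passwords and the subject DN are constructed placeholders; the DN string Tomcat looks up is the one it renders from the client certificate, so the realm entry must match that rendering exactly.

```xml
<!-- server.xml: HTTPS connector that demands a client certificate (clientAuth="true")
     and only accepts certificates chaining to a CA in the truststore.
     Paths and passwords are constructed placeholders. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/trusted-cas.jks" truststorePass="changeit" />

<!-- server.xml: AJP connector. With tomcatAuthentication="false" Tomcat would accept the
     username forwarded by the front-end web server without any check of its own, which is
     only acceptable when that front-end is the sole thing able to reach this port.
     The default shown here, tomcatAuthentication="true", runs the CLIENT-CERT steps instead. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           tomcatAuthentication="true" />

<!-- server.xml: the realm. validate="true" (the default) keeps the certificate validation
     step; validate="false" skips it, leaving the DN lookup below as the only check. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" validate="true" />

<!-- conf/tomcat-users.xml: the "username" Tomcat looks up is the subject DN of the first
     certificate in the chain. The password attribute is never consulted for CLIENT-CERT,
     so the presence of this DN in the realm is what grants access. Constructed DN. -->
<user username="CN=Alice Example, OU=Engineering, O=Example Corp, C=US"
      password="" roles="manager" />

<!-- WEB-INF/web.xml of the application: CLIENT-CERT causes the SSLAuthenticator
     valve to be added to the Context; the constraint limits /secure/* to role "manager". -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Certificate Protected Area</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
```

Because no password is checked, anyone holding a certificate whose subject DN appears in the realm and which passes the truststore and validate checks is accepted, so the truststore contents and the realm's user list are the two controls that actually decide who gets in.
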
For more than 10 years, SpringSource employees have been supporting Apache technologies, with unparalleled experience and commitment to the Apache Software Foundation. More than 400 of the Fortune 500 count on SpringSource to support their mission-critical business applications. Leaders of the Apache Software Foundation, including Board Members, work at SpringSource and dedicate a significant amount of time further developing the Apache Tomcat open source project. Over the last 2 years, 95% of the issues fixed in the Apache Tomcat project were fixed by SpringSource engineers. For more information on how SpringSource can help your enterprise, see the SpringSource website, or call 800/444-1935.

Comments

It sounds like a simple

It sounds like a simple standard mechanism. I wonder if revealing the security mechanism won't enable hackers to breach it. I am using endpoint encryption but when it comes to security one can never take too many measures, I learned that a long time ago.
