tomcat client authentication using clientAuth=want

My application requires client authentication for a specific URL; after client authentication succeeds, the application itself also does some verification on the client certificate subject (using the Spring Security X.509 filter). I wanted to configure Tomcat to force client authentication (clientAuth=true) for the specific URL, but based on this post it seems I can't do this using Tomcat alone: configure tomcat for client authentication only for specific URL patterns.

My question is: if I use clientAuth=want, will the following hold when the server requests a certificate?

  1. If the device has an identity certificate that is not trusted by the CA configured in Tomcat's truststoreFile, no certificate will be passed and the request will fail in the Spring Security filter (certificate will be null).
  2. If the device has an identity certificate trusted by the CA configured in Tomcat's truststoreFile, but it is invalid (not sure what validations are done) or expired, either the authentication will fail in Tomcat (before the security filter) or, as in option 1, no certificate will be passed and the request will fail in the Spring Security filter (certificate will be null).

Is there a security hole I may be missing using this configuration of want + security filter? I guess the question is: if a certificate is eventually passed from the device to the server, will the server always validate it (not expired, trusted, etc.) even when using clientAuth=want, and not allow the client to continue if the certificate is invalid? The case where no certificate is passed is covered by the security filter, which will check that the certificate is not null.

Thanks!

michalv82 asked Feb 19 '13 16:02

1 Answer

Your assumptions in both 1. and 2. are correct. Tomcat will not allow untrusted or invalid certificates through to your application. If you get a null certificate, you can assume that either no certificate was passed, or an untrusted/invalid certificate was passed.

On the project I am working on we have the same requirement as you: client certificates for certain URLs only. We found out by experimentation how "clientAuth=want" works.

Rob Worsnop answered Nov 03 '22 17:11
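
As an added example (not code from the question, the answer, Tomcat or Spring Security), here is a Spring Security configuration that implements the "want + security filter" design the thread describes: Tomcat's connector uses clientAuth="want", so the TLS layer validates any certificate that is offered, and the application enforces the certificate requirement only on the device URL pattern and checks the subject itself. It assumes Spring Security 6 (lambda DSL, `requestMatchers`), and the class name, the `/device/**` pattern, the truststore path and the "device-" CN naming rule are all constructed for illustration.

```java
// Added example (not from the question or answer): Spring Security 6 configuration that
// pairs Tomcat's clientAuth="want" with the X.509 pre-authentication filter so that only
// the device URL pattern requires a client certificate. DeviceSecurityConfig, /device/**,
// the truststore path and the "device-" CN prefix below are assumptions, not page values.
//
// Matching Tomcat connector (server.xml), shown only as a comment:
//   <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
//              clientAuth="want" truststoreFile="conf/device-ca.jks" ... />
// With clientAuth="want", Tomcat still validates any certificate the client offers
// (chain to truststoreFile, validity dates) and aborts the handshake if it is bad.
// Only the *absence* of a certificate reaches the application: the request attribute
// "javax.servlet.request.X509Certificate" ("jakarta.servlet..." on Tomcat 10+) is null.
package example;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class DeviceSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Only the device API needs a certificate; everything else stays anonymous.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/device/**").authenticated()
                .anyRequest().permitAll())
            // X509AuthenticationFilter reads the certificate Tomcat stored on the request.
            // When none was presented it finds null, leaves the request unauthenticated,
            // and the rule above rejects it with 403. No null check is needed in
            // application code, and there is no way to reach /device/** without a
            // certificate Tomcat already validated.
            .x509(x509 -> x509
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(deviceUserDetailsService()))
            // The certificate is re-checked on every request, so no session is needed.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Application-level subject check, the second layer the question mentions.
    // Tomcat has already proved the certificate chains to the trusted CA and is within
    // its validity period; here we decide whether *this* subject is a device we accept.
    // Throwing UsernameNotFoundException makes the pre-auth filter continue the chain
    // unauthenticated, so the authorization rule above denies the request.
    @Bean
    UserDetailsService deviceUserDetailsService() {
        return cn -> {
            if (cn == null || !cn.startsWith("device-")) {   // constructed naming rule
                throw new UsernameNotFoundException("subject is not a registered device: " + cn);
            }
            return User.withUsername(cn)
                    .password("")               // never used; identity came from the certificate
                    .authorities("ROLE_DEVICE")
                    .build();
        };
    }
}
```

The one thing this design cannot do is distinguish "client sent no certificate" from "client sent a certificate Tomcat refused": both look like an anonymous request to the filter chain, which is exactly the behaviour the answer above describes. If you need to tell the two apart for logging or alerting, look at the Tomcat side (TLS handshake failures are visible there, not in the application).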