JavaRanch » Java Forums » Products » Tomcat
Site open to anyone with PKI cert

Jack Bryant
Greenhorn

Joined: Nov 20, 2013
Posts: 2
I have a site that uses CLIENT-CERT authentication and checks the user's cert credentials against the tomcat-user.xml file. What do I need to change in order to not require the user's information to be in the tomcat-user.xml file, but to simply check that they have a PKI cert? I have another method later in the process to check their credentials and don't want to have to maintain a second list if I can get away from it. I simply need all persons with a valid PKI cert to be assigned the webuser role.

Thanks for the help....
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16250
Welcome to the JavaRanch, Jack!

" I have another method later in the process to check their credentials" sounds suspiciously like "I have a user-designed security system". User-designed security is an oxymoron, I'm afraid, based on long years of sad experience. Unless you are being handsomely paid as a trained security expert, it's wiser to use code that actual security experts have designed, implemented, thoroughly tested, documented, and integrated into the J2EE API itself.

There are other places to store userids, such as databases and Active Directory/LDAP. You don't have to use tomcat-users.xml. But I do recommend using some container security Realm instead of just rolling your own.


Customer surveys are for companies who didn't pay proper attention to begin with.
Jack Bryant
Greenhorn

Joined: Nov 20, 2013
Posts: 2
Actually, we have a third-party service that handles those issues; we just need to make sure a person has a valid PKI on our end, and then those credentials are passed to the third-party service, which determines what they can and can't access. Someone else set up the server to require a PKI cert and use the tomcat-user.xml file for local user authentication, but as the number of people that need access to the site grows it would become extremely cumbersome to manage that file, and unnecessary since we already have a service that will manage that for us based on their PKI cert.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16250
Well, in cases where you have something like a web service doing the authentication, a custom Realm is probably your best bet.

It's fairly easy to create a Realm plugin. All it has to do is implement a few basic API functions. The Realm authenticates credentials (the userID will be fed in from the Tomcat security system). You construct a UserPrincipal object that anchors the user's security session (can be anything you want as long as it implements the UserPrincipal interface). And you also have to supply a method for determining whether a given user has a requested security role.

If you do that, you don't need an intermediate user registry at all, since the authentication request just gets passed straight through to your service provider.
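The Realm plugin described above, written out as an added example (not code from this thread or from the Tomcat project): a Realm for Tomcat 7 through 9 that turns any client certificate the TLS connector has already accepted into a Principal carrying the webuser role, so no tomcat-users.xml entry is needed. The package and class names are assumed; the connector must still demand and verify client certificates (clientAuth="true" on Tomcat 7/8.0, certificateVerification="required" on 8.5+) against a truststore, because that is where "valid PKI cert" is actually decided.

```java
package com.example.realm;   // hypothetical package name

import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Grants the role "webuser" to every client whose certificate the TLS connector
 * has already accepted. Trust is decided there, not here: the connector's
 * truststore (and CRL file, if configured) rejects unknown or revoked issuers
 * before this Realm is consulted. This class only turns an accepted certificate
 * into a Principal plus a role list.
 * Wire-up: <Realm className="com.example.realm.AnyClientCertRealm"/> in
 * META-INF/context.xml, with <auth-method>CLIENT-CERT</auth-method> and a
 * "webuser" <security-role> in web.xml.
 */
public class AnyClientCertRealm extends RealmBase {
    private static final List<String> ROLES = Collections.singletonList("webuser");

    /** Called by Tomcat's SSL authenticator with the chain the connector verified. */
    @Override
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return null;                 // no client certificate presented
        }
        X509Certificate leaf = certs[0]; // end-entity certificate is first in the chain
        try {
            leaf.checkValidity();        // still refuse expired / not-yet-valid certificates
        } catch (CertificateException e) {
            return null;
        }
        // The subject DN becomes the user name handed to the downstream service.
        String user = leaf.getSubjectX500Principal().getName();
        // RealmBase.hasRole() answers isUserInRole() from this list, so no per-user
        // registry such as tomcat-users.xml is needed.
        return new GenericPrincipal(user, null, ROLES);
    }

    // Password paths (BASIC/FORM) are deliberately dead: with no stored password,
    // RealmBase.authenticate(String, String) always fails.
    @Override
    protected String getPassword(String username) { return null; }
    @Override
    protected Principal getPrincipal(String username) { return null; }

    // Abstract on Tomcat 7, so it must exist there; harmless on later versions.
    protected String getName() { return "AnyClientCertRealm"; }
}
```

The subject DN string is what your later call to the third-party service would receive as the user identity; if that service expects a different certificate field, change the one line that builds `user`.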