I have a site that uses CLIENT-CERT authentication and checks the user's cert credentials against the tomcat-user.xml file. What do I need to change in order to not require the user's information be in the tomcat-user.xml file, but to simply check that they have a PKI cert? I have another method later in the process to check their credentials and don't want to have to maintain a second list if I can get away from it. I simply need all persons with a valid PKI cert to be assigned the webuser role.
"I have another method later in the process to check their credentials" sounds suspiciously like "I have a user-designed security system". User-designed security is an oxymoron, I'm afraid, based on long years of sad experience. Unless you are being handsomely paid as a trained security expert, it's wiser to use code that actual security experts have designed, implemented, thoroughly tested, documented, and integrated into the J2EE API itself.
There are other places to store userids, such as databases and Active Directory/LDAP. You don't have to use tomcat-users.xml. But I do recommend using some container security Realm instead of just rolling your own.
An IDE is no substitute for an Intelligent Developer.
Actually, we have a third party service that handles those issues, we just need to make sure a person has a valid PKI on our end and then those credentials are passed to the third party service which determines what they can and can't access. Someone else set up the server to require a PKI cert and use the tomcat-user.xml file for local user authentication, but as the number of people that need access to the site grows it would become extremely cumbersome to manage that file, and unnecessary since we already have a service that will manage that for us based on their PKI cert.
Well, in cases where you have something like a web service doing the authentication, a custom Realm is probably your best bet.
It's fairly easy to create a Realm plugin. All it has to do is implement a few basic API functions. The Realm authenticates credentials (the userID will be fed in from the Tomcat security system). You construct a UserPrincipal object that anchors the user's security session (can be anything you want as long as it implements the UserPrincipal interface). And you also have to supply a method for determining whether a given user has a requested security role.
If you do that, you don't need an intermediate user registry at all, since the authentication request just gets passed straight through to your service provider.
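A minimal custom Realm of the kind described above, written as an added example for this thread (not code from the original posts or from Tomcat itself). It assumes the Tomcat 8.5/9 RealmBase and GenericPrincipal signatures; the package, class name and `role` attribute are hypothetical. The point it makes: the "is this a valid PKI cert" decision belongs to the TLS connector's truststore, and the Realm only maps an already-accepted certificate to a principal carrying the webuser role, so no tomcat-users.xml entry is needed.

```java
package example.realm; // hypothetical package, not from the thread

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Grants one role to every caller whose client certificate the TLS connector
 * already accepted. No user list is kept: chain trust comes from the
 * connector's truststore (clientAuth="true"), RealmBase.authenticate(X509Certificate[])
 * checks the validity period when validate="true" (the default), and this
 * class only maps certificate -> principal.
 */
public class CertOnlyRealm extends RealmBase {

    // Settable from server.xml / context.xml:
    //   <Realm className="example.realm.CertOnlyRealm" role="webuser"/>
    private String role = "webuser";

    public void setRole(String role) { this.role = role; }
    public String getRole() { return role; }

    // Called by RealmBase after the validity check; the username is the
    // subject DN produced by the configured X509UsernameRetriever.
    @Override
    protected Principal getPrincipal(String username) {
        List<String> roles = Collections.singletonList(role);
        return new GenericPrincipal(username, null, roles); // Tomcat 8.5/9 constructor
    }

    // No stored passwords: nothing for a BASIC/FORM login to compare against.
    @Override
    protected String getPassword(String username) {
        return null;
    }

    // Close the username/password path explicitly so only CLIENT-CERT grants the role.
    @Override
    public Principal authenticate(String username, String credentials) {
        return null;
    }

    // Refuse an empty chain even if a misconfigured connector forwards none.
    @Override
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return null;
        }
        return super.authenticate(certs);
    }
}
```

The web application still needs `<auth-method>CLIENT-CERT</auth-method>` and a `<security-role>` named webuser in web.xml, and the HTTPS connector must be configured with clientAuth="true" and a truststore holding only the PKI's issuing CAs, since that truststore is what actually defines "valid PKI cert" here.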