Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Enabling CLIENT-CERT based authorization on Tomcat: Part 1

DZone's Guide to

Enabling CLIENT-CERT based authorization on Tomcat: Part 1

· Integration Zone ·
Free Resource

SnapLogic is the leading self-service enterprise-grade integration platform. Download the 2018 GartnerMagic Quadrant for Enterprise iPaaS or play around on the platform, risk free, for 30 days.

In continuation with my earlier blog on Enabling SSL on Tomcat, in this blog I will go to next step and enable CLIENT-CERT based authorization on Tomcat. Again if you want to tryout the code go to my Github and download the code.

For this sample, I assume that you have tried my earlier SSL example on Tomcat and have the setup. As per the SSL example I assume,

  • You have setup Tomcat 6.0 version
  • You have set the SSL Connector Configuration in Tomcat server.xml
  • You have started the Tomcat server and run the SecureHttpClient0Test test

In this blog, I will show you how to,

Setup MemoryRealm

In the server.xml comment the Realm tag and replace that with the code below,

<Realm className="org.apache.catalina.realm.MemoryRealm" />

Setup user role setup

In <tomcat home>/conf/tomcat-users.xml

<role rolename="secureconn"/>
<user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null"  roles="secureconn"/>

Setup security-contraint

Add access control in the individual application web.xml as below,

<security-constraint>
<web-resource-collection>
<web-resource-name>Demo App</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>secureconn</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Demo App</realm-name>
</login-config>
<security-role>
<role-name>secureconn</role-name>
</security-role>

Run JUnit test

Open the class src/test/java/com/goSmarter/test/SecureHttpClient1Test.java file and change the below code to point to <tomcat home>/conf folder

public static final String path = "D:/apache-tomcat-6.0.36/conf/";

Start the Tomcat and run the JUnit test using “mvn test -Dtest=”com.goSmarter.test.SecureHttpClient1Test”

If you want to debug the Realm, you need to increase the log level for Realm in <tomcat-home>/conf/logging.properties as below,

org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

If you notice there are 2 positive tests and 1 negative test, negative test will give a forbidden 403 return status when a wrong certificate is sent based on the security-constraint. I hope this blog helped you.

With SnapLogic’s integration platform you can save millions of dollars, increase integrator productivity by 5X, and reduce integration time to value by 90%. Sign up for our risk-free 30-day trial!

Topics:

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}