Over a million developers have joined DZone.
Platinum Partner

Enabling CLIENT-CERT based authorization on Tomcat: Part 1

· Integration Zone

The Integration Zone is brought to you in partnership with 3scale. Discover why Rails + jspm >= ECMAScript 6 awesomeness.

In continuation with my earlier blog on Enabling SSL on Tomcat, in this blog I will go to next step and enable CLIENT-CERT based authorization on Tomcat. Again if you want to tryout the code go to my Github and download the code.

For this sample, I assume that you have tried my earlier SSL example on Tomcat and have the setup. As per the SSL example I assume,

  • You have setup Tomcat 6.0 version
  • You have set the SSL Connector Configuration in Tomcat server.xml
  • You have started the Tomcat server and run the SecureHttpClient0Test test

In this blog, I will show you how to,

Setup MemoryRealm

In the server.xml comment the Realm tag and replace that with the code below,

<Realm className="org.apache.catalina.realm.MemoryRealm" />

Setup user role setup

In <tomcat home>/conf/tomcat-users.xml

<role rolename="secureconn"/>
<user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null"  roles="secureconn"/>

Setup security-contraint

Add access control in the individual application web.xml as below,

<web-resource-name>Demo App</web-resource-name>
<realm-name>Demo App</realm-name>

Run JUnit test

Open the class src/test/java/com/goSmarter/test/SecureHttpClient1Test.java file and change the below code to point to <tomcat home>/conf folder

public static final String path = "D:/apache-tomcat-6.0.36/conf/";

Start the Tomcat and run the JUnit test using “mvn test -Dtest=”com.goSmarter.test.SecureHttpClient1Test”

If you want to debug the Realm, you need to increase the log level for Realm in <tomcat-home>/conf/logging.properties as below,

org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

If you notice there are 2 positive tests and 1 negative test, negative test will give a forbidden 403 return status when a wrong certificate is sent based on the security-constraint. I hope this blog helped you.

The Integration Zone is brought to you in partnership with 3scale. Learn how to deploy an NGINX API gateway on Heroku.


Published at DZone with permission of Krishna Prasad , DZone MVB .

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}