Over a million developers have joined DZone.
Silver Partner

Enabling CLIENT-CERT based authorization on Tomcat – Part 2

· Java Zone

The Java Zone is brought to you by Stormpath—offering a pre-built identity API for developers. Easily build powerful user management, authentication, and authorization into your web and mobile applications. Check out this tutorial to build a simple web app with Spring Boot and Spring Security in 15 minutes.

In continuation of my earlier blogs Enabling CLIENT-CERT based authorization on Tomcat and Enabling SSL in Tomcat, in this blog I will demonstrate, how you can configure multiple application to control access to their web resources using CLIENT-CERT mechanism. Please read both the above blogs, before reading further.

There are 2 tomcat web applications in the code base in GitHub called “client1″ and “client2″, if you go to web.xml of client1 it looks as below,

<security-constraint>
<web-resource-collection>
<web-resource-name>Demo App</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>secureconn</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Demo App</realm-name>
</login-config>

<security-role>
<role-name>secureconn</role-name>
</security-role>

If you notice, there is a web resource called “/secure” it will be only accessed by a user with role “secureconn”. And in “client2″ web.xml you have,

<security-constraint>
<web-resource-collection>
<web-resource-name>Demo App</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>secureconn1</role-name>
</auth-constraint>
</security-constraint>

Again, if you notice in client2, there is a web resource called “/secure” it will be only accessed by a user with role “secureconn1″.

In a typical enterprise, you will use a LDAPRealm and users with secureconn role can access client1 web resource and users with secureconn1 role can access client2 web resource. But in this demo we will use MemoryRealm and configure tomcat-users.xml with these users and roles as below,

<role rolename="secureconn"/>
<user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null"  roles="secureconn"/>
<role rolename="secureconn1"/>
<user username="CN=client2, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null"  roles="secureconn1"/>

I hope this blog helped you.



The Java Zone is brought to you by Stormpath—offering a pre-built, streamlined user management API for building web and mobile applications. Learn how token authentication with JWTs (JSON Web Tokens) helps secure websites and avoids the pitfalls of using cookies and sessions.

Topics:

Published at DZone with permission of Krishna Prasad , DZone MVB .

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}