使用clientAuth = want进行tomcat客户端身份验证
[英]tomcat client authentication using clientAuth=want
问题描述
My application requires client authentication for a specific URL, after client authentication succeeds the application itself also does some verification on the client certificate subject (using spring security x509 filter). 
我的应用程序需要对特定URL进行客户端身份验证,在客户端身份验证成功后,应用程序本身也会对客户端证书主题进行一些验证(使用spring security x509过滤器)。 I wanted to configure tomcat to force client authentication (clientAuth=true) for the specific URL, but based on this post it seems I can't do this only using tomcat - configure tomcat for client authentication only for specific URL patterns . 我想配置tomcat来强制特定URL的客户端身份验证(clientAuth = true),但基于这篇文章,似乎我不能只使用tomcat - 只为特定的URL模式配置tomcat进行客户端身份验证 。
My question is, if I use clientAuth=want, will the following be as below when the server requests a certificate: 我的问题是,如果我使用clientAuth = want,当服务器请求证书时,以下内容如下:
- If device has an identity certificate but not trusted by the CA configured in tomcat truststoreFile, no certificate will be passed and the request will fail in the spring security filter (certificate will be null) 如果设备具有身份证书但不受tomcat truststoreFile中配置的CA信任,则不会传递证书,并且请求将在spring安全过滤器中失败(证书将为null)
- If device has an identity certificate trusted by the CA configured in tomcat truststoreFile, but is invalid (not sure what validations are done) or expired, either the authentication will fail in tomcat (before the security filter) or as in option 1 no certificate will be passed and the request will fail in the spring security filter (certificate will be null) 如果设备具有由tomcat truststoreFile中配置的CA信任的身份证书,但无效(不确定执行了哪些验证)或过期,则认证将在tomcat中失败(在安全过滤器之前)或在选项1中没有证书将传递并且请求将在spring安全过滤器中失败(证书将为null)
Is there a security hole I may be missing using this configuration of want + security filter? 使用此配置的want +安全过滤器,是否存在我可能缺少的安全漏洞? I guess the question is - if a certificate is eventually passed from the device to the server, the server will always validate it (not expired, trusted etc) even when using clientAuth=want and will not allow the client to continue if the certificate is invalid? 我想问题是 - 如果证书最终从设备传递到服务器,服务器将始终验证它(未过期,受信任等),即使使用clientAuth = want也不会允许客户端继续,如果证书是无效? The case where no certificate is passed is covered by the security filter that will check the certificate is not null.. 没有证书通过的情况由安全过滤器覆盖,该过滤器将检查证书不为空。
Thanks! 谢谢!
1 个解决方案
解决方案1
6 已采纳 2013-12-02 18:59:56
Your assumptions in both 1. and 2. are correct. 您在1和2中的假设都是正确的。 Tomcat will not allow untrusted or invalid certificates through to your application. Tomcat不允许将不受信任或无效的证书通过您的应用程序。 If you get a null certificate, you can assume that either no certificate was passed, or an untrusted/invalid certificate was passed. 如果获得空证书,则可以假定未传递证书,或者传递了不受信任/无效的证书。
On the project I am working on we have the same requirement as you: client certificates for certain URLs only. 在我正在开发的项目上,我们有与您相同的要求:仅限某些URL的客户端证书。 We found out by experimentation how "clientAuth=want" works. 我们通过实验发现了“clientAuth = want”的工作原理。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.