[Pki-devel] Client Authentication

Jack Magne jmagne at redhat.com
Fri Oct 28 01:33:08 UTC 2011 

Adam Young wrote:
> Ade,
>
> Your ealier emali discussed the renegotiation challenge based on the 
> Profiles. 
>
> http://pki.fedoraproject.org/wiki/REST#Profiles
>
> For the case where a user points a browser (say and Ajax request)  at 
> /pki/profiles   lets say that we have two cases:  one where the user 
> is authenticated and one where they are not.  In both cases, they get 
> back a collection, but in the case of unauthenticated it will have 
> significantly fewer entries. 
>
> In this case, we would want the Java  equivalent of mod_nss: 
>
> NSS_VerifyCLient: Optional
>
> I'm guessing this a tomcatjss setting.
 clientAuth="want"

For tomcatjss in server.xml

The thing is though, the way this behaves is the user is asked for the 
cert every time. The server then lets it go if the user choses not to 
send one, or uses it if they do.
>
> In this case, if the user has the certificate, they can present it, 
> but if they don't,  the operation will complete.  I think this is what 
> we want.  We always ask for the certificate, but we say it is OK if 
> you don't have it, you just don't get the data.
>
> In the case where the user is asking for an object, say an actual 
> profile, and they don't have sufficient privs,  they get back a hard 
> and fast error:  probably 403.2
>
> http://en.wikipedia.org/wiki/HTTP_403
>
> For something like CSRs, we probably want to restrict access to 
> agents.  In that case, if an unauthenticated user, or one without 
> appropriate privs,  attempts to access that URL,  they also get a 403.2.
>
> I don't know how this works in with the renegotiate, but I am guessing 
> that every time the user without a certificate hits an "Optional" page 
> they will be asked for their cert.  This might be chatty.  No idea.
>
> So in general,  we tag the URLS either
> NSS_VerifyClient: Require  if they must be authenticated to use them
> NSS_VerifyClient: Optional  if they see different results based on 
> authentication or not
> NSS_VerifyClient: None if they can view them unauthenticated and see 
> the same results as everyone else
>
>
> IN the pki/WEB-INF/web.xml,  this probably maps to something like this:
> <security-constraint> 
>    <web-resource-collection>
>      <web-resource-name>Protected Resource</web-resource-name>
>      <url-pattern>*/*/profile*</url-pattern>
>    </web-resource-collection>
>   
>     <auth-constraint>
>          <role-name>*anonymous*</role-name>
>          <role-name>*agent*</role-name>
>    </auth-constraint>
>   </security-constraint>
>
> I'm guessing that we want to specify a role for anonymous as opposed 
> to no role. 
>
> <web-app>
> ...
>
> <login-config>
>  <auth-method>CLIENT-CERT</auth-method>
>    <realm-name>Tomcat Manager Application</realm-name>
>    <realm-name>PKICA</realm-name>
>   </login-config>
> ...
> </web-app>
>
>
> the PKICA  Realm would be defined at the server level, in 
> conf/server.xml.  Something like:
>
>
> <Realm   className="com.netscape.catalina.realm.LDAPCertRealm"
>      connectionURL="ldaps://localhost:8389"
>        userPattern="uid={0},ou=people,dc=mycompany,dc=com"
>           roleBase="ou=groups,dc=mycompany,dc=com"
>           roleName="cn"
>         roleSearch="(uniqueMember={0})"
> />
>   
> There is a class  that almost does what we want.
>
>  *org.apache.catalina.realm.JNDIRealm*. 
>
> I suspect we can subclass it.  It has two ways of doing the auth :  
> Bind mode and Comparison mode.  It might be possible to add a  Client 
> Cert mode in a subclass.  docs are here:
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>   

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20111027/97ab64d4/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 43 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20111027/97ab64d4/attachment.gif>

More information about the Pki-devel mailing list