tomcat - Spring Security with X509 at all levels of authentication -

-

i have legacy application converting user-password use certificate-based authentication. using tomcat 7, , application needs support 4 types of security based on url in application user trying access

for instance: few servlets use http few servlets use https without authentication few servlets use mutual authentication using pki, users not known in advance, user valid cert in cert chain granted access. reset of application management, have role based access based on pre-defined user certificate cns.

i have connector running https @ 443 clientauth="want" in tomcat server.xml

i have application web.xml has springsecurityfilterchain lists urls want require https

my springsecuritycontext.xml has x509 section has subject-principal-regex="cn=(.*?)," user-service-ref="userdetailsservice" reads pre-registered users , roles property file. there, list intercept-url patterns want have requires-channel="https" patterns require roles.

i added urls wanted require https setting access="is_authenticated_anonymously" intercept-url

this gets me 3 of 4 requirements need since of urls above automatically re-direct http https using spring security, , enforce user credentials against roles, or not check client certificate @ all. url-patterns not put web.xml springsecurityfilterchain accept http connections.

what can't figure out final pattern, application ask client certificate, validated against ca in certificate chain, not against known user-database roles. have valid certs, need access client cert discover, not known in system, since general users application. i'm not quite sure how accomplish this.

here snippets 3 xml files show talking about. included httpsandcertlink in springsecurity show 1 trying add, can't work.

server.xml

<connector port="443" protocol="org.apache.coyote.http11.http11protocol"
maxthreads="150" sslenabled="true" scheme"https" secure="true"
clientauth="want" sslprotocol"tls"
keystorefile="doesntmatter"
truststorefile="doesntmatter" />

web.xml

<login-config>
<auth-method>client-cert</auth-method>
<realm-name>myapp</realm-name>
</login-config>

<filter>
<filter-name>springsecurityfilterchain</filter-name>
<filter-class>org.springframework.web.filter.delegatingfilterproxy</filter-class>
</filter>

<filter-mapping>
<filter-name>springsecurityfilterchain</filter-name>
<url-pattern>*.go</url-pattern>
<url-pattern>/httpsonlylink</url-pattern>
<url-pattern>/httpsandcertlink</url-pattern>
</filter-mapping>

springsecuritycontext.xml

<security:http xmlns="http://www.springframework.org/schema/security" >
<security:x509 subject-principal-regex="cn=(.*?)," user-service-ref="userdetailsservice" />
<security:intercept-url pattern="/management**" requires-channel="https" access="role_mgmt" />
<security:intercept-url pattern="/httpsonlylink**" requires-channel="https" access="is_authenticaed_anonymously" />
<security:intercept-url pattern="/httpsandcertlink**" requires-channel="https" --not sure change here-- />
</security:http>

<security:authentication-manager xmlns="http://www.springframework.org/schema/security" alias="authenticationmanager">
<security:authentication-provider>
<security:user-service id="userdetailsservice" properties="\web-inf\users.properties" />
</security:authentication-provider>
</security:authentication-manager>

one approach piggyback missing requirement on roles requirement creating additional "valid certificate" role users automatically assigned. valid certificate chain should required, should required set intercept-url pattern match url requires valid certificate , require "valid certificate" role, making sure rule matched after ones requiring specific roles.


Comments

Post a Comment

Popular posts from this blog

mysql - Dreamhost PyCharm Django Python 3 Launching a Site -

-
i'm new python/django , created simple django website using pycharm. site works fine running on computer, i'm lost when comes taking site onto host (dreamhost). i'm able upload files correct directories fine, , believe made correct changes database on mysql. i'm not sure go there though. right now, page shows files rather site. direction appreciated. much! you should not run django application using python manage.py runserver on production. how run application on django depends on server (apache, nginx) want use for apache - https://docs.djangoproject.com/en/1.10/howto/deployment/wsgi/modwsgi/ for nginx - https://www.digitalocean.com/community/tutorials/how-to-serve-django-applications-with-uwsgi-and-nginx-on-ubuntu-14-04 the mysql database should, of course, exist , have correct credentials. or, if choose use sqlite, file should accessible, readable , writable www-user (may different depending on linux distributive)
Read more

java - Sending SMS with SMSLib and Web Services -

-
i have made rest web service send smss using hsdpa usb modem. using smslib in java send smss. every time web service invoked, create gateway start service, send message, stop service , remove gateway. takes 20 seconds each message. found starting service takes lot of time. part of code use send smss service.getinstance().addgateway(gateway); service.getinstance().startservice(); outboundmessage msg = new outboundmessage(phonenumber, message); if (service.getinstance().sendmessage(msg)) { result = "message sent successfully!!"; } else { result = "could not send message."; } service.getinstance().stopservice(); service.getinstance().removegateway(gateway);//remove gateway is there way can start service once if not started , use send message when ever web service invoked? why dont group messages , send in 1 go? service.getinstance().sendmessages(messa...
Read more

java - How to resolve The method toString() in the type Object is not applicable for the arguments (InputStream) -

-
i'm trying read json file local machine. @path("/") public class jsonparsing { file f = new file("file.json"); if (f.exists()){ inputstream = new fileinputstream("file.json"); string jsontxt = ioutils.tostring(is); system.out.println(jsontxt); jsonobject json = new jsonobject(jsontxt); string = json.getstring("1000"); system.out.println(a); } } but i'm getting error in tostring() method. possible read .txt file containing json object local machine? if possible, how done? firstly: whenever ask question- add imports well. secondly: yes possible read .txt file containing json object. steps: 1. add maven dependency in pom.xml - <dependency> <groupid>com.googlecode.json-simple</groupid> <artifactid>json-simple</artifactid> <version>1.1.1</version> </dependency> or add jar of dependency. 2.import...
Read more