
My web application authenticates the user based on the user's X.509 certificate. For now, I've configured Tomcat for mutual authentication by setting "clientAuth=want". However, as this certificate exchange happens during the SSL handshake phase, I see the following limitations with this approach:

  1. All other applications deployed on the same Tomcat also ask for the user's certificate, which may not be necessary.
  2. Whenever the first request is made to the server, which could be for any public URL such as a CSS or image URL, the certificate pop-up appears in the user's browser.
  3. JavaScript calls to my web application from any other app's UI cause this pop-up in the user's browser.
  4. Once the HTTPS session is established, subsequent requests contain only the end user's certificate and not the entire chain.

Is there any way I can negotiate with the browser and get the user's certificate whenever my application needs it?

P.S. I already asked this question on Stack Overflow, but no luck there, hence posting it here.

1 Answer


Yes, but it won't work with HTTP/2 (which doesn't allow renegotiation) or TLSv1.3 (since the OpenJDK TLS 1.3 implementation does not support post handshake authentication).

What you will need to do is:

  • remove clientAuth="want" from the connector
  • configure the web application for CLIENT-CERT authentication
  • configure security constraints to require authentication for any resource where you want to require a certificate
  • optionally, use the AuthenticatedUserRealm (assuming you want to allow all users with valid certs)
Mark Thomas
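The four steps of the answer, written out as Tomcat configuration. This is an added example, not the answer's own code; the port, keystore and truststore paths and passwords, and the `/api/*` URL pattern are assumed values, and the web.xml uses Servlet 3.1 so that the `**` role name is valid.

```xml
<!-- conf/server.xml: HTTPS connector that no longer asks every client for a
     certificate. No HTTP/2 UpgradeProtocol and TLS 1.2 only, because the
     renegotiation that CLIENT-CERT relies on is unavailable under HTTP/2
     and TLS 1.3. Port, keystore paths and passwords are assumed values. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2"
                 certificateVerification="none"
                 truststoreFile="conf/client-ca.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/server.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- webapp META-INF/context.xml: accept any client whose certificate
     validates against the connector truststore; no user database needed. -->
<Context>
  <Realm className="org.apache.catalina.realm.AuthenticatedUserRealm"/>
</Context>

<!-- webapp WEB-INF/web.xml (Servlet 3.1 or later so that "**" is valid):
     only /api/* triggers the certificate request; CSS, images and the
     other webapps on this Tomcat are never prompted. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Certificate-protected API</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "**" means any authenticated user, regardless of role -->
      <role-name>**</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

Inside `/api/*` the servlet reads the presented certificate(s) from the `javax.servlet.request.X509Certificate` request attribute; any request outside that pattern is served without a certificate prompt.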