
I need to implement Mutual Authentication using Tomcat for Smart Card-based logon.

I have successfully configured Tomcat Mutual Authentication for certificates that are present on the file system by following https://nhachicha.wordpress.com/2012/01/26/mutual-authentication-with-tomcat/

Upon Successful Authentication, I am also able to access these certificates within my Java code using filters.

Real-world Scenario:

  1. User logs on to Windows using a Smart Card (containing PKI certificates)
  2. User accesses my App from the browser
  3. Tomcat should be able to access the authenticated certificates for its mutual authentication process
  4. This certificate will be used to access the User Principal, which will be used for authorization of resources within the App

Could someone shed light on how I can access the Smart Card certificates once Windows has used them for logging on (preferably without swiping the card once more)? I need to configure Tomcat to access these certificates.

(Once tomcat succeeds in Mutual Authentication, the certificates will be passed on and intercepted by Filters where the Java Logic can use them)

Rachit Vij
  • AFAIK, you can't. The user has logged on using his certificate, but from this moment on, he will be a client of your Tomcat server. If this Tomcat requires client auth, the user will be prompted to choose a client certificate (SSL layer). Any action you might try to access the Windows certificates would have to be done on the client side by some kind of plugin (Java, ActiveX...) contained in the HTTP layer, therefore under (=after) the SSL layer which requires the client certificate. – Iansus Nov 25 '15 at 09:46
  • You'd need some kind of SSO (Single Sign-On) mechanism to transmit the Windows session to your app. A native Windows approach would be to use Kerberos, but I don't know anything about Kerberos & Tomcat interoperability. Unless your app could take advantage of some PIN caching mechanism that is not always enabled and that would only work if the client has one certificate (assuming there was not too much delay between Windows auth and auth on your server), I don't see how your Tomcat instance would be able to access the certificate used for Windows SC login... – Iansus Nov 25 '15 at 09:51
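Added example (not code from the question or the linked blog post): a servlet filter of the kind the question describes, reading the client certificate chain that Tomcat exposes once the connector's mutual authentication has succeeded and deriving a principal name from the subject CN. The class name, the `app.clientCertPrincipal` request attribute and the CN-based mapping are assumptions; `javax.servlet.request.X509Certificate` is the attribute name defined by the Servlet specification.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: maps the TLS client certificate to a principal name for the app's authorization code. */
public class ClientCertPrincipalFilter implements Filter {
    // Servlet-spec attribute; Tomcat populates it only after the connector verified the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumed attribute name under which downstream code reads the derived principal.
    static final String PRINCIPAL_ATTR = "app.clientCertPrincipal";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        // No chain means the TLS layer performed no client authentication: deny, never fall back.
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String cn = commonName(certs[0]); // index 0 is the end-entity (user) certificate
        if (cn == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate subject has no CN");
            return;
        }
        req.setAttribute(PRINCIPAL_ATTR, cn);
        chain.doFilter(req, res);
    }

    /** Returns the CN RDN of the subject DN, or null if it is absent or the DN cannot be parsed. */
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) { /* treated as no CN */ }
        return null;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The filter does not re-validate the chain itself; it relies on the connector's `clientAuth` setting and truststore having already done so, which is why a missing attribute is rejected rather than treated as an anonymous user.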
