
I have created a Java servlet. I need to host it using two-way SSL connection. I was provided two .cer files to achieve this. I created a Java key store to use with Apache tomcat to deploy my servlet. My server.xml for the https connection reads

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
           disableUploadTimeout="true" enableLookups="false" maxThreads="25"
           port="30580" keystoreFile="SSLConnect.jks" keystorePass="$Actual password"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https" secure="true" sslProtocol="TLS" />

and I have also enabled HTTPS in the servlet by adding

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

to the web.xml file.

Despite all this, anyone can connect to the service using the URL I have deployed the service to. Do you not need the certificates to connect to the URL since SSL is enabled over HTTPS? Am I doing something wrong here?

  • SSL-now-TLS supports multiple options but most commonly, and in Java by default, it authenticates the server but not the client; see https://security.stackexchange.com/questions/20803/how-does-ssl-work/ . If you want to require client-auth, also called client-cert or mutual-auth or twoway-auth, see [SSLHostConfig certificateVerification](https://tomcat.apache.org/tomcat-9.0-doc/config/http.html) or its obsolete connector-level equivalents. – dave_thompson_085 Jun 18 '19 at 20:45

1 Answer


You need to set clientAuth="true", not clientAuth="false".

– Toby