
I am trying to create a Java servlet application that requires client certificate authentication, but only on specific pages. I would like to have a landing page that doesn't require any sort of authentication, which will have a link/button to go to a page that does require authentication. Is there a way to do this?

I am using OpenLiberty as the servlet container. I am familiar with using ClientAuthenticationSupported="true" (in server.xml), but I do not want the user prompted to select a certificate until they reach a certain page. I have also looked at HttpServletRequest, but don't see a way to force a specific type of authentication with the available methods.

I want the user to be prompted like they would be when visiting prod.idrix.eu/secure. Is there a way to set a servlet's authentication type programmatically to accomplish this? Any help would be appreciated. I think this can be done using two different applications (one that does not require authentication and one that does), but I would like to keep it all as one.

Thanks.

1 Answer


In web.xml you can specify security-constraints that include URL patterns for the pages that should be protected. You can also configure <login-config> to use the CLIENT-CERT authentication method. In server.xml you then configure your user registry and the mapping between certificate and user. More details here - https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-ldap-certificate-map-mode

Gas
  • I am currently not using a web.xml because I am using Servlet 3.0 annotations. Do I need to move my servlet mapping there as well? Or is there a servlet annotation way of doing security-constraints? And is configuring a user registry required? I would like to allow any certificate that is trusted by my keystore. – thewalruswaspaul Feb 17 '22 at 15:22
  • @thewalruswaspaul It is possible, but it will be much easier and cleaner via web.xml ;-) And you can define only security there; you can leave your servlet annotations as they are. – Gas Feb 17 '22 at 19:42
  • Thank you, this has definitely led me in the right direction. I have been trying to do the same steps, but for basic certificate map mode [link here](https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-basic-certificate-map-mode). I am able to lock down a specific page, but I am never prompted to select a certificate from the browser unless I have ClientAuthenticationSupported="true" or ClientAuthentication="true". Is this how it is supposed to work? If I switch my '' from CLIENT-CERT to BASIC it will give me a form popup, so it seems my web.xml configuration is correct. – thewalruswaspaul Feb 18 '22 at 20:37
  • @thewalruswaspaul yes, you need to have one of these `ClientAuthentication...` in your SSL config to trigger cert request. See here for details how it works - https://www.ibm.com/docs/en/was-liberty/base?topic=scl-configuring-your-web-application-server-client-certificate-authentication – Gas Feb 19 '22 at 01:41
  • thank you. I was hoping I wouldn't have to use one of those because I just want the certificate request to appear on a certain page. It seems like that is not possible using Liberty. Thanks again for your help. – thewalruswaspaul Feb 22 '22 at 16:03
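The answer and the comment thread put together as one concrete configuration. This is an added example, not code from the question, the answer or the Liberty documentation: the URL pattern `/secure/*`, the role `certUser`, the keystore file names and passwords, the application name and the user `alice` are placeholders, and the Liberty element and attribute names are as I understand them from the product documentation, so check them against the docs for the Liberty version you run.

```xml
<!-- WEB-INF/web.xml: declares security only. Servlet mappings stay on the @WebServlet annotations.
     (Placeholder URL pattern and role name.) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- No constraint covers "/" or the landing page, so it stays anonymous. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Pages that require a client certificate</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only users bound to this role get in. An empty <auth-constraint/> would deny everyone. -->
      <role-name>certUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Force HTTPS for these URLs; a client certificate can only be presented on a TLS connection. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <!-- CLIENT-CERT: the container authenticates from the TLS client certificate
         instead of a form or a BASIC challenge. -->
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>certUser</role-name>
  </security-role>
</web-app>

<!-- server.xml, relevant parts only (placeholder ids, file names, passwords and user). -->
<server description="client certificate on selected URLs">
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>appSecurity-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>

  <!-- The server's own certificate, and a trust store holding the CA(s) that issued
       the client certificates you are willing to accept. -->
  <keyStore id="serverKeyStore" location="server-key.p12" type="PKCS12" password="changeit" />
  <keyStore id="clientTrustStore" location="client-ca-trust.p12" type="PKCS12" password="changeit" />

  <!-- clientAuthenticationSupported="true": the server asks for a certificate during the TLS
       handshake but still completes the handshake if the browser sends none, so the anonymous
       landing page keeps working. clientAuthentication="true" would reject every connection
       that presents no certificate, landing page included. -->
  <ssl id="clientCertSSL" keyStoreRef="serverKeyStore" trustStoreRef="clientTrustStore"
       clientAuthenticationSupported="true" />
  <sslDefault sslRef="clientCertSSL" />

  <!-- Basic certificate map mode: the CN of the certificate's subject DN is looked up as a
       user name in this registry. The password is a placeholder; the CLIENT-CERT login does not use it. -->
  <basicRegistry id="basic" realm="certRealm">
    <user name="alice" password="unused-placeholder" />
  </basicRegistry>

  <!-- Bind the registry user to the role named in web.xml. -->
  <application id="certapp" name="certapp" type="war" location="certapp.war">
    <application-bnd>
      <security-role name="certUser">
        <user name="alice" />
      </security-role>
    </application-bnd>
  </application>
</server>
```

The split of responsibilities is the point the comment thread arrives at: the browser's certificate chooser is triggered by the `<ssl>` element during the TLS handshake, which happens on the first HTTPS connection regardless of which URL was requested, while the `<security-constraint>` only decides which URLs are refused when no trusted certificate mapping to a bound user was presented. With `clientAuthenticationSupported="true"` a user who dismisses the prompt still reaches the landing page and is refused on `/secure/*`; there is no setting here that defers the prompt until a particular page is requested.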