Do we have the `client-auth` = `want`?


Charlee Chitsuk

Jul 8, 2021, 5:51:21 AM
to Payara Forum
Hi,

Regarding the SSL/TLS Options [1], Client Authentication, which shows how to set `client-auth-enabled=[true/false]`: do we have something like `client-auth` = `want` (to use the client certificate if available and bypass it if it is not available)? If yes, could you please advise how to set it via the `asadmin` command and the pre and post boot scripts?

Thank you very much for your help in advance. I'm looking forward to hearing from you soon.

Rudy De Busscher

Jul 13, 2021, 2:15:26 AM
to Payara Forum
Hi,

Can you explain in more detail what you would like to achieve? What should happen when there is no client certificate? Should access to the application be granted? The Client Certificate authentication itself doesn't allow this. A secured endpoint sends out a challenge so that the client can send the certificate to the server, but access is denied when no certificate is provided (or it is invalid).

Regards
Rudy

Charlee Chitsuk

Jul 13, 2021, 8:04:49 AM
to Payara Forum
Hi,

I have just seen that Apache Tomcat provides more options for `certificateVerification` [1], i.e. `required`, `none`, `optional` and `optionalNoCA`.

Regarding `optional` and `optionalNoCA`, they are explained as follows:

* Set to `optional` if you want the SSL stack to request a client certificate, but not fail if one isn't presented.

* Set to `optionalNoCA` if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs.

I'm not sure if we may have something like these two values or not. Could you please help to advise?

Regards,

Charlee Ch.

Rudy De Busscher

Aug 10, 2021, 3:06:16 AM
to Payara Forum
Hi,

Payara doesn't have the option you describe and I'm not sure if having the Client Certificate as an optional requirement for a call is a good idea. How does the authorisation work when roles and groups can't be determined from the certificate? Why would you use a Client Certificate if the endpoint works fine without one?

Regards
Rudy

Charlee Chitsuk

Aug 10, 2021, 4:08:44 AM
to Payara Forum
Hi,

Thank you very much for the reply.

I have a big fat war file which serves only web pages (JSF), and there is an ad hoc requirement to expose a few of them as a simple REST API which requires the client certificate. If `client-auth-enabled=true`, it will affect the web page usage, since the web browser has to provide its client certificate, too.

My idea is to make it something like `client-auth-enabled=want` so that the web browser experience stays the same, while the new ad hoc simple REST API will check for the existence of `req.getAttribute("javax.servlet.request.X509Certificate")` to ensure that the client has sent its client certificate and that it is already trusted by the server.

Sadly, my idea is invalid, and I may have to create a new domain for deploying a copy of the big fat war file to serve this ad hoc requirement, or find something else like a reverse proxy to help.

Regards,
Charlee Ch.


Rudy De Busscher

Aug 10, 2021, 7:02:57 AM
to Payara Forum
Hi,

Are you already using the login-config element within web.xml to protect the JSF pages?
If not, you can define the REST resources in a security constraint and define the client certificate as the login method.

Otherwise, you can only define one security method for an application, so mixing form-based and client certificate authentication is not possible with Java EE / Jakarta EE.

You can work around this by creating a custom HttpAuthenticationMechanism (the Security API spec) to support your needs (but it will require some custom coding).

Regards
Rudy
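The web.xml arrangement Rudy describes (only the REST resources inside a security-constraint, with CLIENT-CERT as the application's single login method) looks like the following. This is an added example, not configuration from the thread or from Payara's documentation; the `/api/*` URL pattern, the `rest-client` role name and the `certificate` realm name are assumptions and have to be adapted to the actual application (the role also needs a group or principal mapping in glassfish-web.xml or via the certificate realm's assign-groups property).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

  <!-- Only the ad hoc REST resources are constrained. JSF pages are not
       listed here, so they stay reachable without a client certificate. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Ad hoc REST resources</web-resource-name>
      <!-- Assumed path: the JAX-RS application path of the new endpoints. -->
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role name; must be mapped to the certificate principals or
           a group assigned by the certificate realm. -->
      <role-name>rest-client</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Client certificates are only meaningful over TLS, so force HTTPS
           for the constrained URLs. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Exactly one login-config is allowed per application. CLIENT-CERT makes
       the container request a certificate only when a constrained resource
       is accessed; unconstrained pages are served without a challenge. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <!-- Assumed: the built-in certificate realm of Payara / GlassFish. -->
    <realm-name>certificate</realm-name>
  </login-config>

  <security-role>
    <role-name>rest-client</role-name>
  </security-role>
</web-app>
```

Requests to anything outside `/api/*` are unaffected by the constraint, which is the behaviour the thread was after without touching the listener-wide `client-auth-enabled` setting. A request to `/api/*` that presents no certificate, or one the realm's truststore does not trust, is rejected by the container before the JAX-RS resource runs, so the resource code does not need its own `javax.servlet.request.X509Certificate` check for the access decision (it can still read that attribute to identify the caller).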

Charlee Chitsuk

Aug 10, 2021, 10:17:40 AM
to Payara Forum
Hi,

Thank you very much for the advice. You saved my life.

I don't have any login-config element within web.xml yet. Defining the REST resources within the security-constraint together with the login-config will help me to solve this ad hoc issue.

Regards,
Charlee Ch

