Re: possible problem with CLIENT-CERT login and security constraint on TOMCAT 4.0

2001-01-12 Thread Craig R. McClanahan



Shahed Ali wrote:

> Hi,
>
> This is slightly off the original post. But I want to do auth based on
> client certificates. However, I am using Tomcat 3.2.1 with Apache and
> Virtual Hosts. Also I have the  tag in my server.xml. Now I remember
> reading people having problems passing a client cert from Apache to
> Tomcat or something to that effect. Are there any examples out there that
> talk about how to set up client cert auth with Apache + Tomcat +
> acquiring a client cert + becoming an issuer of client certs.
>
> Thanks
> Shahed.

Tomcat 3.2.1 does not support *container-managed* security using
the CLIENT-CERT method -- you need Tomcat 4.0 for that -- although you
could implement your own security processing based on the contents of the
client certificates.  The certificate chain is supposed to be exposed
to you (I don't recall the details of whether this works right for all
web connectors or not) as a request attribute named "java.security.cert.X509Certificate",
which will be an array of java.security.cert.X509Certificate objects.
Craig McClanahan
 




Re: possible problem with CLIENT-CERT login and security constraint on TOMCAT 4.0

2001-01-12 Thread Shahed Ali



Hi,

This is slightly off the original post.

But I want to do auth based on client certificates.

However, I am using Tomcat 3.2.1 with Apache and Virtual Hosts.
Also I have the  tag in my server.xml.

Now I remember reading people having problems passing a client cert from
Apache to Tomcat or something to that effect.

Are there any examples out there that talk about how to set up client cert
auth with Apache + Tomcat + acquiring a client cert + becoming an issuer of
client certs.

Thanks
Shahed.


Re: possible problem with CLIENT-CERT login and security constraint on TOMCAT 4.0

2001-01-12 Thread Craig R. McClanahan


[EMAIL PROTECTED] wrote:

> Hi,
>
> I am trying to configure the TOMCAT server to authenticate clients with a
> certificate over HTTPS.
>
> My connector is configured to accept requests on port 8443 like this:
>
>                port="8443" minProcessors="5" maxProcessors="75"
>                acceptCount="10" debug="0" scheme="https" secure="true">
>
>                clientAuth="true" protocol="TLS" keystorePass="password1"/>
>
> My tomcat-users.xml file is configured with a new entry that matches the
> getSubjectDN().getName() of the client certificate used:
>
>
> I also uncommented the security constraint in my web.xml file like this:
>
>       The Entire Web Application
>       /*
>
>       tomcat
>
>     CLIENT-CERT
>     Tomcat Supported Realm
>
>       An example role defined in "conf/tomcat-users.xml"
>     tomcat
>
> My problem is that when I try to connect to my tomcat server I always get
> the same message:
> HTTP Error 403 - Forbidden
>
> Possible reasons:
> I tried to compare the BASIC authenticator and the CLIENT-CERT
> authenticator.
>     * The BasicAuthenticator class registers a MemoryRealmPrincipal object
>       returned by the MemoryRealm class
>     * The SSLAuthenticator class registers a Principal object which is
>       simply returned by the certs[0].getSubjectDN() method (and has no
>       role associated)
>
> When I modified the SSLAuthenticator class a little bit to look up in the
> MemoryRealm the MemoryRealmPrincipal associated with the username =
> certs[0].getSubjectDN().getName() (with no password), that seems to run
> better...
>
> Excuse me if it's a known limitation, a bug already known or a bad
> setting...
>
> Jérôme
In order to use CLIENT-CERT authentication, you *must* set up a user in
whatever Realm is used for authentication, with a username equal to certs[0].getSubjectDN(). 
This is needed for the following reasons:
* To know that this is a valid user for *this* application,
  (not just that the certificate is valid)
* To know what roles are assigned to this user for
  *this* application.
If you are using the default Realm implementation, this means you must
add an entry to $CATALINA_HOME/conf/tomcat-users.xml for this user.
Craig McClanahan
 
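Craig's two answers describe the same mechanism from two sides: on Tomcat 3.2.1 the application itself has to read the chain from the "java.security.cert.X509Certificate" request attribute and decide who the user is, and on Tomcat 4.0 the container does that for you but only if the realm contains a user whose name is exactly certs[0].getSubjectDN() and carries the roles the security constraint asks for. The servlet below is an added example, not code from this thread or from Tomcat; the class name, the allow-list map and the sample DN in it are hypothetical, constructed for illustration. It performs the application-managed check Craig describes for 3.2.1, and the subjectName() value it computes is the exact string a 4.0 deployment would have to place in the realm's user entry (e.g. in conf/tomcat-users.xml).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (not part of Tomcat): application-managed CLIENT-CERT
 * authorization for a container that exposes the client certificate chain only
 * as a request attribute and does no container-managed CLIENT-CERT login.
 */
public class CertAuthServlet extends HttpServlet {

    /** Request attribute named in the thread; set by the connector after a mutual-TLS handshake. */
    static final String CERT_ATTR = "java.security.cert.X509Certificate";

    /**
     * Constructed allow-list: subject DN string -> roles granted to that DN in
     * THIS application. The key must be exactly what
     * certs[0].getSubjectDN().getName() returns; that same string is what a
     * container-managed setup would put into the realm's user entry.
     */
    private static final Map<String, Set<String>> USERS = new HashMap<String, Set<String>>();
    static {
        // Sample DN, constructed for the example.
        USERS.put("CN=Jerome Example, OU=Dev, O=Example Corp, C=FR",
                  new HashSet<String>(Arrays.asList("tomcat")));
    }

    /** Subject DN of the leaf certificate, or null if no chain was presented. */
    static String subjectName(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return null;
        }
        // chain[0] is the client's own certificate; the rest is the issuer chain.
        return chain[0].getSubjectDN().getName();
    }

    /** Roles assigned to this DN for this application (empty if the DN is unknown here). */
    static Set<String> rolesFor(String dn) {
        Set<String> roles = USERS.get(dn);
        return roles == null ? Collections.<String>emptySet() : roles;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String dn = subjectName(chain);
        if (dn == null) {
            // No certificate reached the servlet: the connector did not request one
            // (clientAuth="false") or a front end did not pass it through.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        Set<String> roles = rolesFor(dn);
        if (!roles.contains("tomcat")) {
            // Same outcome the container gives: the certificate validated at the TLS
            // layer, but the subject is not a known user of THIS application -> 403.
            log("rejected certificate subject not in allow-list: " + dn);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("authenticated as " + dn + " with roles " + roles);
    }
}
```

The log line on the rejection path is the practical part: a 403 with nothing else recorded is exactly the symptom in this thread, and logging the DN string the server actually saw lets you copy it into the realm entry character for character instead of retyping it from the certificate viewer.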


possible problem with CLIENT-CERT login and security constraint on TOMCAT 4.0

2001-01-12 Thread jerome . camilleri



Hi,

I am trying to configure the TOMCAT server to authenticate clients with a certificate over HTTPS.

My connector is configured to accept requests on port 8443 like this:
    
               port="8443" minProcessors="5" maxProcessors="75"
               acceptCount="10" debug="0" scheme="https" secure="true">
      
               clientAuth="true" protocol="TLS" keystorePass="password1"/>
    

My tomcat-users.xml file is configured with a new entry that matches the getSubjectDN().getName() of the client certificate used:
 
   
   
   
   
 

I also uncommented the security constraint in my web.xml file like this:
  
    
      The Entire Web Application
      /*
    
    
      tomcat
    
  

  
    CLIENT-CERT
    Tomcat Supported Realm
  

  
    
      An example role defined in "conf/tomcat-users.xml"
    
    tomcat
  

My problem is that when I try to connect to my tomcat server I always get the same message:
HTTP Error 403 - Forbidden

Possible reasons:
I tried to compare the BASIC authenticator and the CLIENT-CERT authenticator.
    * The BasicAuthenticator class registers a MemoryRealmPrincipal object returned by the MemoryRealm class
    * The SSLAuthenticator class registers a Principal object which is simply returned by the certs[0].getSubjectDN() method (and has no role associated)

When I modified the SSLAuthenticator class a little bit to look up in the MemoryRealm the MemoryRealmPrincipal
associated with the username = certs[0].getSubjectDN().getName() (with no password), that seems to run better...

Excuse me if it's a known limitation, a bug already known or a bad setting...


Jérôme