Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-26 Thread joe
hi dave,

please don't import every client certificate into your server 
truststore! that's what a 'certification chain' is for. you create 
your own CA and import this CA into your truststore. you can find your 
truststore here: [jdk-home]/jre/lib/security/cacerts (the default 
password is: changeit).
then create a server certificate and sign it with your CA.
don't forget to set the name correctly in your server ssl certificate:
What is your first and last name?
  [Unknown]:  www.mydomain.com

if you name it the wrong way the browser pops up a message to verify the 
server name.
then create your client certificates and sign them with your CA. (you 
don't need to import them into your truststore. you trust your 
truststore and all 'children' of it!)
you can export the CA certificate (make a .cer file) and import this into 
the browser.

here you find a good howto to create certification chains for FreeS/WAN.
in this howto you find everything you need (step-by-step) to use it with 
tomcat. just import the certs with the java keytool into the keystore 
and cacerts files.

i hope this helps!
cu,
joe

RE: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-26 Thread dave . prout
Joe,

I've also been trying to do this for ages. I assume you import the
client certificate into the server truststore. How does the server know where
to look for this truststore?

Thanks

Dave 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-26 Thread joe
first of all: use jdk1.4.x !!! i found a bug in the old implementation. 
if someone is interested i can search in my archive to describe the bug.

here is how to patch tomcat 4.1.x to make client authentication 'optional':

in the java class:
org.apache.tomcat.util.net.jsse.JSSESocketFactory
you find 2 times this method call:
.setNeedClientAuth(clientAuth);
change this to:
.setWantClientAuth(clientAuth);
that's it!

and don't forget to change your server.xml:

<!-- element names and className values restored from the Tomcat 4.1 default
     server.xml; the archive dropped the lines that began with '<' -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="/root/certs/java.concrete-it.com.keystore"
           keystorePass="changeit" />
</Connector>

here is my link collection for ssl:
http://www-106.ibm.com/developerworks/java/library/j-customssl/sidebar.html
http://developer.java.sun.com/developer/qow/archive/169/index.jsp
http://www.catgen.com/developer/manual/ssl.html#jbosscatalina
you can find a lot of howtos on how to make your own CA, server cert and 
client certs.

hope this helps,
joe
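The CA-chain advice at the top of this thread and the setNeedClientAuth/setWantClientAuth patch above, as an added stand-alone example in Go's standard library; it is not code from the thread or from Tomcat, it models JSSE's behaviour rather than calling it, and every name in it (the CA, www.mydomain.com, the client "dave") is constructed.

```go
// Added example, not from the thread: a stand-alone model in Go's standard library
// (instead of keytool/JSSE) of two points made above: a truststore holding only
// your CA accepts every certificate that CA signed and rejects unrelated ones, and
// what setNeedClientAuth vs setWantClientAuth changes on the server side.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cert is a certificate plus the private key that can sign children with it.
type Cert struct {
	Leaf *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // toy serial counter; a real CA persists these

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn: self-signed when parent is nil (the CA itself),
// otherwise signed by parent ("sign it with your CA"). dns lists the server names.
func issue(cn string, isCA bool, dns []string, parent *Cert) *Cert {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:    dns, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return &Cert{Leaf: leaf, Key: key}
}

// chainsToTruststore asks whether a chain leads from c to a root in trust (a cacerts
// file holding only the CA); name is the browser-side server-name check, "" skips it.
func chainsToTruststore(c *x509.Certificate, trust *x509.CertPool, name string, usage x509.ExtKeyUsage) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: trust, DNSName: name, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// admitClient models the server's decision: want=false is setNeedClientAuth(true),
// want=true is setWantClientAuth(true); presented is nil when the client sent nothing.
// It returns the authenticated CN, "" for an allowed but anonymous connection, or an error.
func admitClient(want bool, presented *x509.Certificate, trust *x509.CertPool) (string, error) {
	if presented == nil {
		if !want {
			return "", fmt.Errorf("handshake failed: client presented no certificate")
		}
		// want mode: the webapp must inspect javax.servlet.request.X509Certificate
		// itself before treating the caller as authenticated.
		return "", nil
	}
	// A certificate that is presented is validated in both modes.
	if err := chainsToTruststore(presented, trust, "", x509.ExtKeyUsageClientAuth); err != nil {
		return "", fmt.Errorf("handshake failed: %w", err)
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca := issue("My Test CA", true, nil, nil)
	server := issue("www.mydomain.com", false, []string{"www.mydomain.com"}, ca)
	client := issue("dave", false, nil, ca)
	rogue := issue("dave", false, nil, nil) // self-signed, never imported anywhere
	trust := x509.NewCertPool()
	trust.AddCert(ca.Leaf) // the only certificate the truststore needs
	fmt.Println("server cert, right name:", chainsToTruststore(server.Leaf, trust, "www.mydomain.com", x509.ExtKeyUsageServerAuth))
	for _, want := range []bool{false, true} {
		for _, c := range []*x509.Certificate{nil, client.Leaf, rogue.Leaf} {
			cn, err := admitClient(want, c, trust)
			fmt.Printf("want=%t presented=%t cn=%q err=%v\n", want, c != nil, cn, err)
		}
	}
}
```

With want mode the handshake also succeeds for a browser that sends no certificate at all, which is why the application has to check the certificate attribute itself before treating the request as authenticated.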



Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-26 Thread joe
hi,

it's true that there is no 'step-by-step' howto for tomcat, but there 
are many other ssl (and client auth) howtos which you can use for tomcat.
the only thing is just a little bit of searching and reading about ssl, 
CA, X509 certificates, certification chains ...

i have successfully established ssl connections with (mutual) client 
certificates. i'll try to find the howtos i've used and post them here (i 
hope i'll find them again).
i haven't used CRLs - i'm sure there are howtos 'out there'.

and: it's true that tomcat does NOT support mutual client auth! but 
i've read a little bit of the docs and the source code and patched my 
tomcat 4.1.x to change the ssl client auth behavior to mutual.

cu, joe




Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-25 Thread Mark Liu
Hi,

No, the Tomcat docs only say how to turn on
*server* authentication, i.e., how to run Tomcat in
SSL mode.  They do not mention how to have the client
also pass its certificate over to the Web server.

Do you have an idea about how to turn on client certs?

__
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com




Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-25 Thread Norris Shelton
That about sums it up.  We are looking at client certs also. 
The Tomcat docs say how to turn on client authentication, but
there is not much out there on hooking up to a CA and verifying
against a CRL.  

All of that is beyond the scope of this list and dives deep into
the realm of JCE.

We are looking into going with a vendor (probably VeriSign).


=

Norris Shelton
Software Engineer
Sun Certified Java 1.1 Programmer
Appriss, Inc.
ICQ# 26487421
AIM NorrisEShelton
YIM norrisshelton





Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-25 Thread Mark Liu
For over 1 week, I've been exploring this.  So
far, I got no reply.  Is this so professional, so
tough that nobody's got a clue?




RE: Basic authentication question

2003-03-25 Thread Koes, Derrick

Sorry, it is a protected resource and I want to continue to use basic
authentication, not form authentication.  I still don't see a way around the
problem.

The relevant part of my web.xml:



<!-- element names restored; the archive kept only the text between the tags -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>dora</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>1</role-name>
    <role-name>2</role-name>
    <role-name>3</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>DORA</realm-name>
</login-config>

This electronic transmission is strictly confidential to Smith & Nephew and
intended solely for the addressee.  It may contain information which is
covered by legal, professional or other privilege.  If you are not the
intended addressee, or someone authorized by the intended addressee to
receive transmissions on behalf of the addressee, you must not retain,
disclose in any form, copy or take any action in reliance on this
transmission.  If you have received this transmission in error, please
notify the sender as soon as possible and destroy this message.




Re: Basic authentication question

2003-03-25 Thread Boon Seong
In that case, meaning it is a protected resource, right? Maybe you can try
using the container's security feature, such as putting this configuration in your
web application's web.xml file.



<!-- element names restored; the archive kept only the text between the tags -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin page</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/admin/login.jsp</form-login-page>
    <form-error-page>/admin/error.jsp</form-error-page>
  </form-login-config>
</login-config>




RE: Basic authentication question

2003-03-25 Thread Koes, Derrick

Unfortunately, this does not work.
Tomcat seems to use 401 as a prompt to put up the basic auth login dialog.
If you add the configuration below, it goes to this page first without ever
prompting for user login.

Do you have any other suggestions?

Thanks,
Derrick






Re: Basic authentication question

2003-03-25 Thread Boon Seong
add this to the web.xml


<error-page>
  <error-code>401</error-code>
  <location>/errorpage.jsp</location>
</error-page>




Basic authentication question

2003-03-25 Thread Koes, Derrick

I wish to replace tomcat's 401 error page with something more elegant and
specific to my web app.  How can I do this?

Thanks,
Derrick






DIGEST authentication!

2003-03-25 Thread Uwe Klosa
Hi,

I'm using Tomcat 4.1.18, Apache 1.3.27 and mod_jk as the connector. I want
to implement DIGEST authentication on tomcat. I have already implemented
BASIC authentication, which is working fine. But when I change to
DIGEST it doesn't work anymore.

This is the contents of my web.xml




<!-- element names restored; the archive kept only the text between the tags -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>test</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>

I also changed the passwords in tomcat-user.xml to their digest
representations and added digest="MD5" to the  in the server.xml.

But it doesn't work. Any ideas? 

Regards,
Uwe
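The DIGEST arithmetic from RFC 2617, as an added example in Go (not code from the thread or from Tomcat), showing what a realm that stores digested passwords must hold for the server to verify a DIGEST response; user, realm, password, nonce, cnonce and URI are constructed values.

```go
// Added example, not from the thread: the RFC 2617 arithmetic behind DIGEST
// authentication, written out to show what a realm that stores digested
// passwords must hold for the server to check a response. User, realm,
// password, nonce, cnonce and URI below are constructed values.
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// HA1 is the only password-derived input the server needs: MD5(username:realm:password).
func HA1(user, realm, password string) string {
	return md5hex(user + ":" + realm + ":" + password)
}

// DigestResponse is the value the browser puts in the Authorization header;
// qop="" selects the older RFC 2069 form, anything else the qop=auth form.
func DigestResponse(ha1, method, uri, nonce, nc, cnonce, qop string) string {
	ha2 := md5hex(method + ":" + uri)
	if qop == "" {
		return md5hex(ha1 + ":" + nonce + ":" + ha2)
	}
	return md5hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2)
}

// StoredCredential is what a realm (such as tomcat-users.xml) keeps per user.
type StoredCredential struct {
	Value    string
	Digested bool // true: Value is used as HA1 directly; false: Value is the clear-text password
}

// Verify is the server side: obtain HA1 from what is stored, recompute the
// response and compare. A digested store therefore only works if the stored
// value was computed over user:realm:password; MD5(password) alone cannot be
// turned into HA1 by the server, because the raw password is gone.
func Verify(stored StoredCredential, user, realm, method, uri, nonce, nc, cnonce, qop, response string) bool {
	ha1 := stored.Value
	if !stored.Digested {
		ha1 = HA1(user, realm, stored.Value)
	}
	return DigestResponse(ha1, method, uri, nonce, nc, cnonce, qop) == response
}

func main() {
	user, realm, pw, uri := "admin", "MyRealm", "s3cret", "/servlet/test"
	nonce, nc, cnonce, qop := "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth"
	// What the browser would send for GET /servlet/test after the 401 challenge.
	resp := DigestResponse(HA1(user, realm, pw), "GET", uri, nonce, nc, cnonce, qop)
	stores := []struct {
		name string
		cred StoredCredential
	}{
		{"clear text", StoredCredential{Value: pw}},
		{"MD5(user:realm:password)", StoredCredential{Value: HA1(user, realm, pw), Digested: true}},
		{"MD5(password)", StoredCredential{Value: md5hex(pw), Digested: true}},
	}
	for _, s := range stores {
		fmt.Printf("%-26s verifies: %t\n", s.name, Verify(s.cred, user, realm, "GET", uri, nonce, nc, cnonce, qop, resp))
	}
}
```

The third case is the one to rule out when BASIC works with digested passwords but DIGEST does not: a store of MD5(password) lets a BASIC realm compare hashes, but gives a DIGEST realm nothing it can turn into HA1.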





catching the forwarded address after authentication

2003-03-25 Thread Riyaz Mansoor

hi

after a tomcat authentication, tomcat forwards the user to the page which
initially requested the authentication.

but i want to forward all users to a certain page from where the user can
choose to do whatever they want, regardless of the page which requested the
authentication. how can i do this?

how/where does tomcat store the address of the page that requested the
authentication so that i may change it? or perhaps there's another way?

thanx for any help

riyaz





Does Tomcat SSL support dual authentication?

2003-03-24 Thread Mark Liu
I am running tomcat 4.1.18 in SSL mode on a Win2K
system.

And my Web server wants to parse the client's
certificate.

How can I configure Tomcat SSL to request the client to
send its certificate?

Thanks.






RE: Windows 2000 Authentication Integration

2003-03-24 Thread Hans Liebenberg
Hi ,

Thanks for the help.
Correct me if i am wrong, but getRemoteUser() simply returns the REMOTE_USER
cgi header. In windows 2000, which uses kerberos authentication, that value is
set to null when IIS is set to use NT authentication?

I was under the impression that I would need to somehow decode the token

Negotiate
TlRMTVNTUAADGAAYAFgYABgAcAgACABACAAIAEgIAAgAUACI
BYKAoFMATwBMAE8ASABhAG4AcwBTAE8ATABPAJ2pRGfJ0YtxkZH3SSUlrorf0IhAO24Dnzc7
ioGGMJ8o7bSHEZ9M28GKpQosqYHjnA

And then access the active directory...??

Thanks




-Original Message-
From: Jacob Kjome [mailto:[EMAIL PROTECTED]
Sent: 24 March 2003 06:30
To: Tomcat Users List
Subject: Re: Windows 2000 Authentication Integration



You should be able to get it via request.getRemoteUser().  However, note
that when using the JK connectors, you will have to tell Tomcat whether it
should get the remote user from the JK environment or from within
Tomcat.  When using Tomcat with Apache, that is done via adding the
following to the jk2.properties file...


request.tomcatAuthentication=false

I believe this will also work for the IIS connector.

See this resolved bug for
details...http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12196

Jake

At 02:50 PM 3/24/2003 -0800, you wrote:
>Hi,
>
>I have searched the archives and have not managed to find a decent answer
>for this.
>The users of an intranet are already logged into the windows domain.
>I need to retrieve the currently logged in user name from my java web
>application.
>
>1) I am integrating IIS and tomcat using the isapi redirector.
>2) using IIS 5.0 and Windows 2000 Server
>3) I have set the IIS security to NT Authentication.
>
>
>The response variable that gets set is
>
>"authenticate"
>
>with a value of
>
>TlRMTVNTUAADGAAYAFgYABgAcAgACABACAAIAEgIAAgAUACI
>BYKAoFMATwBMAE8ASABhAG4AcwBTAE8ATABPAOgkx0G8QbgJhRZRc0xo40R8cUWsA6X0SQ9M
>cj7FIOa2dRLjARCYlxSI3eGrqD12jW
>
>I assume this is some kind of base 64 encoded token which i need to use to
>get the user details from the windows 2000 active directory???
>
>Has anyone got any idea how I retrieve the logged in username.
>
>Thanks
>
>Hans
>
>
>
>
>
>
>
>



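What the token pasted above is, as an added example (not from the thread and not Tomcat or IIS code): the text after "Negotiate" begins with TlRMTVNTUAAD, which is base64 for the bytes "NTLMSSP\0" followed by message type 3, so the browser sent an NTLM AUTHENTICATE message rather than a Kerberos ticket. The rest of the token is not reproduced intact on the page, so the code below builds its own sample message (domain, user, workstation and a placeholder NT response are all constructed) and parses it with the MS-NLMP layout: signature, type, six field descriptors, flags, then the payload. The domain and user fields are plain UTF-16LE, but they are only a claim; the proof is the NT response, which IIS has the domain controller verify before the request reaches the application.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3            # MessageType of the final (type 3) NTLM message
NEGOTIATE_UNICODE = 0x1     # strings are UTF-16LE when this flag is set
FIXED_HEADER_LEN = 64       # signature, type, six field descriptors, flags


def _payload_field(buf: bytes, off: int) -> bytes:
    """Field descriptor at `off`: Len (u16), MaxLen (u16), Offset (u32), little-endian."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("field descriptor points outside the message")
    return buf[offset:offset + length]


def parse_authenticate(token_b64: str) -> dict:
    """Decode the NTLMSSP AUTHENTICATE message carried after 'Negotiate' or 'NTLM'."""
    buf = base64.b64decode(token_b64)
    if buf[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", buf, 8)
    if msg_type != AUTHENTICATE:
        raise ValueError(f"expected AUTHENTICATE (3), got message type {msg_type}")
    (flags,) = struct.unpack_from("<I", buf, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {
        "domain": _payload_field(buf, 28).decode(enc),
        "user": _payload_field(buf, 36).decode(enc),
        "workstation": _payload_field(buf, 44).decode(enc),
        "lm_response_len": len(_payload_field(buf, 12)),
        "nt_response_len": len(_payload_field(buf, 20)),
    }


def claimed_user(token_b64: str) -> str:
    """DOMAIN\\user as claimed by the client. Unverified: only the NT response,
    checked against the account's hash by the DC, proves the claim."""
    p = parse_authenticate(token_b64)
    return f"{p['domain']}\\{p['user']}"


def build_sample_authenticate(domain: str, user: str, workstation: str,
                              nt_response: bytes) -> str:
    """Assemble a type 3 message so the example has a token to parse (constructed)."""
    enc = "utf-16-le"
    # Payload order follows the descriptor order in the header:
    # LM response, NT response, domain, user, workstation, session key.
    parts = [b"", nt_response, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]
    descriptors, payload, offset = b"", b"", FIXED_HEADER_LEN
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    header = (SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors
              + struct.pack("<I", NEGOTIATE_UNICODE))
    assert len(header) == FIXED_HEADER_LEN
    return base64.b64encode(header + payload).decode("ascii")


# Constructed sample: placeholder 24-byte NT response, not a real authentication.
SAMPLE_TOKEN = build_sample_authenticate("EXAMPLE", "alice", "WS01", bytes(24))

if __name__ == "__main__":
    print(parse_authenticate(SAMPLE_TOKEN))
    print(claimed_user(SAMPLE_TOKEN))
```

The practical consequence for the IIS + Tomcat setup in this thread: the application should not decode the token itself but read the name IIS already verified, which is what getRemoteUser() returns once request.tomcatAuthentication=false tells Tomcat to take the user from the connector. With that setting Tomcat accepts whatever remote user the connector hands it, so the connector port should only be reachable from the IIS host.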



Re: Windows 2000 Authentication Integration

2003-03-24 Thread Jacob Kjome
You should be able to get it via request.getRemoteUser().  However, note 
that when using the JK connectors, you will have to tell Tomcat whether it 
should get the remote user from the JK environment or from within 
Tomcat.  When using Tomcat with Apache, that is done via adding the 
following to the jk2.properties file...

request.tomcatAuthentication=false

I believe this will also work for the IIS connector.

See this resolved bug for 
details...http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12196

Jake

At 02:50 PM 3/24/2003 -0800, you wrote:
Hi,

I have searched the archives and have not managed to find a decent answer
for this.
The users of an intranet are already logged into the windows domain.
I need to retrieve the currently logged in user name from my java web
application.
1) I am integrating IIS and tomcat using the isapi redirector.
2) using IIS 5.0 and Windows 2000 Server
3) I have set the IIS security to NT Authentication.
The response variable that gets set is

"authenticate"

with a value of

TlRMTVNTUAADGAAYAFgYABgAcAgACABACAAIAEgIAAgAUACI
BYKAoFMATwBMAE8ASABhAG4AcwBTAE8ATABPAOgkx0G8QbgJhRZRc0xo40R8cUWsA6X0SQ9M
cj7FIOa2dRLjARCYlxSI3eGrqD12jW
I assume this is some kind of base 64 encoded token which i need to use to
get the user details from the windows 2000 active directory???
Has anyone got any idea how I retrieve the logged in username.

Thanks

Hans









Windows 2000 Authentication Integration

2003-03-24 Thread Hans Liebenberg
Hi,

I have searched the archives and have not managed to find a decent answer
for this.
The users of an intranet are already logged into the windows domain.
I need to retrieve the currently logged in user name from my java web
application.

1) I am integrating IIS and tomcat using the isapi redirector.
2) using IIS 5.0 and Windows 2000 Server
3) I have set the IIS security to NT Authentication.


The response variable that gets set is

"authenticate"

with a value of

TlRMTVNTUAADGAAYAFgYABgAcAgACABACAAIAEgIAAgAUACI
BYKAoFMATwBMAE8ASABhAG4AcwBTAE8ATABPAOgkx0G8QbgJhRZRc0xo40R8cUWsA6X0SQ9M
cj7FIOa2dRLjARCYlxSI3eGrqD12jW

I assume this is some kind of base 64 encoded token which i need to use to
get the user details from the windows 2000 active directory???

Has anyone got any idea how I retrieve the logged in username.

Thanks

Hans











Authentication with Tomcat/Apache Question

2003-03-21 Thread Mete Kural
Hi,

I am perplexed by this interesting problem. We want to use JDBCRealm to authenticate 
users in Tomcat, yet we want to serve static stuff via Apache to improve 
performance. If we set up Tomcat as a worker for Apache using the JK2 connector, I 
don't see how requests for static files are going to be authenticated via JDBCRealm, 
since Tomcat doesn't even know about these static requests in the first place: 
Apache handles them right away without dispatching them to Tomcat. I'm 
thinking that if we could somehow set up Apache to be a worker for Tomcat, so that Tomcat 
received all requests and dispatched the static ones to Apache, then all 
requests would be authenticated via JDBCRealm. But I don't know how to do that, nor 
whether it is possible at all. Do you have any ideas on how to authenticate "every 
request" with JDBCRealm yet serve only static stuff with Apache?

Thanks,
Mete





Form based authentication and sessions

2003-03-21 Thread Carl Maib
hello all,
i am having trouble getting form based authentication working the way i would like. as 
suggested by several threads in this group, i am trying to override the authenticate method 
of the FormAuthenticator so that i can set session data appropriately.

the problem i am having is that i am unable to get this to build and link as described 
in the examples. a quick summary of what i am trying to do can be found at 
http://tomcat.mslinn.com/tomcat/realms.html (see bottom of the page for tomcat 4.x).

i believe my problem is that i am not quite sure how best to link into and use tomcat's 
native classes. i am not even sure if this is allowed, given the tomcat4 docs indicate 
catalina.jar classes are invisible to web apps, as mentioned below. 

Catalina - This class loader is initialized to include all classes and resources 
required to implement Tomcat 4 itself. These classes and resources are TOTALLY 
invisible to web applications. All unpacked classes and resources in 
$CATALINA_HOME/server/classes, as well as classes and resources in JAR files under 
$CATALINA_HOME/server/lib, are made visible through this class loader. 

so, if they are invisible to webapps, are you not supposed to use them? if allowed, how 
can you get to them?

can someone point me in the right direction, as far as how best to get rid of compile 
time errors (e.g. unknown symbol HttpRequest) and runtime errors which include class 
loader exceptions for FormAuthenticator (tomcat class)?

any help would be greatly appreciated!

thanks...


Error page when user cancel the certificate authentication

2003-03-17 Thread mgp2
Hi

I have a JNDIRealm with certificate authentication. When the user cancels the 
authentication he sees an error page: Cancelled Action.

How can I include my own error page when the user cancels the certificate 
authentication?

Regards.





Re: Tomcat can't do client certificate authentication

2003-03-17 Thread mgp2
Correct. Tomcat can't do client authentication. For this, you have to implement 
a Realm (JDBCRealm, JNDIRealm, etc.) and carry out the authentication yourself.

See http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

-
At 08:52 17/03/2003 +, you wrote:

I've been trying to do this for the last two weeks. There is no
documentation on it (the SSLHowto only describes HTTPS). So I have to
conclude that Tomcat can't do client certs, so we can't use it. Is this
correct?
 
Dave





Tomcat can't do client certificate authentication

2003-03-17 Thread dave . prout
I've been trying to do this for the last two weeks. There is no
documentation on it (the SSLHowto only describes HTTPS). So I have to
conclude that Tomcat can't do client certs, so we can't use it. Is this
correct?
 
Dave

-Original Message- 
From: [EMAIL PROTECTED] 
Sent: Fri 07/03/2003 20:08 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Can Tomcat do client certificate authentication ?



Within our company we've decided to use client certificates for security. 
I've spent all week trying to get this working on Tomcat. If the client and 
server are on the same machine it's easy. But how do I do it if the client 
is on a different machine? I can get SSL working on HTTPS no problem, but 
client certificates? No way. 
  
If we can't find an answer we'll have to ban the use of Tomcat in our 
company for any serious work. 
  
Dave 




Tomcat/Apache 2-way SSL authentication

2003-03-14 Thread Ramsay Domloge
Hey All,

I am currently building a PKI bolt-on for an existing insecure web 
application and have run into trouble at the last hurdle. I have written 
a CA using BouncyCastle's library with JCE which will be used to create 
certificates to gain entry to certain restricted areas.

I am using Apache 2.0.44 (Slackware 8) mod_ssl 2.0.44 (OpenSSL 0.9.6d) 
mod_jk 1.2.2 with Tomcat 4.1.18, and JDK 1.4.1

When I try and access a restricted area, I am prevented, as expected. I 
then build myself a certificate and attempt to access the same area, and 
I am let in with the usual warnings about self-signed certificates.  My 
problem occurs when I set "SSLOptions +StdEnvVars +ExportCertData" in 
httpd.conf. I do this so that I can access the certificate in a servlet 
that sits behind in Tomcat, which needs to do some further processing 
with the certificate.

Catalina throws an exception:

Mar 14, 2003 12:40:58 PM org.apache.jk.server.JkCoyoteHandler action
SEVERE: Certificate convertion failed
java.security.cert.CertificateException: Unable to initialize, 
java.io.IOException: DerInputStream.getLength(): lengthTag=62, too big.
   at sun.security.x509.X509CertImpl.(X509CertImpl.java:289)
   at 
sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:94)
   at 
java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
   at 
org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:395)
   at org.apache.coyote.Response.action(Response.java:222)
   at 
org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)
   at 
org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
   at 
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
   at 
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
   at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:632)
   at 
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:590)
   at 
org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:707)
   at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:530)
   at java.lang.Thread.run(Thread.java:536)
Caused by: java.io.IOException: DerInputStream.getLength(): 
lengthTag=62, too big.
   at 
sun.security.util.DerInputStream.getLength(DerInputStream.java:502)
   at 
sun.security.util.DerInputStream.getLength(DerInputStream.java:476)
   at sun.security.util.DerValue.(DerValue.java:233)
   at 
sun.security.util.DerInputStream.getDerValue(DerInputStream.java:358)
   at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1608)
   at sun.security.x509.X509CertImpl.(X509CertImpl.java:286)
   ... 13 more

Apache seems OK (no error in error_log or catalina_log) and  I seem to 
go through the authentication process OK. I have no idea what this error 
means, since my only theory that the browser cert is invalid cannot be 
true if mod_ssl accepts it... or can it?

Any help would be appreciated - thanks for your patience.

Ramsay
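What the exception in the trace above says in DER terms, as an added example (not connector or JDK code; every input below is constructed): after a DER tag comes a length octet. A value below 0x80 is the length itself; otherwise its low seven bits give the number of following length octets, and the JDK reader refuses more than four. "lengthTag=62" therefore means the octet after the tag was 0x80|62 = 0xBE, which is never how a certificate is encoded (a DER certificate starts 0x30 0x82 ... for the outer SEQUENCE). In other words, the bytes handed to CertificateFactory were not a DER certificate at all. One thing worth checking is whether the value the connector receives is binary DER, PEM text, or base64 whose line breaks were altered on the way from Apache to Tomcat; the helpers below decode each form and report what they see, without claiming which of these applies to this particular setup.

```python
import base64
import re

MAX_LENGTH_OCTETS = 4   # the JDK DER reader rejects long-form lengths wider than this


def der_length(buf: bytes, pos: int) -> tuple:
    """Decode the DER length at buf[pos]; return (length, position after it).
    The error text mirrors the JDK message so the two can be compared."""
    first = buf[pos]
    if first < 0x80:                       # short form: the octet is the length
        return first, pos + 1
    n = first & 0x7F                       # long form: number of length octets
    if n == 0:
        raise ValueError("indefinite length is BER, not DER")
    if n > MAX_LENGTH_OCTETS:
        raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def outer_sequence_length(der: bytes) -> int:
    """A certificate is a SEQUENCE (tag 0x30); return its declared content length."""
    if der[0] != 0x30:
        raise ValueError(f"not a SEQUENCE: first byte 0x{der[0]:02x}")
    length, start = der_length(der, 1)
    if start + length != len(der):
        raise ValueError("declared length does not match the input size")
    return length


PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(text: str) -> bytes:
    """Strip the PEM armour. Whitespace between the markers is removed first, so
    newlines, or spaces substituted for them by a front end, do not matter."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def explain(data: bytes) -> str:
    """Report what a DER parser would make of `data`."""
    try:
        return f"DER SEQUENCE with {outer_sequence_length(data)} content bytes"
    except ValueError as e:
        return f"not DER: {e}"


# Constructed inputs: a well-formed SEQUENCE header over 256 zero bytes (not a real
# certificate), and a header whose length octet is 0xBE, as in the trace above.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
BAD_INPUT = b"\x30\xbe" + bytes(10)

if __name__ == "__main__":
    print(explain(SAMPLE_DER))
    print(explain(BAD_INPUT))
    print(explain(der_to_pem(SAMPLE_DER).encode("ascii")))
```

explain(BAD_INPUT) reproduces the "lengthTag=62, too big." message, and feeding PEM text straight to explain() fails on the first byte ('-') rather than on a length, so the two failure modes are distinguishable from the message alone.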




Authentication in apache-tomcat

2003-03-14 Thread Marc Nothum

Hello,


I'm using tomcat as an in-process servlet-engine in an apache server.
Everything works fine except the authentication. I've configured the
authentication to do access control based on the system users and
passwords. This works fine for static pages, served by Apache, but the
access control is ignored by the dynamic pages served by Tomcat.

I read some documentation saying that one should add the directive
tomcatAuthentication="false" in the Ajp13Connector, but in my
configuration there is no Ajp1xConnector, probably because of the
in-process configuration.

The connector, in server.xml is : , but adding the
tomcatAuthentication="false" directive here has no effect.

I'm running apache and tomcat on an iSeries (AS400, OS400).


Thanks in advance,

  Marc Nothum








RE: JK + client authentication: getRemoteUser() returns null

2003-03-13 Thread Mayne, Peter

Finally found the problem.


I started with JK, and added the /examples section from the auto-generated mod_jk.conf to my httpd.conf:


Alias "/examples" "C:/..."

...



When I switched to JK2, I removed all the JkMounts and kept using the above.


After hours of watching bytes pass by between httpd and Tomcat, hacking on the source, and general tweaking, it gradually dawned on me that I should scrap the above and use


...



and getRemoteUser() started working straight away.


PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777 








Realm Authentication over SSL

2003-03-13 Thread Gabriel Santonja
Hello,

I'm trying to authenticate a user with Tomcat/SSL using a FORM realm.
Now I can't use SSL only when the user gives his password.

Is it possible?

Thank you




RE: JK + client authentication: getRemoteUser() returns null

2003-03-12 Thread Mayne, Peter

I've built jk2 2.0.2 against Apache 2.0.44, run it with Tomcat 4.1.18, and still get exactly the same results: everything seems to work except for getRemoteUser() still returning null.

There is an entry "[error] mod_jk child init 1 0" in the Apache log when it starts. I have no idea what this means, even after looking at the source.

 workers2.properties (chmeee is the hostname):


[shm]
file=${serverRoot}/logs/shm.file
size=1048576


[channel.socket:chmeee:8009]
port=8009
host=chmeee
#info=Ajp13 forwarding over socket
tomcatId=chmeee:8009


[ajp13:chmeee:8009]
channel=channel.socket:chmeee:8009


# Map the Tomcat examples webapp to the Web server uri space
[uri:/examples/*]
worker=ajp13:chmeee:8009
#info=Map the whole webapp


# define the worker
[status:status]


# Uri mapping
[uri:/jkstatus/*]
worker=status:status


 jk2.properties:


shm.file=/oss/Apache-2.0.44/logs/shm.file


request.tomcatAuthentication=false
#request.tomcatAuthentication=true


(I've tried it with both true and false. I expected the correct setting to be "false", but http://marc.theaimsgroup.com/?l=tomcat-user&m=104322962412519&w=2 says "true".)

 Tomcat connector:


    

  
    


What do I try next?


Thanks.


PJDM
-- 
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777








RE: JK + client authentication: getRemoteUser() returns null

2003-03-12 Thread Ignacio J. Ortega
Peter,
 
where do you search? :) better to search where the info is ...
 
http://marc.theaimsgroup.com/?w=2&r=1&s=tomcatAuthentication&q=t
 
elaborating on b):
 
jk2 is the internal name for 2 things:
 
1) a new native connector architecture based on jk but entirely new..
2) the new Coyote based ajp13 connector, that is the java code that
manages ajp13 connections.. and it's compatible with native jk and jk2..
that is, this new connector replaces the ajp13connector you found in 4.0.6
server.xml. jk2.properties is a cfg file for Coyote/jk2..
 
here is an explanation of the subtleties of these 3 different things, jk
native, jk2 native, and Coyote/jk2 connector for tomcat..,
http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk2/doc/
 
Regards,
Ignacio J. Ortega 

 
 
-Original Message-
From: Mayne, Peter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 1:22 AM
To: 'Tomcat Users List'
Subject: RE: JK + client authentication: getRemoteUser() returns null



a) My apologies. I certainly try to send plain text, but Outlook has a
mind of its own, however tiny it may be. I think I've now beaten it into
submission.

b) I'll give it a try. From what I've seen mentioned of jk2, "it's not
ready for production use, not as tested and reliable as jk, etc", so
I haven't tried it. I also presumed that, jk and jk2 being different
things, a jk2.properties file wouldn't modify a jk configuration.

c) I've searched for tomcatAuthentication, but I didn't realise that
putting it in the properties file (as opposed to specifying it in
server.xml) would make a difference. (Not to mention that searching the
archive is currently returning 0 results.)

Thanks. 

PJDM 
-- 
Peter Mayne 
Technology Consultant 
Spherion Technology Solutions 
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
T: 61 2 62689727  F: 61 2 62689777 

> -Original Message- 
> From: Ignacio J. Ortega [ mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, 12 March 2003 1:56 AM 
> To: 'Tomcat Users List' 
> Subject: RE: JK + client authentication: getRemoteUser() returns null 
> 
> 
> Peter, 
> 
> a) Don't send HTML messages to this list, Read 
> http://jakarta.apache.org/site/mail.html. 
> b) jk2.properties is used for the coyote connector jk 
> configuration ( 
> aka jk2 java part), no matter which native connector 
> (jk,jk2) you use.. 
> 
> c) The recipe I gave you has been proven to death, by 
> many people, 
> search archives for tomcatAuthentication.. 
> 
> Regards, 
> Ignacio J. Ortega 
> 
> 
> 
> -Original Message- 
> From: Mayne, Peter [ mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, March 11, 2003 2:27 AM 
> To: 'Tomcat Users List' 
> Subject: RE: JK + client authentication: getRemoteUser() returns null 
> 
> 
> > add ... to jk2.properties 
> "jk2", even though I'm using jk? 
> Anyway, I tried it and it still didn't work. 
> Thanks anyway. 
> PJDM 
> -- 
> Peter Mayne 
> Technology Consultant 
> Spherion Technology Solutions 
> Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
> T: 61 2 62689727  F: 61 2 62689777 
> > -Original Message- 
> > From: Ignacio J. Ortega [ mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, 11 March 2003 12:21 PM 
> > To: 'Tomcat Users List' 
> > Subject: RE: JK + client authentication: getRemoteUser() 
> returns null 
> > 
> > 
> > add 
> > 
> > request.tomcatAuthentication=false 
> > 
> > to jk2.properties 
> > 
> > Regards, 
> > Ignacio J. Ortega 
> > 
> > > -Original Message- 
> > > From: Filip Hanik [ mailto:[EMAIL PROTECTED] 
> > > Sent: Tuesday, March 11, 2003 1:12 AM 
> > > To: Tomcat Users List 
> > > Subject: RE: JK + client authentication: getRemoteUser() 
> > returns null 
> > > 
> > > 
> > > you are correct, there is a bug filed for this, 
> > > Bugzilla Bug 11563 
> > >  
> > > 
> > > not sure anyone is dealing with it though, 
> > > Filip 
> > > -Original Message- 
> > > From: Mayne, Peter [ mailto:[EMAIL PROTECTED] 
> > > Sent: Monday, March 10, 2003 4:01 PM 
> > > To: Tomcat Users List 
> > > Subject: JK + client authentication: getRemoteUser() returns null 
> > > 
> > > 
> > > I'm using 
> > > Windows XP 
> > > Apache 2.0.44 
> > > OpenSSL 0.9.7a 
> > > mod_jk-2.0.43.dll 
> > > Tomcat 4.1.18 
> > > I've followed the instructions at 
> > http://www.johnturner.com/howto/winxp-howto.html to set up 
> Apache and 
> > 

RE: JK + client authentication: getRemoteUser() returns null

2003-03-11 Thread Mayne, Peter

a) My apologies. I certainly try to send plain text, but Outlook has a mind of its own, however tiny it may be. I think I've now beaten it into submission.

b) I'll give it a try. From what I've seen mentioned of jk2, "it's not ready for production use, not as tested and reliable as jk, etc", so I haven't tried it. I also presumed that, jk and jk2 being different things, a jk2.properties file wouldn't modify a jk configuration.

c) I've searched for tomcatAuthentication, but I didn't realise that putting it in the properties file (as opposed to specifying it in server.xml) would make a difference. (Not to mention that searching the archive is currently returning 0 results.)

Thanks.


PJDM
-- 
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777


> -Original Message-
> From: Ignacio J. Ortega [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, 12 March 2003 1:56 AM
> To: 'Tomcat Users List'
> Subject: RE: JK + client authentication: getRemoteUser() returns null
> 
> 
> Peter,
> 
> a) Don't send HTML messages to this list, Read
> http://jakarta.apache.org/site/mail.html.
> b) jk2.properties is used for the coyote connector jk 
> configuration (
> aka jk2 java part), no matter which native connector 
> (jk,jk2) you use..
> 
> c) The recipe I gave you has been proven to death, by 
> many people,
> search archives for tomcatAuthentication.. 
> 
> Regards, 
> Ignacio J. Ortega 
> 
> 
> 
> -Original Message-
> From: Mayne, Peter [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 11, 2003 2:27 AM
> To: 'Tomcat Users List'
> Subject: RE: JK + client authentication: getRemoteUser() returns null
> 
> 
> > add ... to jk2.properties 
> "jk2", even though I'm using jk? 
> Anyway, I tried it and it still didn't work. 
> Thanks anyway. 
> PJDM 
> -- 
> Peter Mayne 
> Technology Consultant 
> Spherion Technology Solutions 
> Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
> T: 61 2 62689727  F: 61 2 62689777 
> > -Original Message- 
> > From: Ignacio J. Ortega [mailto:[EMAIL PROTECTED]] 
> > Sent: Tuesday, 11 March 2003 12:21 PM 
> > To: 'Tomcat Users List' 
> > Subject: RE: JK + client authentication: getRemoteUser() 
> returns null 
> > 
> > 
> > add 
> > 
> > request.tomcatAuthentication=false 
> > 
> > to jk2.properties 
> > 
> > Regards, 
> > Ignacio J. Ortega 
> > 
> > > -Original Message- 
> > > From: Filip Hanik [mailto:[EMAIL PROTECTED]] 
> > > Sent: Tuesday, March 11, 2003 1:12 AM 
> > > To: Tomcat Users List 
> > > Subject: RE: JK + client authentication: getRemoteUser() 
> > returns null 
> > > 
> > > 
> > > you are correct, there is a bug filed for this, 
> > > Bugzilla Bug 11563 
> > >  
> > > 
> > > not sure anyone is dealing with it though, 
> > > Filip 
> > > -Original Message- 
> > > From: Mayne, Peter [mailto:[EMAIL PROTECTED]] 
> > > Sent: Monday, March 10, 2003 4:01 PM 
> > > To: Tomcat Users List 
> > > Subject: JK + client authentication: getRemoteUser() returns null 
> > > 
> > > 
> > > I'm using 
> > > Windows XP 
> > > Apache 2.0.44 
> > > OpenSSL 0.9.7a 
> > > mod_jk-2.0.43.dll 
> > > Tomcat 4.1.18 
> > > I've followed the instructions at 
> > http://www.johnturner.com/howto/winxp-howto.html to set up 
> Apache and 
> > Tomcat using JK, with authentication using client certificates. 
> > Everything seems to be working fine, except 
> request.getRemoteUser() is
> 
> > returning null. (The REMOTE_USER is shown from a CGI script, so 
> > authentication is working.) 
> > The only reference I can find to this problem is in 
> > /tomcat-docs/config/jk.html: setting the tomcatAuthentication 
> > attribute 
> > when using org.apache.ajp.tomcat4.Ajp13Connector, but since this 
> > connector doesn't appear in my server.xml, it doesn't seem to be 
> > relevant. (It does seem to be relevant for Tomcat 4.0.6, but 
> > I'd rather 
> > not have to try dropping back to there.) 
> > Before I post voluminous config files, am I missing something 
> > obvious? 
> > Thanks. 
> > PJDM 
> > -- 
> > Peter Mayne 
> > Technology Consultant 
> > Spherion Technology

RE: JK + client authentication: getRemoteUser() returns null

2003-03-11 Thread Mayne, Peter

I've reverted to Tomcat 4.0.6, I'm using mod_jk that I've built myself against Apache 2.0.44, and I'm using Ajp13Connector, but getRemoteUser() still doesn't work, and I'm tearing my hair out.

 Server.xml contains (in part):





workersConfig="c:/oss/jakarta-tomcat-4.0.6/conf/jk/workers.properties"
    jkLog="c:/oss/jakarta-tomcat-4.0.6/logs/mod_jk.log"
/>
...
  
  



workersConfig="c:/oss/jakarta-tomcat-4.0.6/conf/jk/workers.properties"
    jkLog="c:/oss/jakarta-tomcat-4.0.6/logs/mod_jk.log"
/>


    
    
   port="8009" minProcessors="5" maxProcessors="75"
   acceptCount="10" debug="9" tomcatAuthentication="false"/>


 workers.properties:


worker.list=ajp13


worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009


 httpd.conf contains (in part):


JkWorkersFile c:/oss/jakarta-tomcat-4.0.6/conf/jk/workers.properties
JkLogFile c:/oss/jakarta-tomcat-4.0.6/logs/mod_jk.log
JkLogLevel emerg
JkExtractSSL On



    Alias /examples "C:/oss/jakarta-tomcat-4.0.6/webapps/examples"


    
    Options Indexes FollowSymLinks
    DirectoryIndex index.html index.htm index.jsp 
    SSLOptions +StdEnvVars +FakeBasicAuth
    AuthType Basic
    AuthName "This realm"
    AuthUserFile conf/passwd
    Require  valid-user
    
    JkMount /examples ajp13
    JkMount /examples/* ajp13
    JkMount /examples/jsp/security/protected/j_security_check  ajp13
    JkMount /examples/snoop  ajp13
    JkMount /examples/servlet/*  ajp13
    JkMount /examples/CompressionTest  ajp13
    JkMount /examples/*.jsp  ajp13
    JkMount /examples/servletToJsp  ajp13
    JkMount /examples/SendMailServlet  ajp13



 and finally, the connector log:


2003-03-11 23:42:30 Ajp13Processor[8009][4] [Ajp13] receiveNextRequest()
2003-03-11 23:42:30 Ajp13Processor[8009][4] [Ajp13] receive()
2003-03-11 23:42:31 Ajp13Processor[8009][4] [Ajp13] Received 4 589 18
2003-03-11 23:42:31 Ajp13Processor[8009][4] [Ajp13] receive:  total read = 589
2003-03-11 23:42:31 Ajp13Processor[8009][4] [Ajp13] Received 2 JK_AJP13_FORWARD_REQUEST
2003-03-11 23:42:31 Ajp13Processor[8009][4] [Ajp13] [RequestHandler] decodeRequest()
2003-03-11 23:42:31 Ajp13Processor[8009][4] [Ajp13] [RequestHandler] === BaseRequest ===
method  = GET
protocol    = HTTP/1.1
requestURI  = /examples/jsp/snp/snoop.jsp
remoteAddr  = 192.168.254.1
remoteHost  = null
serverName  = chmeee
serverPort  = 443
remoteUser  = null
authType    = null
queryString = null
scheme  = https
secure  = true
contentLength   = 0
contentType = null
attributes  = {}
headers = === MimeHeaders ===
host = chmeee
user-agent = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
accept = application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1

accept-language = en-us, en;q=0.50
accept-encoding = gzip, deflate, compress;q=0.9
accept-charset = ISO-8859-1, utf-8;q=0.66, *;q=0.66
keep-alive = 300
connection = keep-alive
referer = https://chmeee/examples/jsp/
cookie = JSESSIONID=3832DD83EC747E4E4023C3E20054BBEA
cache-control = max-age=0
content-length = 0


cookies = === Cookies ===
Cookie JSESSIONID=3832DD83EC747E4E4023C3E20054BBEA ; 0 null null


jvmRoute    = null


What am I doing wrong?


Thanks.


PJDM
--
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777


The information contained in this email and any attachments to it:

(a) may be confidential and if you are not the intended recipient, any interference with, 
use, disclosure or copying of this material is unauthorised and prohibited; and

(b) may contain personal information of the recipient and/or the sender as defined 
under the Privacy Act 1988 (Cth). Consent is hereby given by the recipient(s) to 
collect, hold and use such information and any personal information contained in a 
response to this email, for any reasonable purpose in the ordinary course of 
Spherion's 
business, including forwarding this email internally or disclosing it to a third party. All 
personal information collected by Spherion will be handled in accordance with 
Spherion's Privacy Policy. If you have received this email in error, please notify the 
sender and delete it.

(c) you agree not to employ or arrange employment for any candidate(s) supplied in 
this email and any attachments without first entering into a contractual agree
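The connector log above decodes a JK_AJP13_FORWARD_REQUEST and prints remoteUser = null. The following Python is an added example, not code from this thread, Tomcat or mod_jk: it encodes and decodes a minimal AJP13 forward request so you can see where Apache's REMOTE_USER travels (the remote_user and auth_type attributes) and what the tomcatAuthentication switch does with it. The request fields mirror the log; the DN placed in remote_user is a made-up value in the shape +FakeBasicAuth produces.

```python
import struct

AJP_MAGIC = b"\x12\x34"          # marks packets from the web server to the container
JK_AJP13_FORWARD_REQUEST = 2     # the prefix code the connector log above reports
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4}   # AJP13 method codes
# Frequent request headers travel as two-byte 0xA0xx codes instead of strings.
HEADER_CODES = {"accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
                "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
                "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
                "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
                "user-agent": 0xA00E}
HEADER_NAMES = {code: name for name, code in HEADER_CODES.items()}
# Optional attributes: the web server's REMOTE_USER rides in remote_user (0x03).
SC_A_REMOTE_USER, SC_A_AUTH_TYPE, SC_A_REQ_ATTRIBUTE, SC_A_ARE_DONE = 0x03, 0x04, 0x0A, 0xFF


def _enc_str(s):
    """AJP string: two-byte length, bytes, NUL terminator; length 0xFFFF means null."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def _dec_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + 3 + n


def encode_forward_request(method, uri, remote_addr, server_name, server_port,
                           is_ssl, headers, attributes):
    """Build the packet as mod_jk would; attributes is a list of (code, value)."""
    body = bytes([JK_AJP13_FORWARD_REQUEST, METHODS[method]])
    body += _enc_str("HTTP/1.1") + _enc_str(uri) + _enc_str(remote_addr)
    body += _enc_str(None) + _enc_str(server_name)   # remote_host left unresolved
    body += struct.pack(">H", server_port) + bytes([1 if is_ssl else 0])
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        body += (struct.pack(">H", code) if code else _enc_str(name)) + _enc_str(value)
    for code, value in attributes:
        body += bytes([code]) + _enc_str(value)
    body += bytes([SC_A_ARE_DONE])
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


def decode_forward_request(packet):
    """Parse a FORWARD_REQUEST into the fields the BaseRequest dump prints."""
    if packet[:2] != AJP_MAGIC:
        raise ValueError("bad AJP magic")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length or body[0] != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("truncated packet or not a FORWARD_REQUEST")
    req = {"method": {v: k for k, v in METHODS.items()}.get(body[1], body[1])}
    pos = 2
    for field in ("protocol", "requestURI", "remoteAddr", "remoteHost", "serverName"):
        req[field], pos = _dec_str(body, pos)
    (req["serverPort"],) = struct.unpack_from(">H", body, pos)
    req["secure"] = bool(body[pos + 2])
    (nhdr,) = struct.unpack_from(">H", body, pos + 3)
    pos += 5
    req["headers"] = {}
    for _ in range(nhdr):
        (tag,) = struct.unpack_from(">H", body, pos)
        if tag >> 8 == 0xA0:                      # coded header name
            name, pos = HEADER_NAMES[tag], pos + 2
        else:
            name, pos = _dec_str(body, pos)
        req["headers"][name.lower()], pos = _dec_str(body, pos)
    req["attributes"] = {}
    while body[pos] != SC_A_ARE_DONE:
        code, pos = body[pos], pos + 1
        if code == SC_A_REQ_ATTRIBUTE:            # 0x0A carries a name/value pair
            code, pos = _dec_str(body, pos)
        req["attributes"][code], pos = _dec_str(body, pos)
    return req


def effective_remote_user(req, tomcat_authentication=True):
    """What getRemoteUser()/getAuthType() end up with. With tomcatAuthentication=true
    (the default) Tomcat does not take the asserted user, hence remoteUser = null in
    the log; with false it trusts the attribute, so only the web server may reach AJP."""
    if tomcat_authentication:
        return None, None
    return (req["attributes"].get(SC_A_REMOTE_USER),
            req["attributes"].get(SC_A_AUTH_TYPE))


def demo_packet():
    """Constructed request shaped like the logged one; the DN is a made-up value."""
    return encode_forward_request(
        "GET", "/examples/jsp/snp/snoop.jsp", "192.168.254.1", "chmeee", 443, True,
        headers=[("Host", "chmeee"), ("X-Forwarded-Proto", "https")],
        attributes=[(SC_A_REMOTE_USER, "/C=AU/O=Example/CN=Peter Mayne"),
                    (SC_A_AUTH_TYPE, "Basic")])
```

Decoding demo_packet() and calling effective_remote_user() with both flag values reproduces the null seen in the log and the value the tomcatAuthentication=false recipe yields.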

RE: JK + client authentication: getRemoteUser() returns null

2003-03-11 Thread Ignacio J. Ortega
Peter,

a) Don't send HTML messages to this list. Read
http://jakarta.apache.org/site/mail.html.
b) jk2.properties is used for the Coyote connector JK configuration
(aka the jk2 Java part), no matter which native connector (jk, jk2) you use.

c) The recipe I gave you has been proved to death by many people;
search the archives for tomcatAuthentication.

Saludos, 
Ignacio J. Ortega 



-Original Message-
From: Mayne, Peter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 2:27 AM
To: 'Tomcat Users List'
Subject: RE: JK + client authentication: getRemoteUser() returns null


> add ... to jk2.properties 
"jk2", even though I'm using jk? 
Anyway, I tried it and it still didn't work. 
Thanks anyway. 
PJDM 
-- 
Peter Mayne 
Technology Consultant 
Spherion Technology Solutions 
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
T: 61 2 62689727  F: 61 2 62689777 
> -Original Message- 
> From: Ignacio J. Ortega [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, 11 March 2003 12:21 PM 
> To: 'Tomcat Users List' 
> Subject: RE: JK + client authentication: getRemoteUser() returns null 
> 
> 
> add 
> 
> request.tomcatAuthentication=false 
> 
> to jk2.properties 
> 
> Saludos, 
> Ignacio J. Ortega 
> 
> > -Original Message- 
> > From: Filip Hanik [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, March 11, 2003 1:12 AM 
> > To: Tomcat Users List 
> > Subject: RE: JK + client authentication: getRemoteUser() 
> returns null 
> > 
> > 
> > you are correct, there is a bug filed for this, 
> > Bugzilla Bug 11563 
> >  
> > 
> > not sure anyone is dealing with it though, 
> > Filip 
> > -----Original Message- 
> > From: Mayne, Peter [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, March 10, 2003 4:01 PM 
> > To: Tomcat Users List 
> > Subject: JK + client authentication: getRemoteUser() returns null 
> > 
> > 
> > I'm using 
> > Windows XP 
> > Apache 2.0.44 
> > OpenSSL 0.9.7a 
> > mod_jk-2.0.43.dll 
> > Tomcat 4.1.18 
> > I've followed the instructions at 
> http://www.johnturner.com/howto/winxp-howto.html to set up Apache and 
> Tomcat using JK, with authentication using client certificates. 
> Everything seems to be working fine, except request.getRemoteUser() is

> returning null. (The REMOTE_USER is shown from a CGI script, so 
> authentication is working.) 
> The only reference I can find to this problem is in 
> /tomcat-docs/config/jk.html: setting the tomcatAuthentication 
> attribute 
> when using org.apache.ajp.tomcat4.Ajp13Connector, but since this 
> connector doesn't appear in my server.xml, it doesn't seem to be 
> relevant. (It does seem to be relevant for Tomcat 4.0.6, but 
> I'd rather 
> not have to try dropping back to there.) 
> Before I post voluminous config files, am I missing something 
> obvious? 
> Thanks. 
> PJDM 
> -- 
> Peter Mayne 
> Technology Consultant 
> Spherion Technology Solutions 
> Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
> T: 61 2 62689727  F: 61 2 62689777 
> 
> - 
> To unsubscribe, e-mail: [EMAIL PROTECTED] 
> For additional commands, e-mail: [EMAIL PROTECTED] 
> 
> 

SSL client authentication + LDAP realm / Tomcat 4.1.18

2003-03-11 Thread Philippe Maseres
Hello.

I am trying to set up the following features:
- Client authentication using client SSL certificates
- Client authorization using the JNDI realm, against an iPlanet LDAP
directory

I first tested a simpler configuration using the LDAP realm with BASIC
authentication, and it works fine. The realm configuration, set up in the
server.xml application context, is:



<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://localhost:389"
       roleBase="ou=Roles,ou=TomcatRealm,dc=moon.net"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
       roleSubtree="false"
       userBase="ou=Users,ou=TomcatRealm,dc=moon.net"
       userSearch="(cn={0})"
/>


According to this configuration, when a user tries to access a secured URL
and provides a BASIC login and password, the realm correctly checks the
credentials against the directory, binding with the DN using the userBase
and userSearch parameters.

On the other hand, I tried another configuration, using SSL client
authentication and the default realm, adding a user entry in the
tomcat-users.xml file with the complete DN as username:
"cn=SomeBody,ou=Users,ou=TomcatRealm,dc=moon.net". As expected, the
certificate is successfully verified against the cacerts trust store, and the
default realm correctly matches the user with the issuer DN extracted from
the client certificate.

In this last case, I assumed the DN provided by the client certificate is
the exact expression used by the realm to match the user's identity.

Now, I don't understand how it is possible to configure both the JNDI
realm and the SSL connector to indicate how the client certificate's DN must
be used to check the user identity in the LDAP directory. It seems obvious
that using the full DN from the client certificate as a single user
identifier (cn, uid, etc.) fails, since the search filter doesn't match.
Would it be sensible to use the key alias from the trust keystore as the
directory identifier value? Perhaps I am not going about it the right way!

Thanks for your help.

Philippe Maseres


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
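As an added example (not from Philippe's post, and not Tomcat's own code), the Python below splits the certificate DN that Tomcat hands the realm as the username after CLIENT-CERT authentication into its RDNs and substitutes a single RDN value into the JNDIRealm userSearch pattern, with RFC 4515 escaping so a certificate subject cannot add terms to the filter. naive_user_search shows the filter the whole-DN substitution produces, which is why "(cn={0})" never matches. All DN values are constructed.

```python
def parse_dn(dn):
    """Split an RFC 2253 style DN into [(attr, value), ...], honouring backslash
    escapes and quoted values (multi-valued RDNs joined with '+' are not split)."""
    rdns, attr, buf, quoted, i = [], None, [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):        # escaped character, take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "=" and attr is None and not quoted:
            attr, buf = "".join(buf).strip().lower(), []
        elif c in ",;" and not quoted:           # RDN separator
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        rdns.append((attr, "".join(buf).strip()))
    return rdns


def escape_filter_value(value):
    """RFC 4515 escaping, so a certificate subject cannot inject filter terms."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def naive_user_search(user_search, dn):
    """The whole DN dropped into {0}, which is what Philippe observes failing:
    the filter compares cn with the complete DN string."""
    return user_search.replace("{0}", dn)


def build_user_search(user_search, dn, rdn_attr="cn"):
    """Substitute one RDN value (default: cn) from the certificate DN into the
    realm's userSearch pattern, escaped for use inside an LDAP filter."""
    values = [v for a, v in parse_dn(dn) if a == rdn_attr]
    if not values:
        raise ValueError("no %s RDN in %r" % (rdn_attr, dn))
    return user_search.replace("{0}", escape_filter_value(values[0]))
```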



RE: JK + client authentication: getRemoteUser() returns null

2003-03-11 Thread Reynir Hübner
Hi, 

I've just installed tomcat4.1.18 with IIS and jk2 and it works fine. 
I was having problems with the getRemoteUser(), and it works fine when using jk2.

I posted the steps to install onto my website
 http://www.reynir.net/tomcat/tomcat_IIS_service_jk2.html

There may be some bugs in these docs, but this installation works for me so maybe it 
could help someone. 

[EMAIL PROTECTED]




> -Original Message-
> From: Robert Biernat [mailto:[EMAIL PROTECTED] 
> Sent: 11. mars 2003 00:26
> To: 'Tomcat Users List'
> Subject: RE: JK + client authentication: getRemoteUser() returns null
> 
> 
> I sent a message earlier with a similar problem however I'm 
> using IIS 5.0 and the ISAPI redirector, and not using Apache 
> with SSL certificates.
> 
> It appears the combination of the CoyoteConnector and the 
> JkCoyoteHandler is where the bug lies. I switched off the 
> CoyoteConnector, and reverted back to the old Ajp13Connector, 
> added the attribute tomcatAuthentication="false" and it 
> worked fine. However I've been having stability problems with 
> the Ajp13Connector (Tomcat runs out of threads) and want to 
> upgrade to the new CoyoteConnector as soon as possible. At 
> this stage this bug is all that is holding me back from 
> deployment of 4.1.18 to production.
> 
> Rob 
> 
> -Original Message-
> From: Filip Hanik [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 11 March 2003 11:12 AM
> To: Tomcat Users List
> Subject: RE: JK + client authentication: getRemoteUser() returns null
> 
> 
> you are correct, there is a bug filed for this,
> Bugzilla Bug 11563 
>  
> 
> not sure anyone is dealing with it though,
> Filip
> -Original Message-
> From: Mayne, Peter [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 10, 2003 4:01 PM
> To: Tomcat Users List
> Subject: JK + client authentication: getRemoteUser() returns null
> 
> 
> I'm using 
> Windows XP 
> Apache 2.0.44 
> OpenSSL 0.9.7a 
> mod_jk-2.0.43.dll 
> Tomcat 4.1.18 
> I've followed the instructions at 
> http://www.johnturner.com/howto/winxp-howto.html to set up 
> Apache and Tomcat using JK, with authentication using client 
> certificates. Everything seems to be working fine, except 
> request.getRemoteUser() is returning null. (The REMOTE_USER 
> is shown from a CGI script, so authentication is working.) 
> The only reference I can find to this problem is in
> /tomcat-docs/config/jk.html: setting the tomcatAuthentication 
> attribute when using org.apache.ajp.tomcat4.Ajp13Connector, 
> but since this connector doesn't appear in my server.xml, it 
> doesn't seem to be relevant. (It does seem to be relevant for 
> Tomcat 4.0.6, but I'd rather not have to try dropping back to 
> there.) Before I post voluminous config files, am I missing 
> something obvious? 
> Thanks. 
> PJDM 
> -- 
> Peter Mayne 
> Technology Consultant 
> Spherion Technology Solutions 
> Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
> T: 61 2 62689727  F: 61 2 62689777 
> 
> 




RE: JK + client authentication: getRemoteUser() returns null

2003-03-10 Thread Mayne, Peter





I just looked through the 4.1.21-beta release notes: it doesn't appear to be fixed there either.


Who do we have to bribe around here? :-)


PJDM
-- 
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777


> -Original Message-
> From: Filip Hanik [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, 11 March 2003 11:12 AM
> To: Tomcat Users List
> Subject: RE: JK + client authentication: getRemoteUser() returns null
> 
> 
> you are correct, there is a bug filed for this,
> Bugzilla Bug 11563 
>  
> 
> not sure anyone is dealing with it though,
> Filip







RE: JK + client authentication: getRemoteUser() returns null

2003-03-10 Thread Mayne, Peter





> add ... to jk2.properties


"jk2", even though I'm using jk?


Anyway, I tried it and it still didn't work.


Thanks anyway.


PJDM
-- 
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777


> -Original Message-
> From: Ignacio J. Ortega [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, 11 March 2003 12:21 PM
> To: 'Tomcat Users List'
> Subject: RE: JK + client authentication: getRemoteUser() returns null
> 
> 
> add
> 
> request.tomcatAuthentication=false
> 
> to jk2.properties
> 
> Saludos, 
> Ignacio J. Ortega 
> 
> > -Original Message-
> > From: Filip Hanik [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, March 11, 2003 1:12 AM
> > To: Tomcat Users List
> > Subject: RE: JK + client authentication: getRemoteUser() 
> returns null
> > 
> > 
> > you are correct, there is a bug filed for this,
> > Bugzilla Bug 11563 
> >  
> > 
> > not sure anyone is dealing with it though,
> > Filip
> > -Original Message-
> > From: Mayne, Peter [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, March 10, 2003 4:01 PM
> > To: Tomcat Users List
> > Subject: JK + client authentication: getRemoteUser() returns null
> > 
> > 
> > I'm using 
> > Windows XP 
> > Apache 2.0.44 
> > OpenSSL 0.9.7a 
> > mod_jk-2.0.43.dll 
> > Tomcat 4.1.18 
> > I've followed the instructions at 
> http://www.johnturner.com/howto/winxp-howto.html to set up Apache and
> Tomcat using JK, with authentication using client certificates.
> Everything seems to be working fine, except request.getRemoteUser() is
> returning null. (The REMOTE_USER is shown from a CGI script, so
> authentication is working.)
> The only reference I can find to this problem is in
> /tomcat-docs/config/jk.html: setting the tomcatAuthentication 
> attribute
> when using org.apache.ajp.tomcat4.Ajp13Connector, but since this
> connector doesn't appear in my server.xml, it doesn't seem to be
> relevant. (It does seem to be relevant for Tomcat 4.0.6, but 
> I'd rather
> not have to try dropping back to there.)
> Before I post voluminous config files, am I missing something 
> obvious? 
> Thanks. 
> PJDM 
> -- 
> Peter Mayne 
> Technology Consultant 
> Spherion Technology Solutions 
> Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
> T: 61 2 62689727  F: 61 2 62689777 
> 
> 
> 



RE: JK + client authentication: getRemoteUser() returns null

2003-03-10 Thread Mayne, Peter





Thanks to both of you. I suppose I won't be holding my breath. :-\


I'll try using the Ajp13Connector.


PJDM
-- 
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777


> -Original Message-
> From: Robert Biernat [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, 11 March 2003 11:26 AM
> To: 'Tomcat Users List'
> Subject: RE: JK + client authentication: getRemoteUser() returns null
> 
> -Original Message-
> From: Filip Hanik [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 11 March 2003 11:12 AM
> To: Tomcat Users List
> Subject: RE: JK + client authentication: getRemoteUser() returns null







RE: JK + client authentication: getRemoteUser() returns null

2003-03-10 Thread Ignacio J. Ortega
add

request.tomcatAuthentication=false

to jk2.properties

Saludos, 
Ignacio J. Ortega 

> -Original Message-
> From: Filip Hanik [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 11, 2003 1:12 AM
> To: Tomcat Users List
> Subject: RE: JK + client authentication: getRemoteUser() returns null
> 
> 
> you are correct, there is a bug filed for this,
> Bugzilla Bug 11563 
>  
> 
> not sure anyone is dealing with it though,
> Filip
> -Original Message-
> From: Mayne, Peter [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 10, 2003 4:01 PM
> To: Tomcat Users List
> Subject: JK + client authentication: getRemoteUser() returns null
> 
> 
> I'm using 
> Windows XP 
> Apache 2.0.44 
> OpenSSL 0.9.7a 
> mod_jk-2.0.43.dll 
> Tomcat 4.1.18 
> I've followed the instructions at 
http://www.johnturner.com/howto/winxp-howto.html to set up Apache and
Tomcat using JK, with authentication using client certificates.
Everything seems to be working fine, except request.getRemoteUser() is
returning null. (The REMOTE_USER is shown from a CGI script, so
authentication is working.)
The only reference I can find to this problem is in
/tomcat-docs/config/jk.html: setting the tomcatAuthentication attribute
when using org.apache.ajp.tomcat4.Ajp13Connector, but since this
connector doesn't appear in my server.xml, it doesn't seem to be
relevant. (It does seem to be relevant for Tomcat 4.0.6, but I'd rather
not have to try dropping back to there.)
Before I post voluminous config files, am I missing something obvious? 
Thanks. 
PJDM 
-- 
Peter Mayne 
Technology Consultant 
Spherion Technology Solutions 
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
T: 61 2 62689727  F: 61 2 62689777 



RE: JK + client authentication: getRemoteUser() returns null

2003-03-10 Thread Robert Biernat
I sent a message earlier with a similar problem however I'm using IIS 5.0
and the ISAPI redirector, and not using Apache with SSL certificates.

It appears the combination of the CoyoteConnector and the JkCoyoteHandler is
where the bug lies. I switched off the CoyoteConnector, and reverted back
to the old Ajp13Connector, added the attribute tomcatAuthentication="false"
and it worked fine. However I've been having stability problems with the
Ajp13Connector (Tomcat runs out of threads) and want to upgrade to the new
CoyoteConnector as soon as possible. At this stage this bug is all that is
holding me back from deployment of 4.1.18 to production.

Rob 

-Original Message-
From: Filip Hanik [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 11 March 2003 11:12 AM
To: Tomcat Users List
Subject: RE: JK + client authentication: getRemoteUser() returns null


you are correct, there is a bug filed for this,
Bugzilla Bug 11563 
 

not sure anyone is dealing with it though,
Filip
-Original Message-
From: Mayne, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, March 10, 2003 4:01 PM
To: Tomcat Users List
Subject: JK + client authentication: getRemoteUser() returns null


I'm using 
Windows XP 
Apache 2.0.44 
OpenSSL 0.9.7a 
mod_jk-2.0.43.dll 
Tomcat 4.1.18 
I've followed the instructions at
http://www.johnturner.com/howto/winxp-howto.html to set up Apache and Tomcat
using JK, with authentication using client certificates.
Everything seems to be working fine, except request.getRemoteUser() is
returning null. (The REMOTE_USER is shown from a CGI script, so
authentication is working.)
The only reference I can find to this problem is in
/tomcat-docs/config/jk.html: setting the tomcatAuthentication attribute when
using org.apache.ajp.tomcat4.Ajp13Connector, but since this connector
doesn't appear in my server.xml, it doesn't seem to be relevant. (It does
seem to be relevant for Tomcat 4.0.6, but I'd rather not have to try
dropping back to there.)
Before I post voluminous config files, am I missing something obvious? 
Thanks. 
PJDM 
-- 
Peter Mayne 
Technology Consultant 
Spherion Technology Solutions 
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
T: 61 2 62689727  F: 61 2 62689777 



RE: JK + client authentication: getRemoteUser() returns null

2003-03-10 Thread Filip Hanik
you are correct, there is a bug filed for this,
Bugzilla Bug 11563 
 

not sure anyone is dealing with it though,
Filip
-Original Message-
From: Mayne, Peter [mailto:[EMAIL PROTECTED]
Sent: Monday, March 10, 2003 4:01 PM
To: Tomcat Users List
Subject: JK + client authentication: getRemoteUser() returns null


I'm using 
Windows XP 
Apache 2.0.44 
OpenSSL 0.9.7a 
mod_jk-2.0.43.dll 
Tomcat 4.1.18 
I've followed the instructions at http://www.johnturner.com/howto/winxp-howto.html to 
set up Apache and Tomcat using JK, with authentication using client certificates.
Everything seems to be working fine, except request.getRemoteUser() is returning null. 
(The REMOTE_USER is shown from a CGI script, so authentication is working.)
The only reference I can find to this problem is in /tomcat-docs/config/jk.html: 
setting the tomcatAuthentication attribute when using 
org.apache.ajp.tomcat4.Ajp13Connector, but since this connector doesn't appear in my 
server.xml, it doesn't seem to be relevant. (It does seem to be relevant for Tomcat 
4.0.6, but I'd rather not have to try dropping back to there.)
Before I post voluminous config files, am I missing something obvious? 
Thanks. 
PJDM 
-- 
Peter Mayne 
Technology Consultant 
Spherion Technology Solutions 
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602 
T: 61 2 62689727  F: 61 2 62689777 




JK + client authentication: getRemoteUser() returns null

2003-03-10 Thread Mayne, Peter





I'm using


Windows XP
Apache 2.0.44
OpenSSL 0.9.7a
mod_jk-2.0.43.dll
Tomcat 4.1.18


I've followed the instructions at http://www.johnturner.com/howto/winxp-howto.html to set up Apache and Tomcat using JK, with authentication using client certificates.

Everything seems to be working fine, except request.getRemoteUser() is returning null. (The REMOTE_USER is shown from a CGI script, so authentication is working.)

The only reference I can find to this problem is in /tomcat-docs/config/jk.html: setting the tomcatAuthentication attribute when using org.apache.ajp.tomcat4.Ajp13Connector, but since this connector doesn't appear in my server.xml, it doesn't seem to be relevant. (It does seem to be relevant for Tomcat 4.0.6, but I'd rather not have to try dropping back to there.)

Before I post voluminous config files, am I missing something obvious?


Thanks.


PJDM
-- 
Peter Mayne
Technology Consultant
Spherion Technology Solutions
Level 1, 243 Northbourne Avenue, Lyneham, ACT, 2602
T: 61 2 62689727  F: 61 2 62689777



Apache-Basic Authentication How To

2003-03-10 Thread Manu Kits
Hello,

I am using Apache 1.3.26 on IBM AIX

I want to implement Basic Authentication on Apache (Ref: htpasswd)

I have 2 users with their respective directories:
--------------------------------------------------------
USER NAME   HOME DIR      public_html
--------------------------------------------------------
BILL        /home/bill    /home/bill/public_html
GATES       /home/gates   /home/gates/public_html
I want to IMPLEMENT Basic Authentication for User BILL and NO Authentication 
for user GATES.
How can I do that - is it possible to have Basic Authentication for User 
BILL and NO Authentication for User GATES?

This is what I have done
---

 Options +FollowSymLinks
 AllowOverride All
 Order allow,deny
 Allow from all

 BASIC AUTHENTICATION for USER BILL 


 Options +FollowSymLinks +SymLinksIfOwnerMatch +Indexes
 Order allow,deny
 Allow from all
 AllowOverride All
 AllowOverride AuthConfig
 AuthType Basic
 AuthName "By Invitation Only"
 AuthUserFile /usr/local/apache2003/passwd/apache_password
 Require valid-user

 NO AUTHENTICATION for USER GATES 


 Options +FollowSymLinks +SymLinksIfOwnerMatch +Indexes
 Order allow,deny
 Allow from all

---
THANKS!



problem with authentication

2003-03-08 Thread Felix Janssen
Hello

I'm using form authentication and a JDBCRealm for a tomcat/jsp application.
When I request a restricted page, I get my login page. When I try to log in
with incorrect username/password, I get the error-page. But when I log in
with correct username/pass, I get a blank screen and am not logged in.

The logs show:

2003-03-09 01:53:01 Authenticator[/scss]: Security checking request POST /scss/j_security_check
2003-03-09 01:53:01 Authenticator[/scss]: Authenticating username 'felixj'
2003-03-09 01:53:01 JDBCRealm[/scss]: Username felixj successfully authenticated

but nothing more.

Can anyone please help?

regards

Felix




RE: Can Tomcat do client certificate authentication ?

2003-03-08 Thread dave . prout
We can't use digest authentication, as we have to store our passwords
encrypted.

-Original Message- 
From: Tarun Ramakrishna Elankath [mailto:[EMAIL PROTECTED] 
Sent: Sat 08/03/2003 14:19 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: Can Tomcat do client certificate authentication ?



How about Digest authentication ? 

On Sat, 2003-03-08 at 15:19, [EMAIL PROTECTED] wrote:
> I'm using Tomcat 4.1.18 standalone. We need client certificates to work
> across all our platforms. With Microsoft it's easy, with Tomcat we just
> can't seem to do it.
>
> We've looked at many different methods of security. Basic Authentication
> is OK if we use it with HTTPS, but doesn't seem to be very interoperable.
>
> Dave
>
> -Original Message-
> From: Bill Barker [mailto:[EMAIL PROTECTED]]
> Sent: Sat 08/03/2003 07:07
> To: [EMAIL PROTECTED]
> Cc:
> Subject: Re: Can Tomcat do client certificate authentication ?
>
> The choice of going to SSL-CERT auth puts a huge burden on your IT staff.
> You've got to collect all of your clients' certs, and manage them
> (including renewals, revocations, et al.). Except for small closed groups,
> it is almost always not worth the trouble.
>
> Which headaches you want really depends on your configuration. The
> methods are different if you are using Apache/IIS/iPlanet in front of
> Tomcat, or if you are using Tomcat-Stand-Alone.
>
> <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Within our company we've decided to use client certificates for
> > security. I've spent all week trying to get this working on Tomcat. If
> > the client and server are on the same machine it's easy. But how do I
> > do it if the client is on a different machine? I can get SSL working on
> > HTTPS no problem, but client certificates? No way.
> >
> > If we can't find an answer we'll have to ban the use of Tomcat in our
> > company for any serious work.
> >
> > Dave

RE: Can Tomcat do client certificate authentication ?

2003-03-08 Thread Tarun Ramakrishna Elankath
How about Digest authentication ?

On Sat, 2003-03-08 at 15:19, [EMAIL PROTECTED] wrote:
> I'm using Tomcat 4.1.18 standalone. We need client certificates to work
> across all our platforms. With Microsoft it's easy, with Tomcat we just
> can't seem to do it.
>
> We've looked at many different methods of security. Basic Authentication
> is OK if we use it with HTTPS, but doesn't seem to be very interoperable.
>
> Dave
>
> -Original Message-
> From: Bill Barker [mailto:[EMAIL PROTECTED]]
> Sent: Sat 08/03/2003 07:07
> To: [EMAIL PROTECTED]
> Cc:
> Subject: Re: Can Tomcat do client certificate authentication ?
>
> The choice of going to SSL-CERT auth puts a huge burden on your IT staff.
> You've got to collect all of your clients' certs, and manage them
> (including renewals, revocations, et al.). Except for small closed groups,
> it is almost always not worth the trouble.
>
> Which headaches you want really depends on your configuration. The
> methods are different if you are using Apache/IIS/iPlanet in front of
> Tomcat, or if you are using Tomcat-Stand-Alone.
>
> <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Within our company we've decided to use client certificates for
> > security. I've spent all week trying to get this working on Tomcat. If
> > the client and server are on the same machine it's easy. But how do I
> > do it if the client is on a different machine? I can get SSL working on
> > HTTPS no problem, but client certificates? No way.
> >
> > If we can't find an answer we'll have to ban the use of Tomcat in our
> > company for any serious work.
> >
> > Dave



AW: Client Authentication

2003-03-08 Thread Mario Ivkovic
>Have you got it working across more than one box?

Yes





RE: Client Authentication

2003-03-08 Thread dave . prout
Have you got it working across more than one box, or is client and server on
the same machine ?

-Original Message- 
From: Mario Ivkovic [mailto:[EMAIL PROTECTED] 
Sent: Sat 08/03/2003 12:08 
To: 'Tomcat Users List' 
Cc: 
Subject: AW: Client Authentication




I just uncomment this in server.xml: 

 
   
 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 8 March 2003 12:32
To: [EMAIL PROTECTED]
Subject: RE: Client Authentication

How do you configure Tomcat to do client authentication at all? How do you
specify the truststore on the Tomcat server?



AW: Client Authentication

2003-03-08 Thread Mario Ivkovic

I just uncomment this in server.xml:


  



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 8 March 2003 12:32
To: [EMAIL PROTECTED]
Subject: RE: Client Authentication

How do you configure Tomcat to do client authentication at all? How do you
specify the truststore on the Tomcat server?


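Mario's server.xml fragment did not survive the archive, and the question quoted above (how the server decides which client certificates to accept, and what the truststore has to contain) is really about the TLS handshake itself. The Go program below is an added example, not code from this thread or from Tomcat: it mints a throw-away CA, issues one server and one client certificate from it, puts only the CA into the server's trust pool, and runs loopback handshakes with client authentication required and optional. The CA name "Demo CA", the user "dave" and the host name "localhost" are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// PKI is a throw-away CA with one server and one client certificate issued by it.
type PKI struct {
	Truststore *x509.CertPool  // the server's truststore: the CA certificate only, no client certs
	Server     tls.Certificate // server certificate for "localhost", issued by the CA
	Client     tls.Certificate // client certificate for the user "dave", issued by the CA
}

// newCert issues an ECDSA P-256 certificate for cn: a self-signed CA when parent
// is nil, otherwise a leaf signed by parent. Errors panic; this is demo material.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	issuer, signer := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else { // leaves may serve either side; the server leaf must match ServerName below
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{"localhost"}
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// BuildPKI mints a CA named caName, signs the server and client certificates
// with it, and puts only the CA into the truststore (constructed demo material).
func BuildPKI(caName string) *PKI {
	ca := newCert(caName, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &PKI{Truststore: pool, Server: newCert("localhost", &ca), Client: newCert("dave", &ca)}
}

// Handshake runs one loopback TLS connection: the server enforces mode against
// p.Truststore and the client offers cert (nil = none). It returns the identity
// the server took from the verified client certificate ("" if none was sent).
func Handshake(p *PKI, mode tls.ClientAuthType, cert *tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{p.Server}, ClientAuth: mode, ClientCAs: p.Truststore,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var id string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if err = tc.Handshake(); err == nil {
				// CLIENT-CERT "remote user": the subject of the verified peer certificate.
				if peers := tc.ConnectionState().PeerCertificates; len(peers) > 0 {
					id = peers[0].Subject.CommonName
				}
			}
		}
		done <- err
	}()
	cfg := &tls.Config{RootCAs: p.Truststore, ServerName: "localhost"}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err // under TLS 1.2 a rejected client cert already fails the client's handshake
	}
	defer conn.Close()
	if err := <-done; err != nil {
		return "", err // under TLS 1.3 the client finishes first; the server's verdict arrives here
	}
	return id, nil
}
```

Only certificates that chain to the CA in the trust pool are accepted, so no individual client certificate ever has to be imported into the truststore, and the identity the server ends up with is the subject of the verified client certificate rather than anything the client typed.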



RE: Client Authentication

2003-03-08 Thread dave . prout
How do you configure Tomcat to do client authentication at all? How do you
specify the truststore on the Tomcat server?

-Original Message- 
From: Mario Ivkovic [mailto:[EMAIL PROTECTED] 
Sent: Sat 08/03/2003 11:21 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Client Authentication



Hi, 

how can I configure Tomcat to get client authentication just for one
specified context?

Example:

https://localhost/withClientAuth

https://localhost/noClientAuth



Client Authentication

2003-03-08 Thread Mario Ivkovic
Hi,

how can I configure Tomcat to get client authentication just for one
specified context?

Example:

https://localhost/withClientAuth

https://localhost/noClientAuth





RE: Can Tomcat do client certificate authentication ?

2003-03-08 Thread dave . prout
I'm using Tomcat 4.1.18 standalone. We need client certificates to work
across all our platforms. With Microsoft it's easy, with Tomcat we just can't
seem to do it.

We've looked at many different methods of security. Basic Authentication is
OK if we use it with HTTPS, but doesn't seem to be very interoperable.

Dave

-Original Message-
From: Bill Barker [mailto:[EMAIL PROTECTED]]
Sent: Sat 08/03/2003 07:07
To: [EMAIL PROTECTED]
Cc:
Subject: Re: Can Tomcat do client certificate authentication ?

The choice of going to SSL-CERT auth puts a huge burden on your IT staff.
You've got to collect all of your clients' certs, and manage them (including
renewals, revocations, et al.).  Except for small closed groups, it is
almost always not worth the trouble.

Which headaches you want really depends on your configuration.  The methods
are different if you are using Apache/IIS/iPlanet in front of Tomcat, or if
you are using Tomcat-Stand-Alone.

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Within our company we've decided to use client certificates for security.
> I've spent all week trying to get this working on Tomcat. If the client
> and server are on the same machine it's easy. But how do I do it if the
> client is on a different machine? I can get SSL working on HTTPS no
> problem, but client certificates? No way.
>
> If we can't find an answer we'll have to ban the use of Tomcat in our
> company for any serious work.
>
> Dave




Re: Can Tomcat do client certificate authentication ?

2003-03-07 Thread Bill Barker
The choice of going to SSL-CERT auth puts a huge burden on your IT staff.
You've got to collect all of your clients' certs, and manage them (including
renewals, revocations, et al.).  Except for small closed groups, it is
almost always not worth the trouble.

Which headaches you want really depends on your configuration.  The methods
are different if you are using Apache/IIS/iPlanet in front of Tomcat, or if
you are using Tomcat-Stand-Alone.

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Within our company we've decided to use client certificates for security.
> I've spent all week trying to get this working on Tomcat. If the client
> and server are on the same machine it's easy. But how do I do it if the
> client is on a different machine? I can get SSL working on HTTPS no
> problem, but client certificates? No way.
>
> If we can't find an answer we'll have to ban the use of Tomcat in our
> company for any serious work.
>
> Dave







Apache-Basic Authentication How To

2003-03-07 Thread Manu Kits
Hello,

I am using Apache 1.3.26 on IBM AIX

I want to implement Basic Authentication on Apache (Ref: htpasswd)

I have 2 users with their respective directories:
--------------------------------------------------------
USER NAME   HOME DIR      public_html
--------------------------------------------------------
BILL        /home/bill    /home/bill/public_html
GATES       /home/gates   /home/gates/public_html
I want to IMPLEMENT Basic Authentication for User BILL and NO Authentication 
for user GATES.
How can I do that - is it possible to have Basic Authentication for User 
BILL and NO Authentication for User GATES?

This is what I have done
---

   Options +FollowSymLinks
   AllowOverride All
   Order allow,deny
   Allow from all

 BASIC AUTHENTICATION for USER BILL 


   Options +FollowSymLinks +SymLinksIfOwnerMatch +Indexes
   Order allow,deny
   Allow from all
   AllowOverride All
   AllowOverride AuthConfig
   AuthType Basic
   AuthName "By Invitation Only"
   AuthUserFile /usr/local/apache2003/passwd/apache_password
   Require valid-user

 NO AUTHENTICATION for USER GATES 


   Options +FollowSymLinks +SymLinksIfOwnerMatch +Indexes
   Order allow,deny
   Allow from all

---
THANKS!

Manu


Can Tomcat do client certificate authentication ?

2003-03-07 Thread dave . prout
Within our company we've decided to use client certificates for security.
I've spent all week trying to get this working on Tomcat. If the client and
server are on the same machine it's easy. But how do I do it if the client
is on a different machine? I can get SSL working on HTTPS no problem, but
client certificates? No way.
 
If we can't find an answer we'll have to ban the use of Tomcat in our
company for any serious work.
 
Dave




Re: mod_ssl/mod_jk failure with client authentication on

2003-03-07 Thread Aaron Stromas
I realised that I included an irrelevant log snippet from the SSL log. Please
see the correction below.

Aaron Stromas said:
> Hi,
>
> I apologise for cross-posting - I'm really not sure which component is
> at fault, looks like mod_ssl but possibly mod_jk. BTW, is there a list
> (or some other venue) dedicated to mod_jk?
>
> My environment is Apache 1.3.22, mod_ssl 2.8.5, OpenSSL 0.9.6b, tomcat
> 4.0.3. I have a servlet mounted like this
>
> JkMount /app/servlet/* ajp13
> JkMount /app/*.jsp ajp13
> 
>SSLVerifyClient require
>SSLVerifyDepth  4
> 
>
> When SSLVerifyClient is set to 'none' all works fine, but when I set it
> as above, to 'require', it seems that the SSL connection is repeatedly
> renegotiated. The mod_jk log stops at this line (I edited out log entry
> headers for clarity):
>
> Attempting to map URI '/app/servlet/ApplicationProxyServlet'
> jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 -> /app/servlet/
>
> whilst the ssl engine log shows this
> Connection to child 3 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
> Seeding PRNG with 1160 bytes of entropy
> OpenSSL: Handshake: start
> OpenSSL: Loop: before/accept initialization
> Inter-Process Session Cache: request=GET status=FOUND id=7A2A7121DDC60F144CA9F233A19E7BD7D88F0DCA06AEB588165EB9F01CA276DE (session reuse)
> OpenSSL: Loop: SSLv3 read client hello A
> OpenSSL: Loop: SSLv3 write server hello A
> OpenSSL: Loop: SSLv3 write change cipher spec A
> OpenSSL: Loop: SSLv3 write finished A
> OpenSSL: Loop: SSLv3 flush data
> OpenSSL: Loop: SSLv3 read finished A
> OpenSSL: Handshake: done
> Connection: Client IP: 164.95.119.43, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits)
> Initial (No.1) HTTPS request received for child 3 (server www-sps.sps.fms.treas.gov:443)
> OpenSSL: Write: SSL negotiation finished successfully
> Connection to child 3 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
> Connection to child 4 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
> Seeding PRNG with 1160 bytes of entropy
> OpenSSL: Handshake: start
> OpenSSL: Loop: before/accept initialization
> [Connection to child 5 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
> Seeding PRNG with 1160 bytes of entropy
> OpenSSL: Handshake: start
> OpenSSL: Loop: before/accept initialization
> OpenSSL: Loop: SSLv3 read client hello A
> OpenSSL: Loop: SSLv3 write server hello A
> OpenSSL: Loop: SSLv3 write certificate A
> OpenSSL: Loop: SSLv3 write key exchange A
> OpenSSL: Loop: SSLv3 write server done A
> OpenSSL: Loop: SSLv3 flush data
> OpenSSL: Loop: SSLv3 read client key exchange A
> OpenSSL: Loop: SSLv3 read finished A
> OpenSSL: Loop: SSLv3 write change cipher spec A
> OpenSSL: Loop: SSLv3 write finished A
> OpenSSL: Loop: SSLv3 flush data
> 
  [ more SSL handshake]

OpenSSL: Handshake: done
Connection: Client IP: 164.95.119.43, Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits)
Initial (No.1) HTTPS request received for child 1 (server www-sps.sps.fms.treas.gov:443)
Changed client verification type will force renegotiation
Requesting connection re-negotiation
Performing full renegotiation: complete handshake protocol
OpenSSL: Write: SSL negotiation finished successfully
Connection to child 0 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
I/O: sucked 4708 bytes of input data from SSL/TLS I/O layer for delayed injection into Apache I/O layer
OpenSSL: Handshake: start
OpenSSL: Loop: SSL renegotiate ciphers
OpenSSL: Loop: SSLv3 write hello request A
OpenSSL: Loop: SSLv3 flush data
Awaiting re-negotiation handshake
OpenSSL: Handshake: start
OpenSSL: Loop: before accept initialization
Inter-Process Session Cache: request=REM status=OK id=38B1D98C2B4A6384FA080BDD4374ACE13881B23AD58834437874A1F03733FCFE (session dead)
Write: SSLv3 read client hello B
OpenSSL: Exit: error in SSLv3 read client hello B
Re-negotiation handshake failed: Not accepted by client!?
I/O: injecting 4708 bytes of pre-sucked data into Apache I/O layer
OpenSSL: Write: SSLv3 read client hello B
OpenSSL: Exit: error in SSLv3 read client hello B
SSL error on writing data (OpenSSL library error follows)
OpenSSL: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Connection to child 1 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)


>
>
> In contrast, when SSLVerifyClient is 'none', mod_jk log shows
>
> Attempting to map URI '/app/servlet/ApplicationProxyServlet'
> jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 ->
> /app/servlet/
> Into wc_get_worker_for_name ajp13
> wc_get_worker_for_name, done  found a worker
> Into jk_worker_t::get_endpoint
> In jk_endpoint_t::ajp_get_endpoint, time elapsed since last request =
> 534 seconds
> Into jk_endpoint_t::service
> Into ajp_marshal_into_msgb
> ajp_marshal_into_msgb -

mod_ssl/mod_jk failure with client authentication on

2003-03-07 Thread Aaron Stromas
Hi,

I apologise for cross-posting - I'm really not sure which component is at
fault, looks like mod_ssl but possibly mod_jk. BTW, is there a list (or some
other venue) dedicated to mod_jk?

My environment is Apache 1.3.22, mod_ssl 2.8.5, OpenSSL 0.9.6b, tomcat 4.0.3.
I have a servlet mounted like this

JkMount /app/servlet/* ajp13
JkMount /app/*.jsp ajp13

SSLVerifyClient require
SSLVerifyDepth  4


When SSLVerifyClient is set to 'none' all works fine, but when I set it as
above, to 'require', it seems that the SSL connection is repeatedly
renegotiated. The mod_jk log stops at this line (I edited out log entry
headers for clarity):

Attempting to map URI '/app/servlet/ApplicationProxyServlet'
jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 -> /app/servlet/

whilst the ssl engine log shows this
Connection to child 3 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
Seeding PRNG with 1160 bytes of entropy
OpenSSL: Handshake: start
OpenSSL: Loop: before/accept initialization
Inter-Process Session Cache: request=GET status=FOUND id=7A2A7121DDC60F144CA9F233A19E7BD7D88F0DCA06AEB588165EB9F01CA276DE (session reuse)
OpenSSL: Loop: SSLv3 read client hello A
OpenSSL: Loop: SSLv3 write server hello A
OpenSSL: Loop: SSLv3 write change cipher spec A
OpenSSL: Loop: SSLv3 write finished A
OpenSSL: Loop: SSLv3 flush data
OpenSSL: Loop: SSLv3 read finished A
OpenSSL: Handshake: done
Connection: Client IP: 164.95.119.43, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits)
Initial (No.1) HTTPS request received for child 3 (server www-sps.sps.fms.treas.gov:443)
OpenSSL: Write: SSL negotiation finished successfully
Connection to child 3 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
Connection to child 4 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
Seeding PRNG with 1160 bytes of entropy
OpenSSL: Handshake: start
OpenSSL: Loop: before/accept initialization
[Connection to child 5 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
Seeding PRNG with 1160 bytes of entropy
OpenSSL: Handshake: start
OpenSSL: Loop: before/accept initialization
OpenSSL: Loop: SSLv3 read client hello A
OpenSSL: Loop: SSLv3 write server hello A
OpenSSL: Loop: SSLv3 write certificate A
OpenSSL: Loop: SSLv3 write key exchange A
OpenSSL: Loop: SSLv3 write server done A
OpenSSL: Loop: SSLv3 flush data
OpenSSL: Loop: SSLv3 read client key exchange A
OpenSSL: Loop: SSLv3 read finished A
OpenSSL: Loop: SSLv3 write change cipher spec A
OpenSSL: Loop: SSLv3 write finished A
OpenSSL: Loop: SSLv3 flush data



In contrast, when SSLVerifyClient is 'none', mod_jk log shows

Attempting to map URI '/app/servlet/ApplicationProxyServlet'
jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 -> /app/servlet/
Into wc_get_worker_for_name ajp13
wc_get_worker_for_name, done  found a worker
Into jk_worker_t::get_endpoint
In jk_endpoint_t::ajp_get_endpoint, time elapsed since last request = 534 seconds
Into jk_endpoint_t::service
Into ajp_marshal_into_msgb
ajp_marshal_into_msgb - Done
sending to ajp13 #261
ajp_send_request 2: request body to send 4708 - request body to resend 0
sending to ajp13 #4714
received from ajp13 #3
sending to ajp13 #4
received from ajp13 #3
sending to ajp13 #4
received from ajp13 #49
ajp_unmarshal_response: status = 200
ajp_unmarshal_response: Number of headers is = 2
ajp_unmarshal_response: Header[0] [Content-Type] = [application/octet-stream]
ajp_unmarshal_response: Header[1] [Content-Length] = [17776]
received from ajp13 #1028
received from ajp13 #1028
received from ajp13 #1028
received from ajp13 #1028
received from ajp13 #1028
received from ajp13 #1028
received from ajp13 #1028
received from ajp13 #1028
received from ajp13 #1028
...

and the SSL engine log shows

Connection to child 1 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
Seeding PRNG with 1160 bytes of entropy
OpenSSL: Handshake: start
OpenSSL: Loop: before/accept initialization
OpenSSL: Loop: SSLv3 read client hello A
OpenSSL: Loop: SSLv3 write server hello A
OpenSSL: Loop: SSLv3 write certificate A
OpenSSL: Loop: SSLv3 write key exchange A
OpenSSL: Loop: SSLv3 write server done A
OpenSSL: Loop: SSLv3 flush data
OpenSSL: Loop: SSLv3 read client key exchange A
OpenSSL: Loop: SSLv3 read finished A
OpenSSL: Loop: SSLv3 write change cipher spec A
OpenSSL: Loop: SSLv3 write finished A
OpenSSL: Loop: SSLv3 flush data
Inter-Process Session Cache: request=SET status=OK id=7D883EF0B18F9E84BC57C4F02C6E34ADF6FF049BB7091F16B303B79AC906832B timeout=295s (session caching)
OpenSSL: Handshake: done
Connection: Client IP: 164.95.119.43, Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits)
Initial (No.1) HTTPS request received for child 1 (server www-sps.sps.fms.treas.gov:443)
OpenSSL: Write: SSL negotiation finished successfully
Connection to child 1 closed with standard shutdown (server www-sps.sps.f
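The engine log above carries the diagnosis: the first handshake completes without a client certificate, the first request then hits a location whose SSLVerifyClient differs from what the connection was set up with ("Changed client verification type will force renegotiation"), and the client never completes the second handshake. The Go program below is an added example, not part of the thread: it extracts that sequence per connection from a constructed log in the same format, with made-up host name, addresses and child ids.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RenegFinding describes one connection in which the SSLVerifyClient setting of
// the requested location differed from the one the connection started with,
// mod_ssl forced a renegotiation, and the client never completed the second handshake.
type RenegFinding struct {
	Child    string // Apache child that handled the connection
	ClientIP string
	Protocol string // protocol and cipher of the initial, unauthenticated handshake
	Cipher   string
	Error    string // OpenSSL error that ended the connection, if one was logged
}

var (
	reEstablished = regexp.MustCompile(`^Connection to child (\d+) established \(server [^,]+, client ([\d.]+)\)`)
	reClosed      = regexp.MustCompile(`^Connection to child (\d+) closed`)
	reConnection  = regexp.MustCompile(`^Connection: Client IP: [\d.]+, Protocol: (\S+), Cipher: (\S+)`)
	reOpenSSLErr  = regexp.MustCompile(`^OpenSSL: error:(.+)$`)
)

// FindFailedRenegotiations scans mod_ssl engine-log lines (log-entry headers
// already stripped, as in the thread) and reports every connection in which
// "force renegotiation" was followed by "Re-negotiation handshake failed".
func FindFailedRenegotiations(log string) []RenegFinding {
	var out []RenegFinding
	var cur *RenegFinding
	forced, failed := false, false
	flush := func() {
		if cur != nil && forced && failed {
			out = append(out, *cur)
		}
		cur, forced, failed = nil, false, false
	}
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if m := reEstablished.FindStringSubmatch(line); m != nil {
			flush() // a new connection on a child starts a new record
			cur = &RenegFinding{Child: m[1], ClientIP: m[2]}
			continue
		}
		if cur == nil {
			continue
		}
		switch {
		case strings.HasPrefix(line, "Changed client verification type will force renegotiation"):
			forced = true
		case strings.HasPrefix(line, "Re-negotiation handshake failed"):
			failed = true
		case reConnection.MatchString(line):
			if m := reConnection.FindStringSubmatch(line); cur.Protocol == "" {
				cur.Protocol, cur.Cipher = m[1], m[2] // keep the first handshake's parameters
			}
		case reOpenSSLErr.MatchString(line):
			cur.Error = reOpenSSLErr.FindStringSubmatch(line)[1]
		case reClosed.MatchString(line) && reClosed.FindStringSubmatch(line)[1] == cur.Child:
			flush()
		}
	}
	flush()
	return out
}

// SampleLog is constructed test data in the format of the engine log quoted
// above: child 1 is refused the renegotiation, child 2 completes it.
const SampleLog = `Connection to child 1 established (server www.example.test:443, client 192.0.2.10)
OpenSSL: Handshake: done
Connection: Client IP: 192.0.2.10, Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits)
Initial (No.1) HTTPS request received for child 1 (server www.example.test:443)
Changed client verification type will force renegotiation
Requesting connection re-negotiation
Performing full renegotiation: complete handshake protocol
Awaiting re-negotiation handshake
OpenSSL: Exit: error in SSLv3 read client hello B
Re-negotiation handshake failed: Not accepted by client!?
OpenSSL: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Connection to child 1 closed with standard shutdown (server www.example.test:443, client 192.0.2.10)
Connection to child 2 established (server www.example.test:443, client 192.0.2.11)
OpenSSL: Handshake: done
Connection: Client IP: 192.0.2.11, Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits)
Changed client verification type will force renegotiation
Requesting connection re-negotiation
OpenSSL: Handshake: done
Connection to child 2 closed with standard shutdown (server www.example.test:443, client 192.0.2.11)
`

func main() {
	for _, f := range FindFailedRenegotiations(SampleLog) {
		fmt.Printf("child %s, client %s: forced renegotiation refused after %s/%s handshake (%s)\n",
			f.Child, f.ClientIP, f.Protocol, f.Cipher, f.Error)
	}
}
```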

SSL client authentication with mod_ssl+mod_jk

2003-03-06 Thread Aaron Stromas
Hi,

If somebody has a working client SSL authentication for Apache 1.3.*,
mod_ssl/mod_jk, i.e., ajp mounts that require client certificate
(SSLVerifyClient require), I'd be very grateful to see the appropriate
pieces of configuration files. Thank you.

-a
-- 
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
[EMAIL PROTECTED]| BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France







CLIENT CERT AUTHENTICATION with JNDI- or JDBCRealm

2003-03-02 Thread Patrick Flohr
Hello,

I'm using Tomcat 4.1.18 on WinXP with MemoryRealm based CLIENT CERT 
AUTHENTICATION and want to use LDAP- or JDBCRealm for client authentication.

Password authentication works on both, LDAP (openLDAP) and DB (MS SQL7).

Did someone manage to set up this authentication method with the mentioned 
realms, or know where to find additional information?

Thanks in advance

Patrick Flohr



Two Realms for client authentication

2003-02-28 Thread Manuel Gil Perez
Hi.

Can I use two Realms for client authentication?? I would like to define a 
set of servlets that uses a Realm and another set of servlets that uses 
another Realm. Can I make this??

Regards.



Re: Two Realms for client authentication

2003-02-28 Thread Donald Ball
On 2/28/2003 at 5:25 PM Gil wrote:

>Can I use two Realms for client authentication?? I would like to define a 
>set of servlets that uses a Realm and another set of servlets that uses 
>another Realm. Can I make this??

In the same webapp? I don't think so. I think you have a few choices:

1. split the servlets into two webapps, each with its own Realm. annoying
and pedantic.

2. Write your own Realm which acts as a front-end to the two real Realms
and dispatches authentication requests to one or the other based on some
criteria... don't know if Realms get enough information to make this
decision though.

3. you might check out the securityfilter project:

http://securityfilter.sourceforge.net/

they're trying to mitigate some of the portability problems associated with
CMS by bundling the security into the webapps themselves. interesting
approach, might work for you.

- donald





Two Realms for client authentication

2003-02-28 Thread Gil
Hi.

Can I use two Realms for client authentication?? I would like to define a 
set of servlets that uses a Realm and another set of servlets that uses 
another Realm. Can I make this??

Regards. 



Authentication from user xml file

2003-02-26 Thread vikas yk
Hi

In the tomcat user xml file I have given password="".
While entering the application it's not allowing me to log in if I
don't give any password (blank password).
It works if I give some value in the user xml file, e.g. password="xyz..".
Is it that null values are not allowed or am I doing something wrong?

Please advise

On Thu, 27 Feb 2003 Steve Hole wrote :
On Wed, 26 Feb 2003 11:21:21 -0800 (PST) Steve Guo <[EMAIL PROTECTED]> wrote:

> You tried to make it simple, but actually made it complicated.
> Your webapp is simple, so you should invoke the servlet by:
> localhost:8080/simple/simple
> localhost:8080/simple/servlet/simple

That was the trick.

This implies that the  element defines the name of the web application?

> Naming all the same tends to confuse users (not sure confuses Tomcat or
> not). Why not try:
> 'test' for the webapp
> 'Simple' for the servlet
> 'simple' for the servlet name in web.xml
> then you will invoke by
> http://localhost:8080/test/servlet/Simple or
> http://localhost:8080/test/servlet/simple or
> http://localhost:8080/test/simple

So what does the web.xml look like for the above?   Something like:

<web-app>
  <servlet>
    <servlet-name>simple</servlet-name>
    <servlet-class>Simple</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>simple</servlet-name>
    <url-pattern>/test</url-pattern>
  </servlet-mapping>
</web-app>

In other words, I assumed the  element linked the  and  elements.   Is that
true?  The documentation for the servlet-mapping functionality is not exactly
great and there is no documentation on the default mapping rules at all that I
could find.

Anyway, thanks for the help.

Cheers.
---
Steve Hole
Chief Technology Officer - Billing and Payment Systems
ACI Worldwide

Phone: 780-424-4922


How to use Java to connect to Apache Server Via SSL with Client Authentication

2003-02-25 Thread Kwan Hon Luen
Hi ,

I can use java to connect to apache server via SSL without client
authentication.
Just use
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");

In trying to connect to the apache via SSL with client authentication, I do
the following:

Using keytool, I generated the java client keystore which consists of the
java client private key and cert wrapped public key.
In addition, I use keytool to generate a CSR from this keystore.
This CSR is then signed by the CA using Openssl toolkit, generating the
signed certificate.
I then import the signed certificate into both java client keystore and
cacerts.

I then added the following two lines to the code:

  System.setProperty("javax.net.ssl.keyStore","D:\\keystore\\.keystore");
  System.setProperty("javax.net.ssl.keyStorePassword","changeit");

But I get this error, DOES anyone know how to solve this problem??


java.net.SocketException: Connection aborted by peer: socket write error
    at java.net.SocketOutputStream.socketWrite(Native Method)
    at java.net.SocketOutputStream.write(SocketOutputStream.java:91)
    at com.sun.net.ssl.internal.ssl.OutputRecord.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(DashoA6275)
    at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(DashoA6275)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.c(DashoA6275)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
    at java.io.OutputStream.write(OutputStream.java:56)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect(DashoA6275)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(DashoA6275)
    at ssl.main(ssl.java:30)

__
Do You Yahoo!?
Promote your business from just $5 a month!
http://sg.biztools.yahoo.com

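An added example for the setup described in this post (it is not code from the post or from Tomcat): the client loads its keystore and truststore into an SSLContext explicitly instead of through the javax.net.ssl.* system properties, and before connecting it checks that the keystore actually holds a private-key entry. A keystore that contains only a trusted certificate (for instance a CA reply imported under a new alias rather than under the alias of the key pair it was issued for) gives the JSSE key manager nothing to present, and a server that requires client authentication then aborts the handshake. The file names client.jks and cacerts, the https://localhost:8443/ URL and the use of one password for both the store and the key are assumptions; "changeit" is the password the post itself uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the post: a client that presents a certificate
 * to a server requiring client authentication. Keystore and truststore are
 * loaded explicitly into an SSLContext, and the keystore is checked for a
 * private-key entry first. File names, the 8443 URL and the single password
 * for store and key are assumptions; "changeit" is the post's password.
 */
public class MutualTlsClient {

    /** Aliases of private-key entries; an empty list means the client has nothing to present. */
    static List<String> keyEntryAliases(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** KeyManagers supply the client certificate; TrustManagers decide whether the server's chain is trusted. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String keyStorePath = args.length > 0 ? args[0] : "client.jks";   // assumed file name
        String trustStorePath = args.length > 1 ? args[1] : "cacerts";    // assumed file name
        char[] password = "changeit".toCharArray();

        KeyStore keyStore = load(keyStorePath, password);
        List<String> keys = keyEntryAliases(keyStore);
        if (keys.isEmpty()) {
            // Typical cause: the CA reply was imported under a fresh alias instead of
            // the alias of the key pair, so the store holds only a trustedCertEntry.
            System.err.println("no private-key entry in " + keyStorePath + "; the client cannot authenticate");
            System.exit(1);
        }
        System.out.println("client certificate will come from key entry '" + keys.get(0) + "'");

        SSLContext ctx = buildContext(keyStore, password, load(trustStorePath, password));
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

The same check can be done by hand with `keytool -list -v -keystore client.jks`, which reports the entry type for each alias; the alias that received the signed certificate must be the one that holds the private key, and the signing CA's certificate must already be trusted (in cacerts or in the keystore) when the reply is imported, otherwise keytool refuses it.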



RE: Authentication and Roles - case sensitivity

2003-02-25 Thread Craig R. McClanahan


On Tue, 25 Feb 2003, Raible, Matt wrote:

> Date: Tue, 25 Feb 2003 13:59:20 -0700
> From: "Raible, Matt" <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: 'Tomcat Users List' <[EMAIL PROTECTED]>
> Subject: RE: Authentication and Roles - case sensitivity
>
>
>
> > Tomcat is case sensitive everywhere except where the servlet
> > spec says it
> > is explicitly not case sensitive (such as request.getHeader()).  That
> > includes things like matching role names.
>
> So you're saying that matching role names is NOT case sensitive.

No, I'm saying that it *is* case sensitive -- the only places Tomcat is
not case sensitive is where this is *explicitly* documented.

> I'm
> guessing this from my own experience on 4.1.18.  However, since
> request.isUserInRole() IS case sensitive, how can I do matching in a NON
> case sensitive way.  Too bad there isn't a request.isUserInRoleIgnoreCase()
> ;-)

Sounds like a chance to create your very own custom patches to Tomcat ...
but I'd strongly recommend that you either make your app use the roles
that are defined by your Realm implementation "as is", or go change
your Realm to return the role names in the case expected by your app.

>
> Thanks for any tips.
>
> Matt
>

Craig




RE: Authentication and Roles - case sensitivity

2003-02-25 Thread Shapira, Yoav

Howdy,

>> Tomcat is case sensitive everywhere except where the servlet
>> spec says it
>> is explicitly not case sensitive (such as request.getHeader()).  That
>> includes things like matching role names.
>
>So you're saying that matching role names is NOT case sensitive.  I'm
>guessing this from my own experience on 4.1.18.  However, since
>request.isUserInRole() IS case sensitive, how can I do matching in a
NON
>case sensitive way.  Too bad there isn't a
request.isUserInRoleIgnoreCase()

I think Craig was saying tomcat should be case insensitive here.
Therefore, a good course of action would be for you to submit a patch to
the relevant class in tomcat which modifies the isUserInRole
implementation to ignore case.

Yoav Shapira
Millennium ChemInformatics








RE: Authentication and Roles - case sensitivity

2003-02-25 Thread Raible, Matt


> Tomcat is case sensitive everywhere except where the servlet 
> spec says it
> is explicitly not case sensitive (such as request.getHeader()).  That
> includes things like matching role names.

So you're saying that matching role names is NOT case sensitive.  I'm
guessing this from my own experience on 4.1.18.  However, since
request.isUserInRole() IS case sensitive, how can I do matching in a NON
case sensitive way.  Too bad there isn't a request.isUserInRoleIgnoreCase()
;-)

Thanks for any tips.

Matt





Re: Authentication and Roles - case sensitivity

2003-02-25 Thread Craig R. McClanahan


On Tue, 25 Feb 2003, Raible, Matt wrote:

>
> The reason I ask this is b/c I'm developing a menu application that filters
> on roles and hides/shows menus based on a role name.  What should I do to
> mimic Tomcat's behavior?  Should I do an toUpperCase on the rolename and
> database role?
>
> What does Tomcat do?
>

Tomcat is case sensitive everywhere except where the servlet spec says it
is explicitly not case sensitive (such as request.getHeader()).  That
includes things like matching role names.

> Thanks,
>
> Matt

Craig




Authentication and Roles - case sensitivity

2003-02-25 Thread Raible, Matt
I have the following security role in my web.xml file:


Role to allow authentication
Administrator


In my JDBCRealm, I have role_name defined for the user as:

USERID  ROLENAME
-
tomcat  ADMINISTRATOR


You can see that the role's case does not match.  If I add the following to
one of my filters:

log.debug("isUserInRole('Administrator'): " +
request.isUserInRole("Administrator"));
log.debug("isUserInRole('administrator'): " +
request.isUserInRole("administrator"));
log.debug("isUserInRole('ADMINISTRATOR'): " +
request.isUserInRole("ADMINISTRATOR"));

I get:

isUserInRole('Administrator'): false
isUserInRole('administrator'): false
isUserInRole('ADMINISTRATOR'): true

The reason I ask this is b/c I'm developing a menu application that filters
on roles and hides/shows menus based on a role name.  What should I do to
mimic Tomcat's behavior?  Should I do an toUpperCase on the rolename and
database role?  

What does Tomcat do?

Thanks,

Matt



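An added example for this thread (Matt's question above and Craig's replies earlier in the page), not code from either of them or from Tomcat: it models the two role-matching policies being discussed and lists the names on which they disagree. The granted role ADMINISTRATOR and the three names checked are the ones from the post; the Set-based model stands in for the realm and for HttpServletRequest.isUserInRole().

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not Tomcat code: exact matching (what the container does) next
 * to a case-insensitive check (what an application might be tempted to use), and
 * the names on which the two disagree. Roles come from the post above.
 */
public class RoleMatching {

    /** Exact comparison, as the container does for isUserInRole() and auth-constraint checks. */
    static boolean hasRoleExact(Set<String> granted, String required) {
        return granted.contains(required);
    }

    /** Case-insensitive comparison an application might use when filtering menus. */
    static boolean hasRoleIgnoreCase(Set<String> granted, String required) {
        for (String role : granted) {
            if (role.equalsIgnoreCase(required)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Names the lenient check accepts but the container rejects (or vice versa).
     * Each one is a menu entry that leads to a 403, or, if the lenient check also
     * guards application logic, an authorization decision wider than the realm's.
     */
    static Set<String> disagreements(Set<String> granted, Set<String> checked) {
        Set<String> out = new LinkedHashSet<String>();
        for (String name : checked) {
            if (hasRoleIgnoreCase(granted, name) != hasRoleExact(granted, name)) {
                out.add(name);
            }
        }
        return out;
    }

    /** Normalise once, where roles enter the application, so every later check uses one spelling. */
    static Set<String> normalise(Set<String> roles) {
        Set<String> out = new HashSet<String>();
        for (String role : roles) {
            out.add(role.toUpperCase(Locale.ROOT));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed from the post: the JDBCRealm row grants ADMINISTRATOR.
        Set<String> granted = new HashSet<String>(Arrays.asList("ADMINISTRATOR"));
        Set<String> checked = new LinkedHashSet<String>(
                Arrays.asList("Administrator", "administrator", "ADMINISTRATOR"));
        for (String name : checked) {
            System.out.println("isUserInRole('" + name + "'): " + hasRoleExact(granted, name));
        }
        System.out.println("lenient check disagrees on: " + disagreements(granted, checked));
        System.out.println("after normalising both sides: "
                + disagreements(normalise(granted), normalise(checked)));
    }
}
```

The last line shows why normalising inside the application alone is not enough: it only removes the disagreement when the role names the realm hands to the container are normalised the same way, which is Craig's point about either using the realm's spelling as-is or changing the realm to return the spelling the application expects. Any security-constraint in web.xml keeps using exact matching regardless of what the menu code does.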



Re: LDAP Authentication

2003-02-25 Thread Marcelino Cruz
Now that I've set my JNDIRealm, I get this stack trace while starting
Tomcat...

---

Feb 25, 2003 10:13:32 AM org.apache.commons.modeler.Registry loadRegistry
INFO: Loading registry information
Feb 25, 2003 10:13:32 AM org.apache.commons.modeler.Registry getRegistry
INFO: Creating new Registry instance
Feb 25, 2003 10:13:34 AM org.apache.commons.modeler.Registry getServer
INFO: Creating MBeanServer
Feb 25, 2003 10:13:35 AM org.apache.commons.digester.Digester startElement
SEVERE: Begin event threw exception
java.lang.NullPointerException
at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:905)
at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:857)
at org.apache.commons.digester.ObjectCreateRule.begin(ObjectCreateRule.java:252)
at org.apache.commons.digester.Digester.startElement(Digester.java:1237)
at org.apache.xerces.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:459)
at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:221)
at org.apache.xerces.impl.XMLNamespaceBinder.emptyElement(XMLNamespaceBinder.java:595)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:747)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(XMLDocumentFragmentScannerImpl.java:1477)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329)
at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525)
at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581)
at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1175)
at org.apache.commons.digester.Digester.parse(Digester.java:1495)
at org.apache.catalina.startup.Catalina.start(Catalina.java:449)
at org.apache.catalina.startup.Catalina.execute(Catalina.java:400)
at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)
Catalina.start: java.lang.NullPointerException
java.lang.NullPointerException
at org.apache.commons.digester.Digester.createSAXException(Digester.java:2312)
at org.apache.commons.digester.Digester.createSAXException(Digester.java:2332)
at org.apache.commons.digester.Digester.startElement(Digester.java:1240)
Feb 25, 2003 10:13:32 AM org.apache.commons.modeler.Registry loadRegistry
INFO: Loading registry information
Feb 25, 2003 10:13:32 AM org.apache.commons.modeler.Registry getRegistry
INFO: Creating new Registry instance
Feb 25, 2003 10:13:34 AM org.apache.commons.modeler.Registry getServer
INFO: Creating MBeanServer
Feb 25, 2003 10:13:35 AM org.apache.commons.digester.Digester startElement
SEVERE: Begin event threw exception
java.lang.NullPointerException
at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:905)
at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:857)
at org.apache.commons.digester.ObjectCreateRule.begin(ObjectCreateRule.java:252)
at org.apache.commons.digester.Digester.startElement(Digester.java:1237)
at org.apache.xerces.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:459)
at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:221)
at org.apache.xerces.impl.XMLNamespaceBinder.emptyElement(XMLNamespaceBinder.java:595)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:747)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(XMLDocumentFragmentScannerImpl.java:1477)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329)
at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525)
at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581)
at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)

- Original Message -
From: "Raible, Matt" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Tuesday, February 25, 2003 9:57 AM
Subject: RE: LDAP Authentication


>

RE: LDAP Authentication

2003-02-25 Thread Raible, Matt
Here's what I have in my context to make it work:

ldap://drevil:389";
userPassword="userPassword"
 userPattern="uid={0},ou=people,dc=raibledesigns,dc=com"
roleBase="ou=groups,dc=raibledesigns,dc=com"
roleName="cn"
  roleSearch="(uniqueMember={0})" />



> -Original Message-
> From: Marcelino Cruz [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 25, 2003 7:13 AM
> To: 'Tomcat Users List'
> Subject: LDAP Authentication
> 
> 
> Hello:
> 
> Does anyone here have LDAP authentication set up through a JNDIRealm in
> server.xml and could send me a sample server.xml for me to look at?
> 
> Thanks!
> 
> MC
> 


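An added example to go with the JNDIRealm configuration in this reply; it is not Tomcat's JNDIRealm and not code from the post. It performs the two LDAP operations the configuration describes (bind as the user built from userPattern, then search roleBase with roleSearch for the user's DN and collect the roleName attribute) outside the container, so a realm that fails to authenticate can be debugged without restarting Tomcat. The host, base DNs, pattern and filter are the values from the configuration above; the username and password come from the command line.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example, not Tomcat's JNDIRealm: bind-as-user plus role search, using
 * the connectionURL, userPattern, roleBase, roleSearch and roleName values from
 * the configuration in the post. Scope is one level, JNDIRealm's default when
 * roleSubtree is not set.
 */
public class JndiRealmCheck {

    /** Escapes a value for use inside a search filter (RFC 4515), so the DN cannot alter the filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the bind DN; usernames containing DN metacharacters are refused rather than substituted into the pattern. */
    static String bindDn(String userPattern, String username) {
        if (username.isEmpty() || username.matches(".*[,+\"\\\\<>;=#].*")) {
            throw new IllegalArgumentException("username contains DN metacharacters");
        }
        return userPattern.replace("{0}", username);
    }

    /** Simple bind as the user; returns null on bad credentials, and refuses an empty password outright. */
    static DirContext open(String url, String dn, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            return null; // an empty password would turn the request into an anonymous bind, which many directories accept
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            return new InitialDirContext(env);
        } catch (AuthenticationException e) {
            return null;
        }
    }

    /** Role lookup as configured: one-level search under roleBase, {0} replaced by the user's DN. */
    static List<String> roles(DirContext ctx, String roleBase, String roleSearch,
                              String roleName, String userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[] { roleName });
        String filter = roleSearch.replace("{0}", escapeFilterValue(userDn));
        List<String> result = new ArrayList<String>();
        NamingEnumeration<SearchResult> results = ctx.search(roleBase, filter, sc);
        while (results.hasMore()) {
            Attribute attr = results.next().getAttributes().get(roleName);
            if (attr != null) {
                result.add((String) attr.get());
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        String url = "ldap://drevil:389";
        String dn = bindDn("uid={0},ou=people,dc=raibledesigns,dc=com", args[0]);
        DirContext ctx = open(url, dn, args[1]);
        if (ctx == null) {
            System.out.println("bind failed for " + dn);
            return;
        }
        System.out.println("bind ok; roles: "
                + roles(ctx, "ou=groups,dc=raibledesigns,dc=com", "(uniqueMember={0})", "cn", dn));
        ctx.close();
    }
}
```

Run it as `java JndiRealmCheck <uid> <password>`. If the bind succeeds here but Tomcat still rejects the user, the problem is on the Tomcat side (realm placement in server.xml, role names in the auth-constraint); if the bind fails here too, the userPattern or the directory's own configuration is the place to look.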



LDAP Authentication

2003-02-25 Thread Marcelino Cruz
Hello:

Does anyone here have LDAP authentication set up through a JNDIRealm in server.xml and 
could send me a sample server.xml for me to look at?

Thanks!

MC


Re: Web browser authenticates to Tomcat Server using Client SSL authentication

2003-02-23 Thread Kwan Hon Luen
I used keytool to export the client certificate on its machine and tried to
import it using the web browser, but it still does not get into the Personal
certificate store.

- Original Message -
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 22, 2003 3:20 PM
Subject: Re: Web browser authenticates to Tomcat Server using Client SSL
authentication


>
> "Kwan Hon Luen" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Hi ,
> >
> > Have configured Tomcat to use SSL with client authentication set to
true.
> > Have imported client (which is the web browser IE) certificate to tomcat
> > server keystore.
> > But when I use IE to connect to Tomcat, it pops up a message box saying
> "The
> > Web site you want to view requests identification. Select the
certificate
> to
> > use when connecting." Problem is that there is no certificate displayed
to
> > select.
> >
> > Does anyone know how to solve this using the current setup ?
>
> Urm, err, you need to import the cert into IE as well (double-clicking and
> next, next, next... is usually enough).
>
> >
> > regards,
> > Hon Luen
> >
>
>
>
>





Re: Web browser authenticates to Tomcat Server using Client SSL authentication

2003-02-21 Thread Bill Barker

"Kwan Hon Luen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi ,
>
> Have configured Tomcat to use SSL with client authentication set to true.
> Have imported client (which is the web browser IE) certificate to tomcat
> server keystore.
> But when I use IE to connect to Tomcat, it pops up a message box saying
"The
> Web site you want to view requests identification. Select the certificate
to
> use when connecting." Problem is that there is no certificate displayed to
> select.
>
> Does anyone know how to solve this using the current setup ?

Urm, err, you need to import the cert into IE as well (double-clicking and
next, next, next... is usually enough).

>
> regards,
> Hon Luen
>







Web browser authenticates to Tomcat Server using Client SSL authentication

2003-02-21 Thread Kwan Hon Luen
Hi ,

Have configured Tomcat to use SSL with client authentication set to true.
Have imported client (which is the web browser IE) certificate to tomcat
server keystore.
But when I use IE to connect to Tomcat, it pops up a message box saying "The
Web site you want to view requests identification. Select the certificate to
use when connecting." Problem is that there is no certificate displayed to
select.

Does anyone know how to solve this using the current setup ?

regards,
Hon Luen






Configuring JNDI LDAP Datasource - NOT USED FOR AUTHENTICATION

2003-02-20 Thread White, Joshua A (CASD, IT)
How can I declare an LDAP datasource in the server.xml file without the need
to use it for authentication.  The documentation I have read so far assumes
that I am using LDAP for authentication.  When looking at the datasources
section of the JNDI docs, it assumes a relational database.  Can someone
give me an example?

Joshua








form authentication/ Context question

2003-02-18 Thread Barley
I have form-based authentication set up far enough that
if I request a protected resource, Tomcat redirects me
to the login page. When I submit the login page to
j_security_check, Tomcat gives me this 500 error:

No Context configured to process this request
The server encountered an internal error (No Context
configured to process this request) that prevented it
from fulfilling this request.

Does this mean that no Context is available to handle
the j_security_check? I guess I just don't understand
what the problem is at this point. Could this error
mean that the j_security_check is not authenticating?
Any advice would be very much appreciated.

Gregg






Re: Tomcat 3.2.1: Basic authentication and Win 2000

2003-02-18 Thread Ramkumar Krishnan
Hi Thomas,
I am also having a similar problem in our system. I am
using the HTTPClient jar as the HTTP client. Our product is running on Tomcat
3.2.3 + Apache 1.3 (Windows NT).

1)Pls look at the following code.

HTTPConnection httpcon = new HTTPConnection(url);

httpcon.addBasicAuthorization("es","username","password");

Even though the above code exists for Basic Authorization, it is still
popping up a Java dialog box asking for username and password.

Why is the console popping up?

2) Here I set user interaction to false and commented out the authorization
code; now it does not pop up the Java console. But the system runs
properly and gets the required data without asking for username and password.

   HTTPConnection httpcon = new HTTPConnection(url);
   httpcon.setAllowUserInteraction(false);

//httpcon.addBasicAuthorization("es","username","password");

How is it possible? Is there a security hole with the site?

NOTE:
 I have to enter a username and password when I try to access the
site through a browser. Otherwise it throws an error.


Any help would be appreciated...

thanks,
Ramkumar

- Original Message -
From: "Thomas Muller" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 17, 2003 3:50 PM
Subject: Tomcat 3.2.1: Basic authentication and Win 2000


> Hi,
>
> When I try to apply basic authentication to an area, Win 2000 pops up with
a
> login dialog that requires windows credentials (or something). It seems
like
> Windows refuses to allow Tomcat to do authentication alone. Without any
> knowledge of Tomcat internals, I guess it's the AccessInterceptor that
> controls the behaviour (or at least tries to):
>
>  />
>
> I've tried to define the windows login credentials in tomcat-users.xml,
> allow the actual Tomcat service to run as that user etc etc. Nothing
helps.
> Can't log in.
>
> 
>
> 
> Protected Area
> /server/*
>   
>
>   
> mbxadmin
> 
>
> 
>
> 
> Thomas
>
>
>
>
>
>
>
>
>






authentication fails at first

2003-02-17 Thread Udo Benz
Hi all
I am having a strange problem with authentication. If a user tries to 
login to the web site access is sometimes denied at first (this is not a 
mis-typed password).  Going back to the login page and typing the same 
username + password again works??
Did anyone have a similar problem?  Any help would be greatly appreciated.

I am using a Mysql table to authenticate users.


driverName="org.gjt.mm.mysql.Driver"
 connectionURL="jdbc:mysql://mysite/db"
 connectionName = "user"
 connectionPassword = "pass" digest="MD5"
 userTable="customer" userNameCol="userid" 
userCredCol="password"
 userRoleTable="user_roles" roleNameCol="role_name" />


Thanks
Udo



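An added example for the digest="MD5" setting in this JDBCRealm configuration; it is not Tomcat code and not from the post. It produces the value a realm with that setting expects to find in userCredCol, and compares a submitted password against a stored value the way the realm does: the submitted password is digested and the hex strings are compared exactly, so a stored digest in uppercase hex, or one with trailing whitespace, never matches. The sample password is constructed for the demonstration.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example, not Tomcat code: the credential a Realm with digest="MD5"
 * expects in the user table, and the realm-style comparison against it.
 * The sample password is constructed for the demonstration.
 */
public class RealmDigest {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Lowercase hex, which is what Tomcat's RealmBase emits for a digested credential. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX[(b >> 4) & 0x0f]).append(HEX[b & 0x0f]);
        }
        return sb.toString();
    }

    /**
     * Digest of the cleartext password. Tomcat 4 digests credentials.getBytes(),
     * i.e. the platform default charset, so the stored value must have been
     * produced with the same charset or non-ASCII passwords will not match.
     */
    static String digest(String password, String algorithm) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return toHex(md.digest(password.getBytes()));
    }

    /**
     * Realm-style check: exact comparison of the stored digest with the digest of
     * the submitted password. Done byte-wise in constant time so the comparison
     * itself leaks nothing about how many leading characters matched.
     */
    static boolean matches(String storedDigest, String submittedPassword, String algorithm)
            throws NoSuchAlgorithmException {
        byte[] stored = storedDigest.getBytes();
        byte[] computed = digest(submittedPassword, algorithm).getBytes();
        return MessageDigest.isEqual(stored, computed);
    }

    public static void main(String[] args) throws Exception {
        String stored = digest("secret", "MD5"); // constructed sample; this is what the customer.password column should hold
        System.out.println("store this in userCredCol: " + stored);
        System.out.println("correct password:         " + matches(stored, "secret", "MD5"));
        System.out.println("wrong case in password:   " + matches(stored, "Secret", "MD5"));
        System.out.println("uppercase hex stored:     " + matches(stored.toUpperCase(), "secret", "MD5"));
        System.out.println("trailing space stored:    " + matches(stored + " ", "secret", "MD5"));
    }
}
```

The value printed for a given password can be cross-checked against Tomcat's own tool, `java org.apache.catalina.realm.RealmBase -a MD5 secret` (run with catalina.jar and servlet.jar on the classpath); if the two differ, the charset is the first thing to compare. Note that this is an unsalted digest, which is all the realm setting supports: two users with the same password get the same stored value.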



Tomcat 3.2.1: Basic authentication and Win 2000

2003-02-17 Thread Thomas Muller
Hi,

When I try to apply basic authentication to an area, Win 2000 pops up with a
login dialog that requires windows credentials (or something). It seems like
Windows refuses to allow Tomcat to do authentication alone. Without any
knowledge of Tomcat internals, I guess it's the AccessInterceptor that
controls the behaviour (or at least tries to):



I've tried to define the windows login credentials in tomcat-users.xml,
allow the actual Tomcat service to run as that user etc etc. Nothing helps.
Can't log in.




Protected Area
/server/*



mbxadmin





Form Based Authentication through IIS

2003-02-14 Thread Robert Mclaren
I have a web-app configured to use form based authentication. The login
works fine when I go directly to Tomcat using port 8080. When I try to
go through IIS, I don't even get the login page. I get a tomcat error
page 403 - "Access to the requested resource has been denied".

I can get to all the pages that aren't in the protected directory via
IIS, so I assume the ISAPI filter is configured properly. I can go to
the login page directly, but when I submit, I get

"The requested resource (/jsp/security/j_security_check) is not
available"

Any help would be greatly appreciated.

Thanks

Robert McLaren





Authentication problem with TOMCAT (4.0.4) and JAVA WEB START

2003-02-14 Thread [EMAIL PROTECTED]
Hi everyone !

I have a problem with Java Web Start (1.0.1) and Tomcat (4.0.4).

I'm trying to call my application via Web server Tomcat with 
restricting access.

My configuration is the following :

The deployment descriptor web.xml is:



http://java.sun.com/dtd/web-app_2_3.dtd";>


  
jar
application/java-archive
  
  
java
text/plain
  
  
jnlp
application/x-java-jnlp-file
  
  
JNLP
application/x-java-jnlp-file
  

  
  

Entire Application
/*



  
BASIC
MY APPL
  




And jnlp File is:

http://host:8080/Official/"; 
href="Application.jnlp"> 
 
Application release 0.10 
   
 
Application 
My Application 

 
 
 
 
 
 











 
 
 

With the above configuration Java Web Start does not work.
I'm expecting the message box for entering the username and password; instead 
it returns the error message:
An error occurred while launching/running the application.
Vendor: 
Category: Download Error
Unable to load resource: http://host:8080/Official/Application.jnlp

The Exception error is:
JNLPException[category: Download Error : Exception: 
java.lang.NullPointerException : LaunchDesc: null ]

at com.sun.javaws.cache.DownloadProtocol.doDownload(Unknown 
Source)

at 
com.sun.javaws.cache.DownloadProtocol.isLaunchFileUpdateAvailable
(Unknown Source)

at com.sun.javaws.LaunchDownload.getUpdatedLaunchDesc(Unknown 
Source)

at com.sun.javaws.Launcher.downloadResources(Unknown Source)

at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)

at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)

at com.sun.javaws.Launcher.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)




I have tried to remove the restrict access in the deployment descriptor 
(web.xml) and java Web Start WORKS !! 


I'll appreciate any idea or hint!
 Thanks in advance










RE: Tomcat 4.1.12 Form authentication with IIS 5

2003-02-14 Thread Paul Bothma
Hi,

I've changed the web.xml to the following:


  HP Admin Security Constraint
  
 Protected Area
 /admin/index.jsp
 /admin/products.jsp
 /admin/groups.jsp
  
  
 admin
  



  FORM
  users
  
/admin/login.jsp
/jsp/error.jsp?code=login
  





  admin


So, as you can see, the login.jsp page is not in the secured area any more.
At the moment, I do get directed to the login.jsp but when I try to submit
the form to 'j_security_check' I get the following error from IIS:

HTTP 405 - Resource not allowed.

When I modify uriworkermap.properties to include j_security_check, I get
redirected to a '404' error from Tomcat (based on my  settings
in web.xml). When I consult my MySQL logs I can see that Tomcat does not
even reach the stage where it should try to authenticate using MySQL.

Here is the relevant bit from my localhost_hp_log.txt

Log starts---

2003-02-14 10:15:23 Authenticator[/HP]: Security checking request POST
/HP/admin/j_security_check
2003-02-14 10:15:23 Authenticator[/HP]: Already authenticated ''
2003-02-14 10:15:23 Authenticator[/HP]:  Not subject to any constraint
2003-02-14 10:15:23 StandardContext[/HP]: Mapping contextPath='/HP' with
requestURI='/HP/admin/j_security_check' and
relativeURI='/admin/j_security_check'
2003-02-14 10:15:23 StandardContext[/HP]:  Mapped to servlet 'default' with
servlet path '/admin/j_security_check' and path info 'null' and update=true
2003-02-14 10:15:23 StandardContext[/HP]: Mapping contextPath='/HP' with
requestURI='/HP/jsp/error.jsp' and relativeURI='/jsp/error.jsp'
2003-02-14 10:15:23 StandardContext[/HP]:  Mapped to servlet 'jsp' with
servlet path '/jsp/error.jsp' and path info 'null' and update=true

Log ends---

Also, for some reason when I go to /admin it takes quite a long time (about
5 sec) to redirect me to login.jsp, whereas when I go to /admin on port 8080
it goes much quicker and it adds the jsessionid= to the URL (which it
doesn't do with IIS)

Thanks,

Paul

-Original Message-
From: Sean Dockery [mailto:[EMAIL PROTECTED]]
Sent: 14 February 2003 04:08
To: Tomcat Users List
Subject: Re: Tomcat 4.1.12 Form authentication with IIS 5


What happens when you move your form-login-page outside of the /admin/
folder?

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com
- Original Message -
From: "Paul Bothma" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 13, 2003 06:11
Subject: Tomcat 4.1.12 Form authentication with IIS 5


> Hi,
>
> I'm using Tomcat 4.1.12 with IIS 5. When I connect directly to
> http://localhost:8080/HP/admin/ the Tomcat FORM authentication works fine,
> but when I try to connect to http://localhost/HP/admin I get the following
> error:
>
> HTTP Status 403 - Access to the requested resource has been denied
>
> --
--
> 
>
> type Status report
>
> message Access to the requested resource has been denied
>
> description Access to the specified resource (Access to the requested
> resource has been denied) has been forbidden.
>
>
> --
--
> 
>
> Apache Tomcat/4.1.12
>
> Here is the relevant extract from my web.xml file:
>
> 
>   HP Administration
>   
>  Protected Area
>  /admin/*
>   
>   
>  HP_admin
>   
> 
>
> 
>   FORM
>   users
>   
> /admin/login.jsp
> /error.html
>   
> 
>
>
> 
> 
>   HP_admin
> 
>
> I'm using the isapi_redirect.dll filter in IIS to redirect any request to
> *.jsp to Tomcat. (Works fine outside of the secure sections)
>
> Any ideas on how to correct this error.
>
> Paul
>
>
>
>







Re: Tomcat 4.1.12 Form authentication with IIS 5

2003-02-13 Thread Sean Dockery
What happens when you move your form-login-page outside of the /admin/
folder?

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com
- Original Message -
From: "Paul Bothma" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 13, 2003 06:11
Subject: Tomcat 4.1.12 Form authentication with IIS 5


> Hi,
>
> I'm using Tomcat 4.1.12 with IIS 5. When I connect directly to
> http://localhost:8080/HP/admin/ the Tomcat FORM authentication works fine,
> but when I try to connect to http://localhost/HP/admin I get the following
> error:
>
> HTTP Status 403 - Access to the requested resource has been denied
>
> --
--
> 
>
> type Status report
>
> message Access to the requested resource has been denied
>
> description Access to the specified resource (Access to the requested
> resource has been denied) has been forbidden.
>
>
> --
--
> 
>
> Apache Tomcat/4.1.12
>
> Here is the relevant extract from my web.xml file:
>
> 
>   HP Administration
>   
>  Protected Area
>  /admin/*
>   
>   
>  HP_admin
>   
> 
>
> 
>   FORM
>   users
>   
> /admin/login.jsp
> /error.html
>   
> 
>
>
> 
> 
>   HP_admin
> 
>
> I'm using the isapi_redirect.dll filter in IIS to redirect any request to
> *.jsp to Tomcat. (Works fine outside of the secure sections)
>
> Any ideas on how to correct this error?
>
> Paul
>
>
>
>







J2EE Form-based Authentication

2003-02-13 Thread Carlos Cajina
Although it may not address the specific requests made on this list, I found an 
article about form-based authentication that could be useful. Here it is: 
http://www.onjava.com/pub/a/onjava/2002/06/12/form.html

Regards.

Carlos


Tomcat 4.1.12 Form authentication with IIS 5

2003-02-13 Thread Paul Bothma
Hi,

I'm using Tomcat 4.1.12 with IIS 5. When I connect directly to
http://localhost:8080/HP/admin/ the Tomcat FORM authentication works fine,
but when I try to connect to http://localhost/HP/admin I get the following
error:

HTTP Status 403 - Access to the requested resource has been denied




type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested
resource has been denied) has been forbidden.





Apache Tomcat/4.1.12

Here is the relevant extract from my web.xml file:


  HP Administration
  
 Protected Area
 /admin/*
  
  
 HP_admin
  



  FORM
  users
  
/admin/login.jsp
/error.html
  





  HP_admin


I'm using the isapi_redirect.dll filter in IIS to redirect any request to
*.jsp to Tomcat. (Works fine outside of the secure sections)

Any ideas on how to correct this error?

Paul






Re: How to write custom authentication method forTomcat as well asweblogic/orion?

2003-02-12 Thread Soefara Redzuan


From: "Craig R. McClanahan" <[EMAIL PROTECTED]>

> Whilst Tomcat's JDBC Realms are easy to set up and get working,
> (http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html), I'm
> wondering how easy it might be to write our own authentication mechanism
> using Filters ?

You might want to check out at least one project that has already done
the kind of thing you describe:

  http://securityfilter.sourceforge.net


Oooh, how cool is that? :)

Thank you Craig.

Soefara.








Re: How to write custom authentication method forTomcat as well asweblogic/orion?

2003-02-12 Thread Craig R. McClanahan


On Wed, 12 Feb 2003, Soefara Redzuan wrote:

> Date: Wed, 12 Feb 2003 14:38:22 +0800
> From: Soefara Redzuan <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: How to write custom authentication method forTomcat as well as
> weblogic/orion?
>
> Whilst Tomcat's JDBC Realms are easy to set up and get working,
> (http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html), I'm
> wondering how easy it might be to write our own authentication mechanism
> using Filters ?

You might want to check out at least one project that has already done
the kind of thing you describe:

  http://securityfilter.sourceforge.net

Craig





Re: Client authentication optional

2003-02-12 Thread Tomcat User
Many thanks for your help. The patch does work fine, but I would like to 
have optional client authentication for obtaining security constraints (the 
CLIENT-CERT authentication method). How can I make client 
authentication optional for directories/servlets?

In JSSESocketFactory I changed .setNeedClientAuth(clientAuth); to:

String clientAuthOptStr = (String) attributes.get("clientauthopt");
if (clientAuthOptStr != null) {
    if (clientAuthOptStr.equals("true")) {
        .setWantClientAuth(clientAuth);
    } else if (clientAuthOptStr.equals("false")) {
        .setNeedClientAuth(clientAuth);
    } else {
        throw new IOException("Invalid value '" +
            clientAuthOpt +
            "' for 'clientauth' parameter:");
    }
}

I have introduced clientAuthOptional = "true/false" in server.xml but this 
patch doesn't work.

Regards.

At 09:04 12/02/2003 +0100, you wrote:
i had the same problem and the only solution is to patch the existing
org.apache.tomcat.util.net.jsse.JSSESocketFactory
there you have to change
.setNeedClientAuth(clientAuth);
to
.setWantClientAuth(clientAuth);

if you want i can send you the patched file .class or the complete .jar 
to your private address.

i would like to have a setting in the server.xml:
clientAuthOptional = true/false
that would be nice!

Tomcat User wrote:
Hi all.

I work with secure applications (Tomcat 4.1.18 with SSL + client 
authentication using certificates) and I would like to have client 
authentication optional, because in the server.xml file client 
authentication is either obligatory or not (clientAuth = true or false).

How can I resolve my problem?

Many thanks and regards.
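With the patched socket factory (setWantClientAuth in place of setNeedClientAuth) a browser that presents no certificate still completes the TLS handshake, so the container no longer refuses anybody; the decision of which paths really need a certificate moves into the application. The following servlet filter is an added example of that check, written for this thread in the javax.servlet API of the Tomcat 4 era; it is not code from the thread or from Tomcat itself. It reads the standard javax.servlet.request.X509Certificate request attribute, which the container sets only when the client chain was presented and validated against the connector's truststore. The init-parameter name certRequiredPrefixes and the attribute clientCertSubject are my own names.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Makes "optional" client authentication explicit at the application layer.
 *
 * Once the connector only *wants* a certificate, the handshake succeeds with
 * or without one. Paths that start with one of the comma-separated prefixes in
 * the init-param "certRequiredPrefixes" (hypothetical name) are refused unless
 * a verified chain is present; every other path is served either way.
 */
public class OptionalClientCertFilter implements Filter {

    // Servlet 2.3 standard attribute. Tomcat sets it only when the client sent
    // a chain that validated against the connector's truststore.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private String[] requiredPrefixes = new String[0];

    public void init(FilterConfig config) {
        String raw = config.getInitParameter("certRequiredPrefixes");
        if (raw != null) {
            requiredPrefixes = raw.split("\\s*,\\s*");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] presented = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String path = pathWithinApp(request);

        if (requiresCertificate(path) && presented == null) {
            // No certificate, or one the truststore rejected: stop here rather
            // than falling through to the unauthenticated part of the webapp.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "Client certificate required for " + path);
            return;
        }
        if (presented != null) {
            // Hand the subject to the application for logging and authorization.
            request.setAttribute("clientCertSubject",
                presented[0].getSubjectX500Principal().getName());
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /** True when the request path falls under a prefix that demands a certificate. */
    boolean requiresCertificate(String path) {
        for (int i = 0; i < requiredPrefixes.length; i++) {
            if (path.startsWith(requiredPrefixes[i])) {
                return true;
            }
        }
        return false;
    }

    private static String pathWithinApp(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return pathInfo == null ? servletPath : servletPath + pathInfo;
    }
}
```

Map the filter to /* in web.xml and set certRequiredPrefixes to the protected prefixes (for example /admin). The point of checking the attribute rather than the mere fact that the connection is HTTPS is that with the patched factory the transport layer alone no longer tells you whether the client authenticated.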






Re: Client authentication optional

2003-02-12 Thread joe
i had the same problem and the only solution is to patch the existing
org.apache.tomcat.util.net.jsse.JSSESocketFactory
there you have to change
.setNeedClientAuth(clientAuth);
to
.setWantClientAuth(clientAuth);

if you want i can send you the patched file .class or the complete .jar 
to your private address.

i would like to have a setting in the server.xml:
clientAuthOptional = true/false
that would be nice!

Tomcat User wrote:

Hi all.

I work with secure applications (Tomcat 4.1.18 with SSL + client 
authentication using certificates) and I would like to have client 
authentication optional, because in the server.xml file client 
authentication is either obligatory or not (clientAuth = true or false).

How can I resolve my problem?

Many thanks and regards.








How to write custom authentication method forTomcat as well as weblogic/orion?

2003-02-11 Thread Soefara Redzuan
Whilst Tomcat's JDBC Realms are easy to set up and get working, 
(http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html), I'm 
wondering how easy it might be to write our own authentication mechanism 
using Filters ?  There are a few reasons for this,
1) We'd like a security mechanism which has "Groups" as well as users and 
roles, with roles attached to groups (as well as users).
2) The current JDBC Realm is logging off users (sometimes within a minute of 
them logging-in).
3) We'd like a security mechanism that will work with Weblogic and Websphere 
as well as Tomcat, with little (or no) change.
4) We would like the passwords encrypted in the database.

Having thought about this for a while, it seems that I could easily write 
one as follows,
- create a AuthenticatedUser javabean
- write a Filter that checks whether an AuthenticatedUser object exists in 
the session.  If it does, the user is authenticated. If not, the Filter 
redirects to a log-in page instead. Also remember the originally requested 
URL.
- create a login page and an associated FormHandler which simply 
authenticates against the database and creates an AuthenticatedUser object 
in the session, then redirects to the originally requested URL.

Is that it or have I overlooked something?  It seems a bit too simple.

Thank you very much in advance.

Soefara Redzuan.
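The three-step design above, carried through as an added example (my code, not the poster's and not the securityfilter project's) in the javax.servlet API. It keeps the names from the post where they exist (AuthenticatedUser) and adds hypothetical ones: AuthenticationFilter, LoginServlet, UserRecord, PasswordHasher, the init-param loginPage and the /login mapping. The database query is left as an abstract find() method, since the post says the store is JDBC. Beyond the three steps it shows the points a reviewer would raise about "too simple": the login page must be let through or the filter redirects forever, the remembered URL must be an in-app path or the login handler becomes an open redirect, the session id must be rotated at login, and item 4 (passwords not stored in clear) is done with a salted PBKDF2 hash and a constant-time compare.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Step 1: the session marker. Roles come from the user's groups as well as the user. */
class AuthenticatedUser implements Serializable {
    final String name;
    final Set<String> roles;
    AuthenticatedUser(String name, Set<String> roles) {
        this.name = name;
        this.roles = Collections.unmodifiableSet(roles);
    }
    boolean hasRole(String role) { return roles.contains(role); }
}

/** What the user table holds (hypothetical): a per-user salt and a PBKDF2 hash, never the password. */
class UserRecord {
    final byte[] salt, hash;
    final Set<String> roles;
    UserRecord(byte[] salt, byte[] hash, Set<String> roles) { this.salt = salt; this.hash = hash; this.roles = roles; }
}

final class PasswordHasher {
    static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    /** Constant-time comparison: response time must not reveal how many bytes matched. */
    static boolean matches(char[] password, byte[] salt, byte[] storedHash) {
        return MessageDigest.isEqual(derive(password, salt), storedHash);
    }
}

/** Step 2: every request except the login page and its handler needs the session marker. */
public class AuthenticationFilter implements Filter {
    static final String USER_ATTR = "authenticatedUser", RETURN_TO_ATTR = "returnTo";
    private String loginPage;

    public void init(FilterConfig cfg) {
        loginPage = cfg.getInitParameter("loginPage");   // hypothetical init-param, e.g. /login.jsp
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());
        // Overlooked in the plan: without this exemption the filter redirects the login page to itself.
        if (path.equals(loginPage) || path.equals("/login")) {
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            String query = request.getQueryString();
            // Remember the original URL as a path inside this webapp, never as a full URL.
            request.getSession(true).setAttribute(RETURN_TO_ATTR, query == null ? path : path + "?" + query);
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}

/** Step 3: the form handler, mapped to /login. Subclass it with the JDBC lookup. */
abstract class LoginServlet extends HttpServlet {
    /** Returns the stored record for a user name, or null; this is the database query. */
    protected abstract UserRecord find(String name) throws IOException;

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String name = request.getParameter("username");
        String password = request.getParameter("password");
        UserRecord rec = name == null ? null : find(name);
        if (rec == null || password == null || !PasswordHasher.matches(password.toCharArray(), rec.salt, rec.hash)) {
            response.sendRedirect(request.getContextPath() + "/login.jsp?failed=1");
            return;
        }
        HttpSession old = request.getSession(false);
        String returnTo = old == null ? null : (String) old.getAttribute(AuthenticationFilter.RETURN_TO_ATTR);
        if (old != null) old.invalidate();   // session fixation: never keep the id issued before login
        request.getSession(true).setAttribute(AuthenticationFilter.USER_ATTR, new AuthenticatedUser(name, rec.roles));
        // Follow only a relative in-app path; "http://..." or "//host" here would be an open redirect.
        if (returnTo == null || !returnTo.startsWith("/") || returnTo.startsWith("//")) returnTo = "/";
        response.sendRedirect(request.getContextPath() + returnTo);
    }
}
```

Role checks (item 1 in the post) then become AuthenticatedUser.hasRole() calls in the pages or in a second filter, and because nothing here depends on a container Realm the same classes deploy unchanged on the other servers named in item 3.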






Client authentication optional

2003-02-11 Thread Tomcat User
Hi all.

I work with secure applications (Tomcat 4.1.18 with SSL + client 
authentication using certificates) and I would like to have client 
authentication optional, because in the server.xml file client 
authentication is either obligatory or not (clientAuth = true or false).

How can I resolve my problem?

Many thanks and regards.





Re: CLIENT-CERT authentication method

2003-02-11 Thread Bill Barker

"Manuel Gil Perez" <[EMAIL PROTECTED]> wrote in message
news:5.2.0.9.0.20030210123926.00ba8310@localhost...
> Hi all.
>
> Currently (in Tomcat 4.1.18), is the CLIENT-CERT authentication method defined
> within a Realm?

Yes.

>
> Regards.
>
> --
>
> 
>  CLIENT-CERT
>  OnJava Application
> 








CLIENT-CERT authentication method

2003-02-10 Thread Manuel Gil Perez
Hi all.

Currently (in Tomcat 4.1.18), is the CLIENT-CERT authentication method defined 
within a Realm?

Regards.

--


CLIENT-CERT
OnJava Application






RE: DataSourceRealm, Exception performing authentication ?

2003-02-10 Thread Uros Kotnik
I found the bug on Bugzilla:


http://www.mail-archive.com/tomcat-dev@jakarta.apache.org/msg40185.html
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16316



-Original Message-
From: news [mailto:[EMAIL PROTECTED]] On Behalf Of Sean Dockery
Sent: Saturday, February 08, 2003 20:12 
To: [EMAIL PROTECTED]
Subject: Re: DataSourceRealm, Exception performing authentication ?

Did you declare the Realm after your Resource or before it?


--
Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

"Uros Kotnik" <[EMAIL PROTECTED]> wrote in message
news:017501c2cf7f$9684b170$[EMAIL PROTECTED]...
> Here is the problem,
>
> I defined DataSource in Server.xml in Context for my app like this :
>
>  type="javax.sql.DataSource"/>
> 
> 
>
> and that connection is working OK from my test servlet like this :
>
>   Context initCtx = new InitialContext();
>   Context envCtx = (Context) initCtx.lookup("java:comp/env");
>   DataSource ds = (DataSource)envCtx.lookup("jdbc/TestDB");
>
> But when I define DataSourceRealm in Context for my app.
>
> 
> dataSourceName="jdbc/TestDB"
> userTable="ic_users" userNameCol="login_name" userCredCol="password"
> userRoleTable="ic_groups" roleNameCol="group_name"/>
>
> I tried diverse combinations of DS name like :
> "java:comp/env/jdbc/TestDB"
>
> But I always get an exception from
> org.apache.catalina.realm.DataSourceRealm :
>
> 2003-02-08 15:35:06 DataSourceRealm[/testapp]: Exception performing authentication
> javax.naming.NameNotFoundException: Name jdbc is not bound in this Context
>         at org.apache.naming.NamingContext.lookup(NamingContext.java:811)
>         at org.apache.naming.NamingContext.lookup(NamingContext.java:194)
>         at org.apache.catalina.realm.DataSourceRealm.open(DataSourceRealm.java:463)
>         at org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:315)
>         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:263)
>         .
>         .
>
> What could be the problem ?
>
> Thanx.
>
>










Re: DataSourceRealm, Exception performing authentication ?

2003-02-08 Thread Sean Dockery
Did you declare the Realm after your Resource or before it?


--
Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

"Uros Kotnik" <[EMAIL PROTECTED]> wrote in message
news:017501c2cf7f$9684b170$[EMAIL PROTECTED]...
> Here is the problem,
>
> I defined DataSource in Server.xml in Context for my app like this :
>
>  type="javax.sql.DataSource"/>
> 
> 
>
> and that connection is working OK from my test servlet like this :
>
>   Context initCtx = new InitialContext();
>   Context envCtx = (Context) initCtx.lookup("java:comp/env");
>   DataSource ds = (DataSource)envCtx.lookup("jdbc/TestDB");
>
> But when I define DataSourceRealm in Context for my app.
>
> 
> dataSourceName="jdbc/TestDB"
> userTable="ic_users" userNameCol="login_name" userCredCol="password"
> userRoleTable="ic_groups" roleNameCol="group_name"/>
>
> I tried diverse combinations of DS name like :
> "java:comp/env/jdbc/TestDB"
>
> But I always get an exception from
> org.apache.catalina.realm.DataSourceRealm :
>
> 2003-02-08 15:35:06 DataSourceRealm[/testapp]: Exception performing authentication
> javax.naming.NameNotFoundException: Name jdbc is not bound in this Context
>         at org.apache.naming.NamingContext.lookup(NamingContext.java:811)
>         at org.apache.naming.NamingContext.lookup(NamingContext.java:194)
>         at org.apache.catalina.realm.DataSourceRealm.open(DataSourceRealm.java:463)
>         at org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:315)
>         at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:263)
>         .
>         .
>
> What could be the problem ?
>
> Thanx.
>
>








DataSourceRealm, Exception performing authentication ?

2003-02-08 Thread Uros Kotnik
Here is the problem,

I defined a DataSource in server.xml in the Context for my app like this:





and that connection is working OK from my test servlet like this:

  Context initCtx = new InitialContext();
  Context envCtx = (Context) initCtx.lookup("java:comp/env");
  DataSource ds = (DataSource)envCtx.lookup("jdbc/TestDB");

But when I define a DataSourceRealm in the Context for my app:



I tried diverse combinations of the DS name like:
"java:comp/env/jdbc/TestDB"

But I always get an exception from
org.apache.catalina.realm.DataSourceRealm:

2003-02-08 15:35:06 DataSourceRealm[/testapp]: Exception performing authentication
javax.naming.NameNotFoundException: Name jdbc is not bound in this Context
        at org.apache.naming.NamingContext.lookup(NamingContext.java:811)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:194)
        at org.apache.catalina.realm.DataSourceRealm.open(DataSourceRealm.java:463)
        at org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:315)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:263)
        .
        .

What could be the problem?

Thanx.








Re: JDBC Realm Authentication Problem

2003-02-07 Thread Sean Dockery
Yes, that is correct.  To have a Realm apply only to a context, it must be
declared inside the context tags.  So...



becomes


  



--
Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

"Geoff Peters" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
Sean - I didn't omit anything in my post - the server.xml is as it is in my
app. I think you might have inadvertently answered my question: does my
context level realm physically have to reside inside the context tag? (do I
have to put a  on after the realm)? I managed to get everything
working. It is authenticating the manager app against the database fine now,
and the lower level authentication works as well. I am not sure which realm
is being used where, so I am going to create a new database and see that it is
working right.


Thanks for the reply!!

Geoff











RE: JDBC Realm Authentication Problem

2003-02-07 Thread Geoff Peters
Sean - I didn't omit anything in my post - the server.xml is as it is in my app. I 
think you might have inadvertently answered my question: does my context level realm 
physically have to reside inside the context tag? (do I have to put a  on 
after the realm)? I managed to get everything working. It is authenticating the 
manager app against the database fine now, and the lower level authentication works as 
well. I am not sure which realm is being used where, so I am going to create a new 
database and see that it is working right.


Thanks for the reply!!

Geoff

-Original Message-
From: Sean Dockery [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 06, 2003 8:34 PM
To: Tomcat Users List
Subject: Re: JDBC Realm Authentication Problem


Where I wrote "did you remove," I meant to write "did you omit."  Basically 
I want to know exactly what you edited out of the server.xml file that you 
put in your message because you didn't think it was relevant.

Basically, I suspect that if you left the memory realm at the engine level 
that authentication is failing against the memory realm (so it doesn't 
bother checking your JDBC realm at the engine level).

At 17:27 2003-02-06 -0700, you wrote:
>Um.  I don't see a context-level realm in there.  There is a host-level 
>realm, however.  :-)
>
>Did you remove anything at all (such as other Realms) from the server.xml 
>file that you presented?
>
>At 13:29 2003-02-06 -0400, you wrote:
>>A small problem here, can't seem to figure out why.
>>
>>In the following server.xml, if I remove the context level realm, the 
>>authentication fails against the database (I can connect on startup, but 
>>I cannot authenticate to access the manager or admin applications). 
>>However, if I put the context level JDBC realm back in (exactly the same 
>>as the top level realm)
>>
>>Removing the top level realm makes no difference on startup or 
>>authentication. Shouldn't I be able to authenticate for the manager and 
>>admin outside of a context level database?
>>
>>
>>Thanks!!
>>
>>Geoff
>>
>>
>>SERVER.XML:
>>
>>
>>
>>   
>>
>>
>>
>> > port="80" minProcessors="5" maxProcessors="75"
>>enableLookups="true" redirectPort="8443"
>>acceptCount="100" debug="0" connectionTimeout="2"
>>useURIValidationHack="false" disableUploadTimeout="true" />
>>
>>
>> 
>>
>>
>>   >   prefix="catalina_log." suffix=".txt"
>>   timestamp="true"/>
>>
>>
>>  >   driverName="org.gjt.mm.mysql.Driver"
>>connectionURL="jdbc:mysql://somewhere.com/MailAdmn"
>>   connectionName="user" connectionPassword="password"
>> userTable="tblUsers" userNameCol="user_name" 
>> userCredCol="user_pass"
>>   userRoleTable="tblUser_Role" roleNameCol="role_name" digest = 
>> "md5"/>
>>
>>
>>   > autoDeploy="true">
>>
>>
>>>  directory="logs"  prefix="gpeters_access_log." 
>> suffix=".txt"
>>  pattern="common" resolveHosts="false"/>
>>
>> >  directory="logs"  prefix="gpeters_log." suffix=".txt"
>> timestamp="true"/>
>>
>>   
>>
>>
>> >   reloadable="true" crossContext="true" />
>>
>> > debug="99"
>> driverName="org.gjt.mm.mysql.Driver"
>> connectionURL="jdbc:mysql://somewhere.com/MailAdmn"
>> connectionName="user" 
>> connectionPassword="password"  userTable="tblUsers" 
>> userNameCol="user_name"   userCredCol="user_pass"
>> userRoleTable="tblUser_Role" 
>> roleNameCol="role_name" digest = "md5"/>
>>
>>
>> >   prefix="tomcat_MailApp_log." suffix=".txt" 
>> timestamp="true" />
>>
>>
>>   
>>
>>

CLIENT-CERT for client authentication (with MemoryRealm)

2003-02-07 Thread Manuel Gil Perez
Hi all.

Currently, I have a secure web application with Apache + mod_ssl and it 
works fine. I would like to change to Tomcat with security constraints for 
directories (with client authentication). For this, I would like to protect 
a resource with a MemoryRealm. I'm following these steps:
1. Open /conf/server.xml and uncomment the following line:
 
2. Open /webapps/demo/WEB-INF/web.xml to add the following security 
constraint:
 

   OnJava
   /dirDemo/*


   tomcat

  
  
 CLIENT-CERT
 OnJava
  

3. In /conf/tomcat-users.xml I have the following user:
 
The username is the same as the certificate's distinguished name.
Stop and restart the Tomcat server. When I open the URL 
https://localhost:8443 I obtain the error: HTTP Status 403 - Cannot 
authenticate with the provided credentials

Can somebody help me with my error?

Thanks in advance and regards.

--

Tomcat: version 4.1.18 with SSL
OS: Red Hat 7.3



--
  Manuel Gil Pérez - Proyecto m-PISCIS
  DIIC - Dpto. Ingeniería de la Información y las Comunicaciones
  Facultad de Informática - Universidad de Murcia (Spain)
  Tel: +34 968228258

  ANTS Research Group - http://ants.dif.um.es  
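The usual cause of exactly this 403 with CLIENT-CERT and a MemoryRealm is that the username in tomcat-users.xml is not byte-for-byte the string the realm derives from the certificate. In the Tomcat 4.1 RealmBase, as far as I recall it, authenticate(X509Certificate[]) first calls checkValidity() on every certificate in the chain and then looks up certs[0].getSubjectDN().getName() as the username; verify that against the RealmBase source of your release. That string has the "CN=..., OU=..., O=..., C=.." shape with Java's own ordering and spacing, which is not what openssl prints and not the RFC 2253 form. The small tool below is an added example (mine, not the poster's and not part of Tomcat) that prints the exact value to paste into tomcat-users.xml for a certificate exported from the browser; the class name CertUserName is my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Prints the username Tomcat's CLIENT-CERT authenticator will look up for a
 * given client certificate.
 *
 * Usage: java CertUserName client.cer   (DER or PEM; both are accepted by the
 * X.509 CertificateFactory)
 */
public class CertUserName {

    public static X509Certificate load(InputStream in) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(in);
    }

    /**
     * The value RealmBase (Tomcat 4.1, assumption stated in the lead-in) hands
     * to getPrincipal(): the subject DN in java.security.Principal form.
     */
    public static String tomcatUserName(X509Certificate cert) {
        return cert.getSubjectDN().getName();
    }

    /** RFC 2253 form of the same subject; shown only to make the difference visible. */
    public static String rfc2253Name(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        InputStream in = new FileInputStream(args[0]);
        try {
            X509Certificate cert = load(in);
            // RealmBase rejects an expired or not-yet-valid chain before any lookup,
            // so an out-of-date certificate also ends in the 403 from the thread.
            cert.checkValidity();
            System.out.println("tomcat-users.xml username=\"" + tomcatUserName(cert) + "\"");
            System.out.println("RFC 2253 form (not what the realm matches): " + rfc2253Name(cert));
        } finally {
            in.close();
        }
    }
}
```

If the printed DN contains a double quote, escape it as &quot; in the XML attribute; if it differs from what is in tomcat-users.xml by even a space after a comma, the MemoryRealm returns no principal and the authenticator answers with the 403 quoted above.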
