Hi there, I'm having a problem with Tomcat 6.0.20 when attempting to configure CombinedRealm authentication. I'm running on a CentOS 5 machine.

Scenario: I want to set up certificate auth with form fallback using the class provided here: http://wiki.apache.org/tomcat/SSLWithFORMFallback6. Certificate DNs are stored in the users table of a MySQL database, along with user login names and passwords to be used if the form fallback is required. (Note: this is not really relevant to the problem! I just want to make sure you understand the setup I'm trying to implement. At the moment, for testing purposes, I have not configured the SSLWithFORMFallback Valve; I'm just using plain old CLIENT-CERT as my auth-method.) Thus I need to have two realms, one which uses the DN as the username and the other which uses the standard login username, because nobody is going to log in using their certificate DN as their user name.

Config: server.xml contains the following:

  <Realm className="org.apache.catalina.realm.CombinedRealm">
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="elgriddb" userTable="users" userNameCol="user_name"
           userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name"
           localDataSource="true"/>
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="elgriddb" userTable="users" userNameCol="user_dn"
           userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name"
           localDataSource="true"/>
  </Realm>

While webapps/elgrid/META-INF/context.xml is quoted in full below:

  <?xml version='1.0' encoding='utf-8'?>
  <Context>
    <Resource name="elgriddb" auth="Container" type="javax.sql.DataSource"
              maxActive="100" maxIdle="30" maxWait="10000"
              username="elgrid" password="elgrid"
              driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://localhost:3306/elgrid?autoReconnect=true"/>
  </Context>

Problem: I have turned on MySQL debug logging in order to see if requests are hitting the database, and I can see that when I authenticate with my certificate the first Realm is being used. I see the following queries hit the DB:

  SELECT user_pass FROM users WHERE user_name = 'CN=Kathryn Cassidy, L=Something, OU=blah blah, etc.'
  SELECT role_name FROM user_roles WHERE user_name = 'CN=Kathryn Cassidy, L=Something, OU=blah blah, etc.'

but authentication fails because it is looking for the DN in the user_name column. I think the expected behavior should be that it then tries the second Realm, which uses the user_dn field as userNameCol, and this time it should succeed. However, I never see the second set of auth queries reach the database, and I am denied access.

If I put the second Realm definition first in the list then I can successfully authenticate, so there is nothing wrong with the definition itself; it appears that it is simply not attempting to authenticate with the second realm. I tried using JDBCRealm instead of DataSourceRealm and the effect was the same. However, things did seem to work when I put MemoryRealm first in the list of Realms, followed by either a JDBCRealm or DataSourceRealm. I was able to authenticate off the MemoryRealm, or if it failed to authenticate I could still authenticate off the second realm. It just doesn't seem to work with the other Realm types. According to the documentation it is supposed to work with two Realms of the same type (and I tried one JDBC and one DataSource realm anyway, just to be sure, same result).

I'm running out of ideas. Has anyone seen this sort of problem before?

Thanks,
Kathryn.
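As an added illustration (not part of Kathryn's post and not Tomcat's own code), the model below shows the fall-through semantics a realm chain is expected to have for CLIENT-CERT: each realm is asked for the certificate subject DN in turn, a realm that does not know the DN returns no principal at all, and the first realm that does return one ends the search. The role lookup reuses the same userNameCol as the password lookup, as Tomcat's DataSourceRealm does, so the second realm queries user_roles by user_dn. Table and column names are taken from the post; the login name, password, role name and the sqlite in-memory database are constructed for the example. The LeakyRealm class is a hypothesis, not a statement about Tomcat: it shows that if the first realm hands back a principal with no roles for an unknown DN, the chain stops, the second realm is never queried, and the request is then refused at the role check, which is the pattern of two queries followed by a denial that the post describes.

```python
"""Model of realm chaining for certificate authentication (added example, not Tomcat code)."""
import sqlite3
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data. The DN shape follows the post; the login name,
# password and role name are made up for this example.
SAMPLE_DN = "CN=Kathryn Cassidy, L=Something, OU=blah blah"
SAMPLE_USER = "kcassidy"
SAMPLE_ROLE = "elgrid-user"


@dataclass
class Principal:
    name: str
    roles: List[str] = field(default_factory=list)


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL users/user_roles tables named in the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (user_name TEXT, user_dn TEXT, user_pass TEXT);"
        "CREATE TABLE user_roles (user_name TEXT, user_dn TEXT, role_name TEXT);"
    )
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (SAMPLE_USER, SAMPLE_DN, "secret"))
    conn.execute("INSERT INTO user_roles VALUES (?, ?, ?)", (SAMPLE_USER, SAMPLE_DN, SAMPLE_ROLE))
    conn.commit()
    return conn


class DataSourceRealm:
    """Looks a user up by one configured column, in the manner of Tomcat's DataSourceRealm.

    For CLIENT-CERT the realm receives the certificate subject DN as the user name,
    and the roles query reuses the same userNameCol. Table and column names come
    from configuration, never from the request, so only the DN is bound as a parameter."""

    def __init__(self, conn, user_name_col, user_table="users", user_cred_col="user_pass",
                 user_role_table="user_roles", role_name_col="role_name"):
        self.conn = conn
        self.user_query = f"SELECT {user_cred_col} FROM {user_table} WHERE {user_name_col} = ?"
        self.roles_query = f"SELECT {role_name_col} FROM {user_role_table} WHERE {user_name_col} = ?"
        self.query_log: List[str] = []  # stands in for the MySQL debug log in the post

    def _run(self, sql: str, dn: str):
        self.query_log.append(f"{sql} [{dn}]")
        return self.conn.execute(sql, (dn,)).fetchall()

    def authenticate_certificate(self, dn: str) -> Optional[Principal]:
        if not self._run(self.user_query, dn):
            return None  # unknown DN: no principal, so the chain moves to the next realm
        roles = [row[0] for row in self._run(self.roles_query, dn)]
        return Principal(dn, roles)


class LeakyRealm(DataSourceRealm):
    """Hypothetical misbehaving realm (not a claim about Tomcat's code): it runs both
    queries and always returns a principal, even when the DN matched no user."""

    def authenticate_certificate(self, dn: str) -> Optional[Principal]:
        self._run(self.user_query, dn)  # result ignored
        roles = [row[0] for row in self._run(self.roles_query, dn)]
        return Principal(dn, roles)  # a principal with no roles ends the chain


class CombinedRealm:
    """The first realm that returns a principal wins; None means try the next one."""

    def __init__(self, realms: List[DataSourceRealm]):
        self.realms = realms

    def authenticate_certificate(self, dn: str) -> Optional[Principal]:
        for realm in self.realms:
            principal = realm.authenticate_certificate(dn)
            if principal is not None:
                return principal
        return None


def is_authorized(principal: Optional[Principal], required_role: str) -> bool:
    """The security-constraint role check that follows authentication."""
    return principal is not None and required_role in principal.roles


def run_demo(first_realm_cls=DataSourceRealm) -> dict:
    """Chain the two realms from the post and report what reached the database."""
    conn = build_sample_db()
    by_name = first_realm_cls(conn, "user_name")  # first <Realm> in the post
    by_dn = DataSourceRealm(conn, "user_dn")      # second <Realm> in the post
    principal = CombinedRealm([by_name, by_dn]).authenticate_certificate(SAMPLE_DN)
    return {
        "authorized": is_authorized(principal, SAMPLE_ROLE),
        "queries_on_realm1": len(by_name.query_log),
        "queries_on_realm2": len(by_dn.query_log),
    }


if __name__ == "__main__":
    print("well-behaved chain:", run_demo())
    print("leaky first realm: ", run_demo(LeakyRealm))
```

With well-behaved realms the user_name realm issues one query, returns None, and the user_dn realm issues two and yields a principal carrying the role. With the leaky variant in front, two queries hit the first realm, none reach the second, and the role check refuses the request. The same query log is what a DBA-side trace, as in the post, would show in each case.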