Hi,

I tried the following:
+ Add the method authenticate(...) to the file JDBCRealm.java
+ build a Tomcat distribution
+ replace the catalina.jar with the new version (on another machine)
+ add <role-name>full DN</role-name> to the web.xml
+ insert into table users ('DN','DN')
+ insert into table user_roles ('DN','DN')

Then I try to connect with a browser to the protected resource and the browser requests login and password.

Any suggestions?

thanks

Patrick



jazorin wrote:
Hi.

You can implement a JDBCRealm with client certificates by modifying the org.apache.catalina.realm.JDBCRealm class. You need to add the public Principal authenticate(X509Certificate[] cert) method. Inside, you have to include the following lines:

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.SQLException;

public Principal authenticate(X509Certificate[] cert) {

    // No client certificate was presented: not authenticated
    if (cert == null || cert.length < 1)
        return (null);

    Connection dbConnection = null;

    try {

        // Obtain DN from client certificate.
        String dn = cert[0].getSubjectDN().getName();

        // Ensure that we have an open database connection
        dbConnection = open();

        // Acquire a Principal object for this user
        // (the DN is used as both user name and credentials)
        Principal principal = authenticate(dbConnection,
                                           dn, dn);

        // Release the database connection we just used
        release(dbConnection);

        // Return the Principal (if any)
        return (principal);

    } catch (SQLException e) {

        // Log the problem for posterity
        log(sm.getString("jdbcRealm.exception"), e);

        // Close the connection so that it gets reopened next time
        if (dbConnection != null)
            close(dbConnection);

        // Return "not authenticated" for this request
        return (null);

    }
}

In authenticate(dbConnection,dn,dn); -> first dn = name of user (login) and second dn = credentials. These credentials can be the OU of the certificate, etc.

With the previous example you have to put the full DN in <role-name> of web.xml, and you need to create a user in the DB with username = full DN and credentials = full DN.

Luck!!

-------------------------------------
At 16:44 13/03/2003 +0100, you wrote:
Hello,

Is it correct that only Memory- and JNDIRealm can perform the mapping
between the DN included in a certificate and a user's role?

Because of the lack of dynamic changes in MemoryRealm, I want to replace
it with a JDBCRealm. Is there any information available on how to implement
a JDBCRealm that authenticates users by CLIENT-CERT?

thanks in advance

Patrick



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
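
An added example, not part of the original messages or of Tomcat's code: with the approach described in this thread, the value stored in the users and user_roles tables and in <role-name> has to equal, character for character, the string that cert[0].getSubjectDN().getName() returns, because the realm compares plain strings rather than parsed names. The class name, helper names and sample DNs below are constructed for illustration; the check classifies candidate stored values against the DN string the realm would see.

```java
import javax.security.auth.x500.X500Principal;

public class DnMatchCheck {

    /** Parse a DN string; returns null when it is not RFC 2253/1779 syntax. */
    static X500Principal parse(String dn) {
        try {
            return new X500Principal(dn);
        } catch (IllegalArgumentException e) {
            return null; // e.g. a slash-separated one-line form
        }
    }

    /** Classify a stored value against the DN string the realm receives. */
    static String classify(String certDn, String stored) {
        if (certDn.equals(stored)) {
            return "MATCH";                       // what a plain string comparison needs
        }
        X500Principal a = parse(certDn);
        X500Principal b = parse(stored);
        if (a == null || b == null) {
            return "UNPARSEABLE";
        }
        // X500Principal.equals() compares the canonical form of both names
        return a.equals(b) ? "SAME SUBJECT, DIFFERENT STRING" : "DIFFERENT SUBJECT";
    }

    public static void main(String[] args) {
        // Constructed sample of what cert[0].getSubjectDN().getName() might return
        // (the exact format depends on the security provider).
        String certDn = "CN=Patrick Example, OU=Dev, O=Example Org, C=DE";

        // Constructed candidates for the value stored in the tables and <role-name>.
        String[] storedValues = {
            "CN=Patrick Example, OU=Dev, O=Example Org, C=DE",
            "CN=Patrick Example,OU=Dev,O=Example Org,C=DE",
            "cn=patrick example, ou=dev, o=example org, c=de",
            "C=DE, O=Example Org, OU=Dev, CN=Patrick Example",
            "/C=DE/O=Example Org/OU=Dev/CN=Patrick Example",
        };
        for (String stored : storedValues) {
            System.out.printf("%-32s %s%n", classify(certDn, stored), stored);
        }
    }
}
```

Any row other than MATCH means the stored value should be replaced with the exact string logged from the realm for that certificate.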





