Hello there. I've tried to configure a security realm for pages so that if a user certificate is present it will be used, but if it doesn't exist the application will resolve the situation with the user authentication level already known. After wrestling with the web.xml parameters and defining a user realm, I have found that Tomcat (4.1.27) returns a BAD REQUEST, and control is never given to the user realm defined. So, I turned to the source code.
In org.apache.catalina.authenticator.SSLAuthenticator.authenticate(), I've found this:

    . . .
    if ((certs == null) || (certs.length < 1)) {
        certs = (X509Certificate[])
            request.getRequest().getAttribute(Globals.SSL_CERTIFICATE_ATTR);
    }
    if ((certs == null) || (certs.length < 1)) {
        if (debug >= 1)
            log(" No certificates included with this request");
        hres.sendError(HttpServletResponse.SC_BAD_REQUEST,
                       sm.getString("authenticator.certificates"));
        return (false);
    }

    // Authenticate the specified certificate chain
    principal = context.getRealm().authenticate(certs);
    if (principal == null) {
        if (debug >= 1)
            log(" Realm.authenticate() returned false");
        hres.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                       sm.getString("authenticator.unauthorized"));
        return (false);
    . . .

So, this is the reason. If there are no client certificates, there is no chance for a user realm to take control. I commented out the `certs == null` if, and then everything worked fine. Even if the authenticator realm were the memory one, it returns a null that is caught by the last if.

Is there another way that I haven't seen to perform this same task? One without touching catalina.jar? This is a feature that is needed at the site I am programming for.

Thanks for your attention.

Alessio Lira
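The following is an added illustration of the fallback control flow the post asks for; it is not Tomcat code and not the poster's patch. It sketches an authenticator that, when no client chain is present, falls back only to a principal already established in the session and otherwise returns 401 rather than 400. The `CertRealm` interface, the `FallbackCertAuthenticator` class, the generic chain type `C` (a stand-in for `X509Certificate[]`) and the string-based test realm in `main` are all hypothetical constructions for this example.

```java
import java.security.Principal;

// Hypothetical stand-in for org.apache.catalina.Realm: given a client chain,
// return the mapped principal or null when the chain is not accepted.
interface CertRealm<C> {
    Principal authenticate(C chain);
}

// Result of one authentication decision, using the same status codes the
// SSLAuthenticator fragment in the post sends on failure.
final class Decision {
    static final int OK = 200;           // request may proceed with this principal
    static final int UNAUTHORIZED = 401; // HttpServletResponse.SC_UNAUTHORIZED
    final int status;
    final Principal principal;
    Decision(int status, Principal principal) {
        this.status = status;
        this.principal = principal;
    }
    @Override public String toString() {
        return status + (principal == null ? "" : " as " + principal.getName());
    }
}

// Authenticator that prefers a client certificate chain and falls back to an
// authentication already known for the session. A missing chain by itself
// never yields a principal; only a previously authenticated session does.
public final class FallbackCertAuthenticator<C> {
    private final CertRealm<C> realm;

    FallbackCertAuthenticator(CertRealm<C> realm) {
        this.realm = realm;
    }

    // chain: the client chain from the handshake, or null when none was sent.
    // sessionPrincipal: the principal established earlier in the session, or null.
    Decision authenticate(C chain, Principal sessionPrincipal) {
        if (chain == null) {
            // No certificate: instead of SC_BAD_REQUEST, reuse what the session
            // already knows. No session principal means no access.
            if (sessionPrincipal != null) {
                return new Decision(Decision.OK, sessionPrincipal);
            }
            return new Decision(Decision.UNAUTHORIZED, null);
        }
        // Chain present: the realm has the final word, exactly as in the
        // original code. A null from the realm is a rejection, not a fallback.
        Principal p = realm.authenticate(chain);
        if (p == null) {
            return new Decision(Decision.UNAUTHORIZED, null);
        }
        return new Decision(Decision.OK, p);
    }

    // Demo with a constructed realm that uses a String subject DN as the "chain"
    // and accepts only one known subject; a real realm would verify the
    // X509Certificate chain and map its subject to a user.
    public static void main(String[] args) {
        CertRealm<String> testRealm = subject ->
            "CN=alice".equals(subject) ? () -> "alice" : null;
        FallbackCertAuthenticator<String> auth =
            new FallbackCertAuthenticator<>(testRealm);
        Principal knownUser = () -> "bob"; // constructed session principal

        System.out.println("known cert, no session:   "
            + auth.authenticate("CN=alice", null));      // 200 as alice
        System.out.println("unknown cert, no session: "
            + auth.authenticate("CN=mallory", null));    // 401
        System.out.println("no cert, session known:   "
            + auth.authenticate(null, knownUser));       // 200 as bob
        System.out.println("no cert, no session:      "
            + auth.authenticate(null, null));            // 401
    }
}
```

The order of the checks is the point: the session fallback is consulted only when no chain arrived at all, so a chain that the realm rejects still ends in 401 and cannot be rescued by an older session principal.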