I have configured the files as you said in the e-mail, but when I start
Tomcat I get the following error in the "catalina.out" file:
 Exception creating UserDatabase MBeans for UserDatabase
javax.management.MalformedObjectNameException:  Invalid  character  '='  in
value part of property

And it is because of the following property value in the "tomcat-users.xml"
file:
username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
It seems Tomcat does not like the '=' character inside a property value.
I have also tried writing:
username="CN\=Mark Thomas, OU\=WWW, O\=XXX, L\=YYY, ST\=ZZZ, C\=GB"
But I still get the same error.

Don't you get the same error message? How can I avoid this?

Thanks in advance and regards,
Idoia

"Mark Thomas" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
cc:
Subject: RE: tomcat certificate
18/03/04 20:46
Please reply to "Tomcat Users List"

The important files are:
server.xml:
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile="conf/.keystore"
               clientAuth="false" protocol="TLS" />
    </Connector>
...
    <Realm className="org.apache.catalina.realm.MemoryRealm" />

tomcat-users.xml:
  <user username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
password="null" roles="tomcat,certs"/>

web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

    <display-name>Bug 12218</display-name>
    <description>
      Test web app for bug 12218.
    </description>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>App</web-resource-name>
        <url-pattern>/protected.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>tomcat</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <security-role>
      <role-name>tomcat</role-name>
    </security-role>

</web-app>


The steps I tend to follow when setting this sort of thing up are:
1. Build simple two page web app.
2. Configure one page to require basic authentication
3. Test basic auth - checks tomcat-users.xml and realm set up correctly
4. Configure SSL
5. Test http://localhost:8443/ - checks SSL set up
6. Test app with SSL - not really necessary but best to double check
7. Reconfigure app to use CLIENT-CERT

> -----Original Message-----
> From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 18, 2004 8:01 AM
> To: Tomcat Users List
> Subject: RE: tomcat certificate
>
>
> Could you send us a sample of that "web.xml" file?
> I am also using client certificates over SSL with Tomcat, but as I could
> not find much information about it in Tomcat I configured it with Apache.
>
> Idoia
>
> "Mark Thomas" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: tomcat certificate
> 17/03/04 21:22
> Please reply to "Tomcat Users List"
>
> This is not correct. Tomcat does support CLIENT-CERT authentication
> 'out-of-the-box'. When combined with appropriate authorisation constraints
> in web.xml you can limit access to specific URLs.
>
> I have this working quite happily.
>
> Mark
>
> > -----Original Message-----
> > From: Rommel Sharma [mailto:[EMAIL PROTECTED]
> > Sent: Monday, February 23, 2004 11:28 AM
> > To: Tomcat Users List
> > Subject: Re: tomcat certificate
> >
> > Tomcat as such on its own does not parse and validate a certificate.
> > I don't think it's possible. You can identify a client through the
> > certificate alias the client uses.
> > Access to specific URLs depends on the server certificate where you specify
> > the URL and send the client your public key.
> > I think there is no automatic mechanism in Tomcat that studies the
> > certificate and allows access to specific URLs. This needs to be implemented
> > by any of our deployed programs.
> >
> > ----- Original Message -----
> > From: "secam secam" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Monday, February 23, 2004 4:17 PM
> > Subject: Re: tomcat certificate
> >
> > > Thanks,
> > >
> > > Here is my real problem,
> > >
> > > I've got an external server that authenticates the user and delivers a
> > > certificate with the trio User/Group/Role.
> > >
> > > In fact, I just want the certificate to give information about the user to
> > > Tomcat in order to permit access to some specific URLs.
> > >
> > > Is it possible?
> > >
> > > Regards
> > >
> > > Secam
> > >
> > > Rommel Sharma <[EMAIL PROTECTED]> wrote:
> > > If you mean two way authentication using SSL, then you have to write the
> > > code that reads the client's certificate and matches it with one present in
> > > client keystore on the server. You enable client authentication in
> > > server.xml for this and specify the serverkeystore and password in it.
> > > Regards,
> > > Rommel Sharma.
> > >
> > > ----- Original Message -----
> > > From: "secam secam"
> > > To:
> > > Sent: Monday, February 23, 2004 3:30 PM
> > > Subject: tomcat certificate
> > >
> > > > hello,
> > > >
> > > > I'm a new user of tomcat.
> > > > Can Tomcat authenticate a user with a certificate?
> > > >
> > > > Thanks,
> > > > Secam
> > > >
> > > >
> > > > ---------------------------------
> > > > Yahoo! Mail: your free personal e-mail that follows you everywhere!
> > > > Create your Yahoo! Mail
> > >
> > > *********************************************************
> > > Disclaimer
> > >
> > > This message (including any attachments) contains
> > > confidential information intended for a specific
> > > individual and purpose, and is protected by law.
> > > If you are not the intended recipient, you should
> > > delete this message and are hereby notified that
> > > any disclosure, copying, or distribution of this
> > > message, or the taking of any action based on it,
> > > is strictly prohibited.
> > >
> > > *********************************************************
> > > Visit us at http://www.mahindrabt.com
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
>
> Idoia Murua Belacortu
> Dpto. de Sistemas de Información y Telecomunicaciones
> Information Systems & Telecommunications Dept.
> ROBOTIKER, Corporación Tecnológica TECNALIA.
> Parque Tecnológico, Edificio 202. E-48170 Zamudio (Bizkaia) (SPAIN).
> Tel:  (34) 94 600 22 66. Fax: (34) 94 600 22 99
> [EMAIL PROTECTED], www.robotiker.com
>
> "This e-mail contains proprietary information some or all of which may be
> legally protected. It is for sole use of the intended recipient only. If
> you have received this message by mistake, you are requested to notify the
> e-mail sender and erase both the message and any copies from your system,
> including hard disk copies. You are further requested to refrain from
> using, distributing to third parties, printing or making copies of any
> parts of this message".



Idoia Murua Belacortu
Dpto. de Sistemas de Información y Telecomunicaciones
Information Systems & Telecommunications Dept.
ROBOTIKER, Corporación Tecnológica TECNALIA.
Parque Tecnológico, Edificio 202. E-48170 Zamudio (Bizkaia) (SPAIN).
Tel:  (34) 94 600 22 66. Fax: (34) 94 600 22 99
[EMAIL PROTECTED], www.robotiker.com
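
The MalformedObjectNameException reported at the top of this message is raised when a JMX ObjectName is built, because an unquoted property value may not contain '=' or ','. The following is an added example, not part of the original thread and not Tomcat's own code; the "Users:type=User,username=" prefix is an assumed name layout used only for illustration.

```java
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;

public class DnObjectNameDemo {
    // Hypothetical MBean name prefix; the names Tomcat really registers may differ.
    static final String PREFIX = "Users:type=User,username=";

    // Try to build a JMX ObjectName whose "username" key holds the given value.
    static String check(String value) {
        try {
            ObjectName name = new ObjectName(PREFIX + value);
            String stored = name.getKeyProperty("username");
            // Quoted values come back with their quotes; unquote() restores the text.
            if (stored.startsWith("\"")) {
                stored = ObjectName.unquote(stored);
            }
            return "accepted: " + stored;
        } catch (MalformedObjectNameException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // The subject DN from the tomcat-users.xml entry quoted in this thread.
        String dn = "CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB";

        // 1. Raw DN: '=' and ',' are key/value delimiters in an ObjectName.
        System.out.println(check(dn));
        // 2. Backslash before '=': the value is still unquoted, so still illegal.
        System.out.println(check(dn.replace("=", "\\=")));
        // 3. ObjectName.quote() wraps the value in double quotes, inside which
        //    '=', ',' and ':' are allowed.
        System.out.println(check(ObjectName.quote(dn)));
        // 4. A plain login name needs no quoting.
        System.out.println(check("tomcat"));
    }
}
```

Cases 1 and 2 correspond to the two username forms tried in the message; only the quoted form in case 3 yields a legal ObjectName.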
