That's what I thought.  I'm not using Tomcat with Apache/IIS/SunONE, but
rather standalone.  

You mentioned that I need to be using the MemoryRealm.  I looked in my
server.xml file and found the following lines .. which would seem to
indicate that the UserDatabaseRealm is being used instead of the MemoryRealm
..

<Realm className="org.apache.catalina.realm.UserDatabaseRealm" debug="99" 
       resourceName="UserDatabase" validate="true"/>

Should this be changed to look like the following?  

<Realm className="org.apache.catalina.realm.MemoryRealm" debug="99" 
       resourceName="UserDatabase" validate="true"/>

One other question..  In the web.xml file, there is a <login-config> element
that may contain an optional <realm-name>.  Must I specify the <realm-name>
in my <login-config> and if so, what name do I use?  Should it be whatever
appears in the resourceName attribute of the <Realm> element in the
server.xml file?

    <login-config> 
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name></realm-name>
    </login-config>

Thanks,

Pat
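Added example, not from any of the posts above: a stdlib-only Python lint that applies the advice in this thread to constructed copies of the three files. It flags a Realm that is not MemoryRealm, checks that the auth-method is CLIENT-CERT, and flags DN-style usernames whose whitespace was mangled (a line break inside the attribute turns into a run of spaces after XML attribute normalisation), since the realm looks the certificate Subject up by the username string. The file contents and the e-mail address are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

MEMORY_REALM = "org.apache.catalina.realm.MemoryRealm"

# Constructed samples modelled on the fragments quoted in the thread
# (the e-mail address is a placeholder, not a real identity).
SERVER_XML = """<Server><Service><Engine>
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" debug="99"
         resourceName="UserDatabase" validate="true"/>
</Engine></Service></Server>"""

WEB_XML = """<web-app><login-config>
  <auth-method>CLIENT-CERT</auth-method><realm-name></realm-name>
</login-config></web-app>"""

USERS_XML = """<tomcat-users>
  <role rolename="user" description="Authenticated User"/>
  <user username="administrator" password="password" roles="admin,manager"/>
  <user username="EMAILADDRESS=pat@example.invalid, CN=Thawte Freemail
        Member" password="null" roles="user"/>
</tomcat-users>"""


def check_realm(server_xml):
    """Every <Realm> must be MemoryRealm for CLIENT-CERT (per the thread)."""
    return [f"Realm {r.get('className')} is not {MEMORY_REALM}"
            for r in ET.fromstring(server_xml).iter("Realm")
            if r.get("className") != MEMORY_REALM]


def check_login_config(web_xml):
    """<auth-method> must be CLIENT-CERT; <realm-name> is left alone."""
    methods = [m.text.strip() for m in ET.fromstring(web_xml).iter("auth-method") if m.text]
    return [] if "CLIENT-CERT" in methods else [f"auth-method is {methods}, not CLIENT-CERT"]


def check_cert_users(users_xml):
    """Flag DN usernames whose whitespace will never equal a real Subject DN."""
    findings = []
    for u in ET.fromstring(users_xml).iter("user"):
        name = u.get("username", "")
        if "CN=" not in name:
            continue  # password users, not certificate-mapped
        if name != name.strip() or re.search(r"\s{2,}", name):
            findings.append(f"DN username has mangled whitespace: {name!r}")
    return findings


def lint(server_xml=SERVER_XML, web_xml=WEB_XML, users_xml=USERS_XML):
    return check_realm(server_xml) + check_login_config(web_xml) + check_cert_users(users_xml)
```

Run against the constructed samples, lint() reports the UserDatabaseRealm and the wrapped DN username and nothing else.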

-----Original Message-----
From: Bill Barker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 23, 2003 11:08 PM
To: [EMAIL PROTECTED]
Subject: Re: HELP! Client Authentication in Tomcat 4.1.24


Bug #15790 is only if you are fronting Tomcat with Apache/IIS/SunONE.  If
you are using the stand-alone connector, it doesn't apply.  I'm guessing
that this isn't your problem, since you'd get a different error.

To use this setup, you need to be using MemoryRealm.  The default
DataSourceRealm doesn't handle CLIENT-CERT authentication.  When I'm testing
this, I usually get rid of the '<Resource name="UserDatabase" ...>', since
it has a bad habit of messing up cert subjects when it re-saves the file
:-).

With 4.1.26, if you enable TRACE logging, it will print the cert out to the
log (I use this to cut-and-paste the Subject to tomcat-users.xml).  If you
have log4j in common/lib, then add:
   log4j.logger.org.apache.tomcat.util.net.jsse=TRACE
to your log4j.properties.

"Farrell, Patrick" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
..
> Thanks,
>
> I had seen the bug you are referring to, but didn't think that this was my
> problem since I don't see that exception anywhere.  Is there anywhere that I
> may look to find that exception just to ensure that this is truly my
> problem?
>
> Pat
>
> -----Original Message-----
> From: Jay Garala [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 23, 2003 1:44 PM
> To: 'Tomcat Users List'
> Subject: RE: HELP! Client Authentication in Tomcat 4.1.24
>
>
> This is the part you were missing.  Unfortunately, the handling of Client
> certs in the Jk-Coyote connector is broken in 4.1.24 (see
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15790).
>
> Wait for 4.1.26 or grab alpha from CVS
>
> -----Original Message-----
> From: Farrell, Patrick [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 23, 2003 1:02 PM
> To: '[EMAIL PROTECTED]'
> Subject: HELP! Client Authentication in Tomcat 4.1.24
>
>
> I am attempting to use client certificate authentication with Tomcat 4.1.24,
> but each time I connect via a browser (Internet Explorer) Tomcat indicates
> that it is unable to authenticate with the provided credentials.
>
> My client certificate is a personal certificate from Thawte.  The
> corresponding root certificate already exists in my truststore.
>
> Shown below is my tomcat-users.xml file.
>
> <?xml version='1.0' encoding='utf-8'?>
> <tomcat-users>
>   <role rolename="user" description="Authenticated User"/>
>   <role rolename="manager" description="Tomcat Manager"/>
>   <role rolename="admin" description="Tomcat Administrator"/>
>   <user username="administrator" password="password" roles="admin,manager"/>
>   <user username="[EMAIL PROTECTED], CN=Thawte Freemail Member" password="null" roles="user"/>
> </tomcat-users>
>
> Must I do anything with the client certificate in order for the server to
> trust it, or does the server simply grab the DN from the certificate and
> look in the realm for a user with the corresponding DN?
>
> Does anyone have any information or links on how to configure tomcat users
> with client authentication?
>
> Pat
>
> ***********************************************************************
> This message is intended only for the use of the intended recipient and
> may contain information that is PRIVILEGED and/or CONFIDENTIAL.  If you
> are not the intended recipient, you are hereby notified that any use,
> dissemination, disclosure or copying of this communication is strictly
> prohibited.  If you have received this communication in error, please
> destroy all copies of this message and its attachments and notify us
> immediately.
> ***********************************************************************
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>