Andrew,
On 12/1/14 2:33 PM, Andrew Gronosky wrote:
> Hello,
>
> I am trying to set up client-certificate authentication for Tomcat
> 7.0.57. I have read the basics in the docs and I have my
> configuration working up to a point.
>
> My problem is that Tomcat accepts the client's connection, but
> returns HTTP status 401 for pages the user is supposed to be
> authorized to access.
>
> I am confident the certificates and key store etc. are set up
> properly because the TLS connection works with a trusted client
> certificate and not with an untrusted one. :-)
>
> Some relevant snippets from the configuration files:
>
> web.xml from my web app divides the web resources into several
> collections, one of which requires no authentication at all and
> others require the user to belong to a particular role. For
> example:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Public Interface</web-resource-name>
>     <url-pattern>/index.html</url-pattern>
>     ... etc ...
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Administrator Only</web-resource-name>
>     <url-pattern>/admin.html</url-pattern>
>     ... etc ...
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>administrator</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> The Connector is set up in server.xml as:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>   clientAuth="true" maxThreads="150" scheme="https" secure="true"
>   keystoreFile="${catalina.home}/conf/testServer.jks"
>   keystorePass="changeit"
>   truststoreFile="${catalina.home}/conf/truststore.jks"
>   truststorePass="changeit" sslProtocol="TLSv1.2" />
>
> And finally, my Realm is a UserDatabaseRealm:
>
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>   resourceName="UserDatabase" digest="sha"/>
>
> tomcat-users.xml looks something like this:
>
> <tomcat-users>
>   <role rolename="user" />
>   <!-- System administrators -->
>   <role rolename="administrator" />
>   <!-- System administrators -->
>   <user username="testClient_1" password="****redacted***" roles="user" />
>   <user username="testClient_2" password="****redacted***" roles="administrator" />
> </tomcat-users>
>
> Again, the symptom I am seeing is that a browser with the
> testClient_2 certificate installed can connect to the web app and
> access index.html, but gets an HTTP 401 error trying to access
> admin.html.
>
> Does anyone have suggestions what I might be overlooking or how I
> could isolate the cause?

What do the CNs look like for your client certs?
-chris
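A small check, added here and not part of the thread, behind the question Chris asks: under Tomcat's default CLIENT-CERT handling the Realm is asked for a user whose name is the certificate's whole subject DN string, so an entry named just `testClient_2` is never found and the request ends in 401. The script parses a constructed tomcat-users.xml and constructed subject DNs (both assumptions modelled on the snippets above) and reports which certificates resolve to a user and with which roles, under the default full-DN lookup and under a CN-only lookup (which Tomcat does only with a custom X509UsernameRetriever configured on the Realm).

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml modelled on the one quoted above (assumption).
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="user"/>
  <role rolename="administrator"/>
  <user username="testClient_1" password="x" roles="user"/>
  <user username="CN=testClient_2, OU=Test, O=Example, C=US"
        password="x" roles="administrator"/>
</tomcat-users>"""

# Constructed subject DNs in the "CN=..., OU=..." form a JDK X500 name prints (assumption).
CLIENT_CERT_SUBJECTS = [
    "CN=testClient_1, OU=Test, O=Example, C=US",
    "CN=testClient_2, OU=Test, O=Example, C=US",
    "CN=Acme\\, Inc. Ops, O=Acme, C=US",  # escaped comma inside the CN
]

def load_users(xml_text):
    """Map username -> set of roles from a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): {r for r in u.get("roles", "").split(",") if r}
            for u in root.iter("user")}

def parse_dn(dn):
    """Split a DN string into (type, value) pairs, honouring backslash escapes."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [tuple(p.split("=", 1)) for p in rdns if "=" in p]

def resolve(subject_dn, users, mode="dn"):
    """Username the Realm is asked for and the roles found (None: no principal, HTTP 401).
    mode="dn" is Tomcat's default (whole subject DN); mode="cn" keeps only the CN,
    as a custom X509UsernameRetriever could return it."""
    name = subject_dn if mode == "dn" else dict(parse_dn(subject_dn)).get("CN")
    return name, users.get(name)
```

With the default lookup only the entry whose username is the full DN resolves; the CN-only mode shows why Chris asks what the CNs look like, and also why a CN alone is a weaker identifier than the whole DN when several CAs are trusted.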