-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Andrew,
On 12/1/14 2:33 PM, Andrew Gronosky wrote:
> Hello,
>
> I am trying to set up client-certificate authentication for Tomcat
> 7.0.57. I have read the basics in the docs and I have my
> configuration working up to a point.
>
> My problem is that Tomcat accepts the client's connection, but
> returns HTTP status 401 for pages the user is supposed to be
> authorized to access.
>
> I am confident the certificates and key store etc. are set up
> properly because the TLS connection works with a trusted client
> certificate and not with an untrusted one. :-)
>
> Some relevant snippets from the configuration files:
>
> web.xml from my web app divides the web resources into several
> collections, one of which requires no authentication at all and
> others require the user to belong to a particular role. For
> example:
>
> <security-constraint> <web-resource-collection>
> <web-resource-name>Public Interface</web-resource-name>
> <url-pattern>/index.html</url-pattern> ... etc ...
> </web-resource-collection> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint> </security-constraint>
>
>
> <security-constraint> <web-resource-collection>
> <web-resource-name>Administrator Only</web-resource-name>
> <url-pattern>/admin.html</url-pattern> ... etc ...
> </web-resource-collection> <auth-constraint>
> <role-name>administrator</role-name> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint> </security-constraint>
>
> The Connector is set up in server.xml as:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> clientAuth="true" maxThreads="150" scheme="https" secure="true"
> keystoreFile="${catalina.home}/conf/testServer.jks"
> keystorePass="changeit"
> truststoreFile="${catalina.home}/conf/truststore.jks"
> truststorePass="changeit" sslProtocol="TLSv1.2" />
>
> And finally, my Realm is a UserDatabaseRealm: <Realm
> className="org.apache.catalina.realm.UserDatabaseRealm"
> resourceName="UserDatabase" digest="sha"/>
>
> tomcat-users.xml looks something like this:
>
> <tomcat-users> <role rolename="user" /> <!-- System administrators
> --> <role rolename="administrator" /> <!-- System administrators
> --> <user username="testClient_1" password="****redacted***"
> roles="user" /> <user username="testClient_2"
> password="****redacted***" roles="administrator" />
> </tomcat-users>
>
> Again, the symptom I am seeing is that a browser with the
> testClient_2 certificate installed can connect to the web app and
> access index.html, but gets an HTTP 401 error trying to access
> admin.html.
>
> Does anyone have suggestions what I might be overlooking or how I
> could isolate the cause?
What do the CNs look like for your client certs?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJUfMwkAAoJEBzwKT+lPKRYVjMP/28BYJZV9d5yWDfwIE5yxFAQ
RvNGsIH+cbS7Oq0XKLkAImQiiNxWl02kWGEgK4WgmWcXHfMQS+MC4GjGplEUmMts
cpBjCp0gad0yQ95pG62Xna1EoeVpkkOTuLFfr08Rp1YFgkTNiXLFLvoeFNKf1WqL
8y6RsslGGLHJQIPs3WkXM+s9PiO0ylDxBjoxUZpjJ8A+Dn7KtO1A5OuMoWKK2l9g
C8RzGYvblGnZNJtkmgQcuc6P9f3geug0zXsvS1uRY3kohIXREtEq2hPxYEaqh+Dh
lHoliseJPqaSDX6VKxiGJxMk5CmdHouFq3xdGqU3B2/OeUV5koLbc1IsaLlrg5LN
pY+GiieaHvZAENd/8k7XhfVT9p5zneHyfOPFarRJbdvbbUfPw0lEjdR8td8LG/rQ
5t3Dh21pasGh5HU3wRMWB/3I+RifpNt/dC8DpLf6KqSITpXXNsPK0l/26kdrT9z4
aigdbAIXJPQDIAFYwLZjtva3WfgOOr/2j3d19Ggob4EdyS1N24AG8NWoV62FaRH/
lwsfQR9KCg1JFDx4bCm/6tX9x0M/0TcIp6xoQBLWkddZR+Mz6QNzffA/JKIPNIfb
ef5TQCymlpHQzEAGhLMXkkmpGixPFyT4lBzoHp/uWZPCYHTqJkRlKrFpp5wvvQnb
ZbZWjop0fNM/tuAv+Gx2
=japw
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
