Problem solved.

The issue was tomcat-users.xml should contain the client's CN as the user name, like this:

<tomcat-users>
  <!-- the role attribute is "rolename", and its value must match the roles="" on the user -->
  <role rolename="secureconn" />
  <user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null" roles="secureconn"/>
</tomcat-users>

So Chris was definitely on the right track when he (I assume, maybe incorrectly, "Chris" is male) inquired about the CNs in my client certs.

Thanks again, Chris!

-Andrew Gronosky
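Added example (not from the thread, not Tomcat code): a small offline check that reproduces the two failure modes discussed above, a user name that does not match the certificate's subject DN exactly, and a role spelled differently in <role> and roles="". The DN string and the tomcat-users.xml are constructed samples in the format shown in this thread; Tomcat compares the user name as a plain string, so whitespace around the commas matters.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the subject DN Tomcat presents as the user name for a
# client certificate, written exactly as in the thread (", " separators).
CLIENT_DN = "CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN"

# Constructed tomcat-users.xml that still carries the "seureconn" typo.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="seureconn"/>
  <user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN"
        password="null" roles="secureconn"/>
  <user username="testClient_2" password="redacted" roles="administrator"/>
</tomcat-users>"""


def load_users(xml_text):
    """Return (declared role names, {username: set of granted roles})."""
    root = ET.fromstring(xml_text)
    declared = {r.get("rolename") for r in root.iter("role") if r.get("rolename")}
    users = {}
    for u in root.iter("user"):
        granted = {r.strip() for r in (u.get("roles") or "").split(",") if r.strip()}
        users[u.get("username")] = granted
    return declared, users


def normalize_dn(dn):
    """Compare RDNs ignoring whitespace around commas (no escaped-comma support)."""
    return [part.strip() for part in dn.split(",")]


def check_access(client_dn, xml_text, required_role):
    """Explain why a CLIENT-CERT user is denied a role-constrained URL, or 'ok'."""
    _, users = load_users(xml_text)
    if client_dn not in users:
        near = [u for u in users if normalize_dn(u) == normalize_dn(client_dn)]
        if near:
            return "no exact match; an entry differs only in whitespace"
        return "no user entry matches the certificate DN"
    if required_role not in users[client_dn]:
        return "user lacks role " + required_role
    return "ok"


def lint_roles(xml_text):
    """Roles granted to users but never declared, and declared but never granted."""
    declared, users = load_users(xml_text)
    granted = set().union(*users.values()) if users else set()
    return sorted(granted - declared), sorted(declared - granted)
```

lint_roles() surfaces the "seureconn"/"secureconn" mismatch directly, which is the kind of typo that is easy to miss by eye in a long DN-based user list.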




On 2014-12-01 15:14, Christopher Schultz wrote:

Andrew,

On 12/1/14 2:33 PM, Andrew Gronosky wrote:
Hello,

I am trying to set up client-certificate authentication for Tomcat
7.0.57. I have read the basics in the docs and I have my
configuration working up to a point.

My problem is that Tomcat accepts the client's connection, but
returns HTTP status 401 for pages the user is supposed to be
authorized to access.

I am confident the certificates and key store etc. are set up
properly because the TLS connection works with a trusted client
certificate and not with an untrusted one. :-)

Some relevant snippets from the configuration files:

web.xml from my web app divides the web resources into several
collections, one of which requires no authentication at all and
others require the user to belong to a particular role. For
example:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public Interface</web-resource-name>
    <url-pattern>/index.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>


<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrator Only</web-resource-name>
    <url-pattern>/admin.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The Connector is set up in server.xml as:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
clientAuth="true" maxThreads="150" scheme="https" secure="true"
keystoreFile="${catalina.home}/conf/testServer.jks"
keystorePass="changeit"
truststoreFile="${catalina.home}/conf/truststore.jks"
truststorePass="changeit" sslProtocol="TLSv1.2" />

And finally, my Realm is a UserDatabaseRealm:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" digest="sha"/>

tomcat-users.xml looks something like this:

<tomcat-users>
  <!-- System administrators -->
  <role rolename="user" />
  <!-- System administrators -->
  <role rolename="administrator" />
  <user username="testClient_1" password="****redacted***" roles="user" />
  <user username="testClient_2" password="****redacted***" roles="administrator" />
</tomcat-users>

Again, the symptom I am seeing is that a browser with the
testClient_2 certificate installed can connect to the web app and
access index.html, but gets an HTTP 401 error trying to access
admin.html.

Does anyone have suggestions what I might be overlooking or how I
could isolate the cause?

What do the CNs look like for your client certs?

-chris



--
Andrew Gronosky
Raytheon BBN Technologies
10 Moulton Street
Cambridge, MA 02138

voice: 617-873-3486