Hi All,

I tried to configure my webapp to authenticate users by the CLIENT-CERT auth method. My first test used UserDatabaseRealm and added the client cert DN to tomcat-users.xml; everything works great. However, when I tried to use JAASRealm, it fails even though my custom LoginModule always returns true for any username.
To verify my LoginModule, I tried using "BASIC" to authenticate users. My LoginModule is called and successfully authenticates any input. After studying the Tomcat 5.5.20 source, I found that the problem is caused by RealmBase.java and JAASRealm.java. In RealmBase, for CLIENT-CERT, SSLAuthenticator calls:

    public Principal authenticate(X509Certificate certs[]);

and it only validates the certs and then calls getPrincipal(certs[0]) to get the Principal. However, JAASRealm doesn't override this function, and its getPrincipal function always returns null. In my case I can't use another type of Realm because only the CA's DN is known; I can't insert every user cert's DN into tomcat-users.xml before the server starts. Is there any suggestion how to implement CLIENT-CERT authentication without knowing the client cert's DN?

Thanks
Butler

In server.xml:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true" debug="99"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="conf/server.ks" truststoreFile="conf/trust.ks" />

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="Tomcat"
           userClassNames="test.UserPrincipal"
           roleClassNames="test.RolePrincipal"
           useContextClassLoader="false" />

In web.xml:

    <security-role>
      <role-name>cert</role-name>
    </security-role>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Test</web-resource-name>
        <url-pattern>/test/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>cert</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>
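The gap Butler describes (RealmBase.authenticate(X509Certificate[]) validating the chain and then calling a getPrincipal that JAASRealm leaves returning null) can be closed from outside Tomcat by subclassing JAASRealm. The following is an added example, not Butler's code and not part of Tomcat; the class names CertJAASRealm, CertLoginModule, CertUserPrincipal and CertRolePrincipal and the "requiredSuffix" option are hypothetical. It assumes Tomcat 5.5's JAASRealm.authenticate(String, String) tolerates a null credential (its callback handler hands the LoginModule an empty password) and that the web app's login-config is CLIENT-CERT only, so the only name the module ever receives is the subject DN of a certificate the connector has already validated against trust.ks.

```java
// --- test/CertJAASRealm.java (hypothetical; not Tomcat's own code) ---
package test;

import java.security.Principal;
import org.apache.catalina.realm.JAASRealm;

/* RealmBase.authenticate(X509Certificate[]) rejects an empty chain, checks validity
 * dates, then calls getPrincipal(subjectDN); stock JAASRealm returns null there.
 * This subclass runs the ordinary JAAS login on the DN instead. */
public class CertJAASRealm extends JAASRealm {
    protected Principal getPrincipal(String username) {
        // Assumption: a null credential reaches the LoginModule as an empty password.
        return authenticate(username, null);
    }
}

// --- test/CertLoginModule.java (hypothetical) ---
package test;

import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/* Maps an already-verified subject DN to a user principal plus the "cert" role. No
 * password is checked: trust comes from the TLS handshake against trust.ks, and the
 * optional "requiredSuffix" option narrows which subjects under that CA get the role. */
public class CertLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String requiredSuffix;
    private Principal user, role;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        this.subject = subject;
        this.handler = handler;
        this.requiredSuffix = (String) options.get("requiredSuffix"); // hypothetical option
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("subject DN");
        try {
            handler.handle(new Callback[] { nc });
        } catch (IOException e) {
            throw new LoginException(e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        String dn = nc.getName();
        if (dn == null || dn.length() == 0)
            throw new FailedLoginException("no subject DN presented");
        // Namespace check, e.g. requiredSuffix=",OU=Staff,O=Example,C=US" (constructed value)
        if (requiredSuffix != null
                && !dn.toUpperCase().endsWith(requiredSuffix.toUpperCase()))
            throw new FailedLoginException("subject outside permitted namespace: " + dn);
        user = new CertUserPrincipal(dn);
        role = new CertRolePrincipal("cert");   // matches <role-name>cert</role-name>
        return true;
    }

    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(user);
        subject.getPrincipals().add(role);
        return true;
    }

    public boolean abort() { user = null; role = null; return true; }

    public boolean logout() {
        subject.getPrincipals().remove(user);
        subject.getPrincipals().remove(role);
        return true;
    }
}

// --- test/CertUserPrincipal.java and test/CertRolePrincipal.java (hypothetical) ---
package test;

public class CertUserPrincipal implements java.security.Principal {
    private final String name;
    public CertUserPrincipal(String n) { name = n; }
    public String getName() { return name; }
    public boolean equals(Object o) { return o instanceof CertUserPrincipal && name.equals(((CertUserPrincipal) o).name); }
    public int hashCode() { return name.hashCode(); }
}

public class CertRolePrincipal implements java.security.Principal {
    private final String name;
    public CertRolePrincipal(String n) { name = n; }
    public String getName() { return name; }
    public boolean equals(Object o) { return o instanceof CertRolePrincipal && name.equals(((CertRolePrincipal) o).name); }
    public int hashCode() { return name.hashCode(); }
}
```

To wire it in, point the Realm at the subclass (className="test.CertJAASRealm", userClassNames="test.CertUserPrincipal", roleClassNames="test.CertRolePrincipal", keeping appName="Tomcat") and give the JAAS configuration an entry such as `Tomcat { test.CertLoginModule required requiredSuffix=",O=Example"; };` (constructed suffix). Requests that present no certificate never reach the module: with clientAuth="want" the handshake completes without one, and RealmBase.authenticate returns null for an empty chain, so the constraint still denies access.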