CLIENT-CERT Authentication & JAASRealm not working

Wed, 17 Jan 2007 00:46:31 -0800 

Hi All,

I tried to config my webapp to authenticate user by CLIENT-CERT auth method.
my 1st test is using UserDatabaseRealm and add the client cert DN to
tomcat-user.xml. everything works great. However, when I tried to use
JAASRealm, it fail even my custom LoginModule always return true for
any username.

To verify my LoginModule, I tried to use "BASIC" to auth user. my
LoginModule is being called and successfully authenticate any input.

After studying Tomcat 5.5.20 source, I found that the problem is
caused by the RealmBase.java and JAASRealm.java.

In RealmBase, if CLIENT-CERT, SSLAuthenticator will call the :

    public Principal authenticate(X509Certificate certs[]);

and it will only validate the certs and then call
getPrincipal(certs[0]) to get the Principal. However, in JAASRealm, it
didn't override this function and the getPrincipal function always
return null.


For my case, I can't use other type of Realm coz' I only have the CA's
DN is known. I can't insert all user cert's DN to tomcat-user.xml
before server start. Is there any suggestion how to implements
CLIENT_CERT authentication without knowing client cert's DN?

Thanks
Butler



In server.xml :
   <Connector port="8443" maxHttpHeaderSize="8192"
              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true" debug="99"
              clientAuth="want" sslProtocol="TLS"
              keystoreFile="conf/server.ks"
              truststoreFile="conf/trust.ks"
              />


     <Realm className="org.apache.catalina.realm.JAASRealm"
            appName="Tomcat"
            userClassNames="test.UserPrincipal"
            roleClassNames="test.RolePrincipal"
            useContextClassLoader="false"
            />


in web.xml :

   <security-role>
       <role-name>cert</role-name>
   </security-role>

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Test</web-resource-name>
           <url-pattern>/test/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
           <role-name>cert</role-name>
       </auth-constraint>
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
   </login-config>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to