No, because I want the certificate to be
required ONLY when I access some pages.
In fact, this is how it works now, but sometimes
the method getAttribute("javax.servlet.request.X509Certificate")
returns null.

Finally, I store the certificate in the session and get it
from there when I need it.

thanks,

  Luis

ahuelsing wrote:
Hi,

you have to set clientAuth="true"

andreas

Luis Pascual Forner wrote:
Thanks, Bill,
I use the JIO connector.
This is my server.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8006" shutdown="SHUTDOWN">

  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

  <GlobalNamingResources>

    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved"
           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />

  </GlobalNamingResources>

  <Service name="Catalina">

    <Connector port="8081" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
               acceptCount="100" clientAuth="false" disableUploadTimeout="true"
               keystoreFile="/XXXXXXXXX/xxxxx.p12" keystorePass="XXXXXX"
               keystoreType="PKCS12"
               truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts" truststorePass="XXXXXXX"
               truststoreType="JKS"/>

    <Connector port="8010"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

    <Engine name="Catalina" defaultHost="localhost">


      <Realm className="com.ival.tomcat.X509Realm" debug="0" />

      <Host name="localhost" appBase="webapps"
       unpackWARs="true" autoDeploy="true"
       xmlValidation="false" xmlNamespaceAware="false">

      <Context docBase="cavi" path="/cavi" reloadable="true" />
      <Context docBase="x509" path="/x509" reloadable="true" allowLinking="true" />

      </Host>

    </Engine>

  </Service>

</Server>



Bill Barker wrote:
"Luis Pascual Forner" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Hi,

  I need to authenticate ONLY with a client certificate (i.e., I don't want
to check any user database). I did the following:

  1. I wrote an "X509Realm", with a method "authenticate" that
     only checks the validity of each certificate in the
     certification chain (it doesn't check whether the user exists in
     any database).
  2. Declared this new class in
     "org/apache/catalina/realm/mbeans-descriptors.xml" and
     "org/apache/catalina/mbeans/mbeans-descriptors.xml".
  3. Edited "server.xml" and configured the realm.
  4. Edited "web.xml" to set the auth-method to "CLIENT-CERT".
  5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
     "server/classes", with the correct path.
  6. Restarted Tomcat.

  Now I can authenticate with an X509 certificate and get the
client certificate with
getAttribute("javax.servlet.request.X509Certificate"). But
sometimes this method returns null. Why?


That almost certainly means that the client didn't send a cert. But more info on your setup would get a better response. For example, are you using the APR or the JIO connector?

regards

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
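Luis's workaround above (read the request attribute once, keep the chain in the session, and fall back to it on later requests where Tomcat hands back null) as an added example in Java; this is not code from the thread. The servlet Filter, the class name and the session key are assumptions; the only Tomcat name taken from the thread is the request attribute.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter (not from the thread): caches the client certificate
// chain in the session so a later request with a null attribute is still recognised.
public class ClientCertSessionFilter implements Filter {
    // Attribute Tomcat sets when the TLS layer received a client certificate.
    static final String REQ_ATTR = "javax.servlet.request.X509Certificate";
    // Session key name is our own choice (assumption).
    static final String SESSION_KEY = "cached.client.cert.chain";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(REQ_ATTR);
        if (certs != null && certs.length > 0) {
            // Fresh chain from the connector: remember it for later requests.
            session.setAttribute(SESSION_KEY, certs);
        } else {
            // Null means the connector gave us no certificate on this request
            // (the client did not send one); fall back to the cached chain.
            certs = (X509Certificate[]) session.getAttribute(SESSION_KEY);
        }

        if (certs == null || !withinValidity(certs)) {
            // No usable certificate on this or any earlier request: refuse.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "valid client certificate required");
            return;
        }
        chain.doFilter(req, res);
    }
    // Every certificate in the chain must be inside its notBefore/notAfter window.
    static boolean withinValidity(X509Certificate[] chain) {
        try {
            for (X509Certificate c : chain) c.checkValidity();
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }
}
```

Once the chain is cached, the session id stands in for the certificate on every later request, so the session should only ever be created over HTTPS and must be invalidated on logout.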