Posted to users@tomcat.apache.org by Christopher Williams <cc...@ntlworld.com> on 2003/10/01 17:13:14 UTC
SSL Client authentication woes
My setup:
Windows XP Pro
JDK 1.4.1
JWSDP 1.0
I'm hoping to get SSL client authentication working for web services. I set
up Tomcat for SSL ages ago and it works fine. However, I run into multiple
problems when I attempt to use SSL client authentication.
I have enabled client authentication by changing the value of "clientAuth"
in server.xml to true. I removed all <security-constraint> and
<login-config> entries from my web.xml as they didn't appear to have any
effect (question: am I right to do so? I've done my research on the web and
there are no consistent instructions for what to do).
When I access https://localhost:8443/ in Internet Explorer, I get notified
that a private key is being used and the server home page displays fine.
However, when I first access the page, the following stack trace appears on
Tomcat's console:
PoolTcpEndpoint: Handshake failed
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
...
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
... 7 more
ThreadPool: Caught exception executing
org.apache.tomcat.util.net.TcpWorkerThread@17748d3, terminating thread
java.lang.NullPointerException
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:512)
...
Does anybody know what the problem is here?
The second thing is, I want to know who's accessing pages and web services.
That's the whole point of authentication, right? However, when SSL client
authentication is in force, the following calls all return null:
request.getUserPrincipal()
request.getRemoteUser()
request.getAttribute("javax.servlet.request.X509Certificate")
request.getAttribute("org.apache.coyote.request.X509Certificate")
This seems most bizarre. At some point these calls must return non-null
values as they are used in
org.apache.catalina.authenticator.SSLAuthenticator. Does anybody know
whether there are any server settings to make these calls return the correct
values?
Ideally, I would like to have just one or two URL-patterns protected by SSL,
like you do with HTTP authentication rather than it being all or nothing.
Is this possible with Tomcat?
Kind regards,
Chris Williams.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: SSL Client authentication woes
Posted by Bill Barker <wb...@wilshire.com>.
"Christopher Williams" <cc...@ntlworld.com> wrote in message
news:09c101c3882e$89a8a570$6402a8c0@inmezzo.com...
> My setup:
> Windows XP Pro
> JDK 1.4.1
> JWSDP 1.0
>
> I'm hoping to get SSL client authentication working for web services. I set
> up Tomcat for SSL ages ago and it works fine. However, I run into multiple
> problems when I attempt to use SSL client authentication.
>
> I have enabled client authentication by changing the value of "clientAuth"
> in server.xml to true. I removed all <security-constraint> and
> <login-config> entries from my web.xml as they didn't appear to have any
> effect (question: am I right to do so? I've done my research on the web and
> there are no consistent instructions for what to do).
>
Tomcat currently has only very light support for this, but this is
orthogonal to your current problem.
> When I access https://localhost:8443/ in Internet Explorer, I get notified
> that a private key is being used and the server home page displays fine.
> However, when I first access the page, the following stack trace appears on
> Tomcat's console:
>
> PoolTcpEndpoint: Handshake failed
> javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
> ...
> Caused by: java.io.EOFException: SSL peer shut down incorrectly
> at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
> ... 7 more
> ThreadPool: Caught exception executing
> org.apache.tomcat.util.net.TcpWorkerThread@17748d3, terminating thread
> java.lang.NullPointerException
> at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:512)
> ...
>
> Does anybody know what the problem is here?
Tomcat obviously doesn't like your client-cert, or (more likely) you don't
have any. By default, only Verisign & Thawte signed client certs are
recognized (at least with Sun's JVM). If this is your problem, then you
need to set up a TrustStore (or import the signer into cacerts). Searching
the archives for 'TrustStore' will give you an answer faster than waiting on
me.
>
> The second thing is, I want to know who's accessing pages and web services.
> That's the whole point of authentication, right? However, when SSL client
> authentication is in force, the following calls all return null:
>
> request.getUserPrincipal()
> request.getRemoteUser()
> request.getAttribute("javax.servlet.request.X509Certificate")
> request.getAttribute("org.apache.coyote.request.X509Certificate")
>
> This seems most bizarre. At some point these calls must return non-null
> values as they are used in
> org.apache.catalina.authenticator.SSLAuthenticator. Does anybody know
> whether there are any server settings to make these calls return the correct
> values?
>
> Ideally, I would like to have just one or two URL-patterns protected by SSL,
> like you do with HTTP authentication rather than it being all or nothing.
> Is this possible with Tomcat?
>
This is in the FAQ.
> Kind regards,
>
> Chris Williams.
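An added example, not code from either message: a servlet filter that reads the client certificate chain Tomcat exposes under the standard "javax.servlet.request.X509Certificate" attribute and refuses the request when it is null, which is exactly what happens when the handshake in the thread fails because no trusted client certificate was presented. It assumes the Servlet 2.3 API and pre-generics Java of the JDK 1.4 era; the attribute names "clientCertSubject" and "clientCertIssuer" are hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread): rejects requests that arrive
 * without a client certificate and exposes the subject of the one
 * that was presented to downstream servlets and web services.
 */
public class ClientCertFilter implements Filter {
    // Standard attribute name defined by the Servlet specification.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The attribute is null when the request did not come over SSL, when
        // clientAuth is not in force on the connector, or when the handshake
        // did not complete with a certificate the TrustStore recognizes.
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "A trusted client certificate is required");
            return;
        }

        // certs[0] is the client's own certificate; any further entries are
        // the issuers it sent along with it. The handshake has already checked
        // the signature and validity period against the TrustStore.
        X509Certificate client = certs[0];
        // Hypothetical attribute names for the application's own use.
        request.setAttribute("clientCertSubject", client.getSubjectX500Principal().getName());
        request.setAttribute("clientCertIssuer", client.getIssuerX500Principal().getName());

        chain.doFilter(request, response);
    }
}
```

Map the filter only to the URL patterns that must require a certificate in web.xml, which gives the per-URL behaviour the original poster asked about without making the whole connector all or nothing at the application level.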