You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Miguel A Paraz <mp...@mparaz.com> on 2003/12/22 10:50:22 UTC
Specifying X.509 DN's in tomcat-users.xml
Hi,
From:
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg109699.html
On Tue, 11 Nov 2003, Bill Barker wrote:
> At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the
> Tomcat ships-with Realms). There are patches for JNDIRealm and JDBCRealm
> floating around in Bugzilla, that should be fine if you are using Sun's JVM.
> (The Sun dependencies are basically why they are still floating :).
>
> Once you have enabled MemoryRealm (and, for versions < 4.1.29, disable the
> default DataSource), then the 'username' in tomcat-users.xml is the cert's
> DN (aka Subject). The password can be anything you want (it is ignored for
> CLIENT-CERT auth).
I tried this like:
<user username="/C=PH/ST=NCR/L=Pasig/O=mparaz.com/OU=personal/CN=Miguel A Paraz/emailAddress=mparaz@mparaz.com" password="ignored" roles="role1"/>
But UserRealm doesn't like it. I tried URL-escaping the '=' to '%3D' but it
was ignored. Does anyone have a working sample? Thanks!
SEVERE: Exception creating UserDatabase MBeans for UserDatabase
javax.management.MalformedObjectNameException: Invalid character '=' in value pa
rt of property
at javax.management.ObjectName.construct(ObjectName.java:563)
at javax.management.ObjectName.<init>(ObjectName.java:1300)
at org.apache.catalina.mbeans.MBeanUtils.createObjectName(MBeanUtils.jav
a:1520)
at org.apache.catalina.mbeans.MBeanUtils.createMBean(MBeanUtils.java:783
)
at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBe
ans(GlobalResourcesLifecycleListener.java:280)
at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBe
ans(GlobalResourcesLifecycleListener.java:210)
at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBe
ans(GlobalResourcesLifecycleListener.java:172)
at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.lifecycle
Event(GlobalResourcesLifecycleListener.java:144)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(Lifecycl
eSupport.java:166)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:233
6)
at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: X.509 DN's in tomcat-users.xml / MalformedObjectNameException
Posted by Miguel A Paraz <mp...@mparaz.com>.
On Tue, Dec 23, 2003 at 10:17:27PM -0800, Bill Barker wrote:
> Read again: "At the moment, only MemoryRealm supports CLIENT-CERT auth".
> What part of this don't you understand?
OK, my typo. When I said:
> > But UserRealm doesn't like it. I tried URL-escaping the '=' to '%3D' but
I meant MemoryRealm, so I entered this into tomcat-users.xml:
<user username="/C=PH/ST=NCR/L=Pasig/O=mparaz.com/OU=personal/CN=Miguel A Paraz/emailAddress=mparaz@mparaz.com"
password="ignored"
roles="role1"/>
Where the username attribute comes from the DN of the OpenSSL-generated
certificate.
The heart of my question - and the original poster's - would be how to deal
with the javax.management.MalformedObjectNameException that comes from
having '=' characters in the username.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Specifying X.509 DN's in tomcat-users.xml
Posted by Bill Barker <wb...@wilshire.com>.
Read again: "At the moment, only MemoryRealm supports CLIENT-CERT auth".
What part of this don't you understand?
"Miguel A Paraz" <mp...@mparaz.com> wrote in message
news:20031222095022.GI14692@techscene.com...
> Hi,
> From:
> http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg109699.html
>
> On Tue, 11 Nov 2003, Bill Barker wrote:
>
> > At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from
the
> > Tomcat ships-with Realms). There are patches for JNDIRealm and
JDBCRealm
> > floating around in Bugzilla, that should be fine if you are using Sun's
JVM.
> > (The Sun dependencies are basically why they are still floating :).
> >
> > Once you have enabled MemoryRealm (and, for versions < 4.1.29, disable
the
> > default DataSource), then the 'username' in tomcat-users.xml is the
cert's
> > DN (aka Subject). The password can be anything you want (it is ignored
for
> > CLIENT-CERT auth).
>
> I tried this like:
> <user username="/C=PH/ST=NCR/L=Pasig/O=mparaz.com/OU=personal/CN=Miguel A
Paraz/emailAddress=mparaz@mparaz.com" password="ignored" roles="role1"/>
>
> But UserRealm doesn't like it. I tried URL-escaping the '=' to '%3D' but
it
> was ignored. Does anyone have a working sample? Thanks!
>
> SEVERE: Exception creating UserDatabase MBeans for UserDatabase
> javax.management.MalformedObjectNameException: Invalid character '=' in
value pa
> rt of property
> at javax.management.ObjectName.construct(ObjectName.java:563)
> at javax.management.ObjectName.<init>(ObjectName.java:1300)
> at
org.apache.catalina.mbeans.MBeanUtils.createObjectName(MBeanUtils.jav
> a:1520)
> at
org.apache.catalina.mbeans.MBeanUtils.createMBean(MBeanUtils.java:783
> )
> at
org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBe
> ans(GlobalResourcesLifecycleListener.java:280)
> at
org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBe
> ans(GlobalResourcesLifecycleListener.java:210)
> at
org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBe
> ans(GlobalResourcesLifecycleListener.java:172)
> at
org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.lifecycle
> Event(GlobalResourcesLifecycleListener.java:144)
> at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(Lifecycl
> eSupport.java:166)
> at
org.apache.catalina.core.StandardServer.start(StandardServer.java:233
> 6)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:39)
> at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:324)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org