Posted to users@tomcat.apache.org by Miguel A Paraz <mp...@mparaz.com> on 2003/12/22 10:50:22 UTC

Specifying X.509 DN's in tomcat-users.xml

Hi,
From:
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg109699.html

On Tue, 11 Nov 2003, Bill Barker wrote:

> At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the
> Tomcat ships-with Realms).  There are patches for JNDIRealm and JDBCRealm
> floating around in Bugzilla, that should be fine if you are using Sun's JVM.
> (The Sun dependencies are basically why they are still floating :).
>
> Once you have enabled MemoryRealm (and, for versions < 4.1.29, disable the
> default DataSource), then the 'username' in tomcat-users.xml is the cert's
> DN (aka Subject).  The password can be anything you want (it is ignored for
> CLIENT-CERT auth).

I tried this like:
<user username="/C=PH/ST=NCR/L=Pasig/O=mparaz.com/OU=personal/CN=Miguel A Paraz/emailAddress=mparaz@mparaz.com" password="ignored" roles="role1"/>

But UserRealm doesn't like it.  I tried URL-escaping the '=' to '%3D' but it
was ignored. Does anyone have a working sample?  Thanks!

SEVERE: Exception creating UserDatabase MBeans for UserDatabase
javax.management.MalformedObjectNameException: Invalid character '=' in value part of property
        at javax.management.ObjectName.construct(ObjectName.java:563)
        at javax.management.ObjectName.<init>(ObjectName.java:1300)
        at org.apache.catalina.mbeans.MBeanUtils.createObjectName(MBeanUtils.java:1520)
        at org.apache.catalina.mbeans.MBeanUtils.createMBean(MBeanUtils.java:783)
        at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:280)
        at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:210)
        at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:172)
        at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.lifecycleEvent(GlobalResourcesLifecycleListener.java:144)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2336)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: X.509 DN's in tomcat-users.xml / MalformedObjectNameException

Posted by Miguel A Paraz <mp...@mparaz.com>.
On Tue, Dec 23, 2003 at 10:17:27PM -0800, Bill Barker wrote:
> Read again:  "At the moment, only MemoryRealm supports CLIENT-CERT auth".
> What part of this don't you understand?

OK, my typo.  When I said:

> > But UserRealm doesn't like it.  I tried URL-escaping the '=' to '%3D' but

I meant MemoryRealm, so I entered this into tomcat-users.xml:

<user username="/C=PH/ST=NCR/L=Pasig/O=mparaz.com/OU=personal/CN=Miguel A Paraz/emailAddress=mparaz@mparaz.com" 
  password="ignored" 
  roles="role1"/>

Where the username attribute comes from the DN of the OpenSSL-generated 
certificate.

The heart of my question - and the original poster's - would be how to deal
with the javax.management.MalformedObjectNameException that comes from
having '=' characters in the username.

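The exception in the thread is raised by JMX, not by the realm: when Tomcat registers each user of the UserDatabase as an MBean, the username becomes the value of a key property in a javax.management.ObjectName, and an unquoted value may not contain '='. The following is an added example, not code from the thread or from Tomcat, that reproduces the failure with the DN from the post and shows the JMX-level remedy, ObjectName.quote(). The name layout `Users:type=User,username=<name>` is an assumption for illustration (not taken from MBeanUtils), and quote/unquote require JMX 1.2 or later (bundled with Java 5).

```java
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;

public class DnObjectNameDemo {

    // Constructed sample: the subject DN quoted in the thread, as printed by OpenSSL.
    static final String DN =
        "/C=PH/ST=NCR/L=Pasig/O=mparaz.com/OU=personal/CN=Miguel A Paraz/emailAddress=mparaz@mparaz.com";

    // Assumed name layout for a user MBean (hypothetical, not Tomcat's actual format).
    static final String PREFIX = "Users:type=User,username=";

    // Builds the name the way the stack trace implies: value pasted in unquoted.
    // Throws MalformedObjectNameException for any value containing '=', ',', ':' or '"'.
    static ObjectName unquotedName(String username) throws MalformedObjectNameException {
        return new ObjectName(PREFIX + username);
    }

    // Builds the name with the value quoted; ObjectName.quote() wraps it in double quotes
    // and escapes '"', '\', '*', '?' and newline, so '=' and '/' become legal inside it.
    static ObjectName quotedName(String username) throws MalformedObjectNameException {
        return new ObjectName(PREFIX + ObjectName.quote(username));
    }

    public static void main(String[] args) throws Exception {
        try {
            unquotedName(DN);
            System.out.println("unexpected: unquoted name was accepted");
        } catch (MalformedObjectNameException e) {
            // Same message family as the SEVERE log line in the thread.
            System.out.println("unquoted: " + e.getMessage());
        }

        ObjectName ok = quotedName(DN);
        System.out.println("quoted:   " + ok);

        // The stored key property is the quoted form; unquote() recovers the original DN,
        // so the MBean name stays a faithful, lossless key for the certificate subject.
        String recovered = ObjectName.unquote(ok.getKeyProperty("username"));
        System.out.println("round-trip matches DN: " + recovered.equals(DN));
    }
}
```

The point for a deployer is that the quoting has to happen in the code that registers the MBean, since the realm compares the stored username against the certificate's DN as presented; altering the value in tomcat-users.xml (URL-escaping the '=' as in the post) changes what the realm compares against, so the login stops matching the certificate even though the MBean name would then parse.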


Re: Specifying X.509 DN's in tomcat-users.xml

Posted by Bill Barker <wb...@wilshire.com>.
Read again:  "At the moment, only MemoryRealm supports CLIENT-CERT auth".
What part of this don't you understand?

"Miguel A Paraz" <mp...@mparaz.com> wrote in message
news:20031222095022.GI14692@techscene.com...
> Hi,
> From:
> http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg109699.html
>
> On Tue, 11 Nov 2003, Bill Barker wrote:
>
> > At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the
> > Tomcat ships-with Realms).  There are patches for JNDIRealm and JDBCRealm
> > floating around in Bugzilla, that should be fine if you are using Sun's JVM.
> > (The Sun dependencies are basically why they are still floating :).
> >
> > Once you have enabled MemoryRealm (and, for versions < 4.1.29, disable the
> > default DataSource), then the 'username' in tomcat-users.xml is the cert's
> > DN (aka Subject).  The password can be anything you want (it is ignored for
> > CLIENT-CERT auth).
>
> I tried this like:
> <user username="/C=PH/ST=NCR/L=Pasig/O=mparaz.com/OU=personal/CN=Miguel A Paraz/emailAddress=mparaz@mparaz.com" password="ignored" roles="role1"/>
>
> But UserRealm doesn't like it.  I tried URL-escaping the '=' to '%3D' but it
> was ignored. Does anyone have a working sample?  Thanks!
>
> SEVERE: Exception creating UserDatabase MBeans for UserDatabase
> javax.management.MalformedObjectNameException: Invalid character '=' in value part of property
>         at javax.management.ObjectName.construct(ObjectName.java:563)
>         at javax.management.ObjectName.<init>(ObjectName.java:1300)
>         at org.apache.catalina.mbeans.MBeanUtils.createObjectName(MBeanUtils.java:1520)
>         at org.apache.catalina.mbeans.MBeanUtils.createMBean(MBeanUtils.java:783)
>         at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:280)
>         at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:210)
>         at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:172)
>         at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.lifecycleEvent(GlobalResourcesLifecycleListener.java:144)
>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:2336)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:324)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)
