You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by "Craig R. McClanahan" <Cr...@eng.sun.com> on 2001/01/12 17:59:56 UTC
Re: possible problem with CLIENT-CERT login and security constraint on
TOMCAT 4.0
jerome.camilleri@bull.net wrote:
>
> Hi,
>
> I try to configure TOMCAT server to authenticate client with certificate on
> HTTPS protocol.
>
> My connector is configure to accept request on 8443 port like this :
> <Connector className="org.apache.catalina.connector.http.HttpConnector"
> port="8443" minProcessors="5" maxProcessors="75"
> acceptCount="10" debug="0" scheme="https" secure="true">
> <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
> clientAuth="true" protocol="TLS" keystorePass="password1"/>
> </Connector>
>
> My tomcat-user.xml file is configured with a new entry that match the
> getSubjectDN().getName() of client certificat used :
> <tomcat-users>
> <user name="tomcat" password="tomcat" roles="tomcat" />
> <user name="role1" password="tomcat" roles="role1" />
> <user name="both" password="tomcat" roles="tomcat,role1" />
> <user name="OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel,
> O=frec.bull.fr" password="tomcat" roles="tomcat,role1" />
> </tomcat-users>
>
> I also uncomment the security constraint on my web.xml file like this
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>The Entire Web Application</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>tomcat</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> <realm-name>Tomcat Supported Realm</realm-name>
> </login-config>
>
> <security-role>
> <description>
> An example role defined in "conf/tomcat-users.xml"
> </description>
> <role-name>tomcat</role-name>
> </security-role>
>
> My problem is when I try to connect on my tomcat serveur I have always the
> same message :
> HTTP Error 403 - Forbidden
>
> Possibly reasons :
> I try to compare BASIC authenticator and CLIENT-CERT authenticator.
> * BasicAuthenticator class register an MemoryRealmPrincipal object return
> by the MemoryRealm class
> * SSLAuthenticator class register an Principal object with is simply
> return by certs[0].getSubjectDN() method (and has no role associated)
>
> When I modified a little bit the SSLAuthenticator class to find on the
> MemoryRealm the MemoryRealmPrincipal
> associated with the username = certs[0].getSubjectDN().getName() ( with no
> password) that seems run better...
>
> Excuse me, if it's a know limitation, a bug already know or a bad settings ...
>
>
>
> Jérôme
In order to use CLIENT-CERT authentication, you *must* set up a user in whatever
Realm is used for authentication, with a username equal to
certs[0].getSubjectDN(). This is needed for the following reasons:
* To know that this is a valid user for *this* application,
(not just that the certificate is valid)
* To know what roles are assigned to this user for
*this* application.
If you are using the default Realm implementation, this means you must add an
entry to $CATALINA_HOME/conf/tomcat-users.xml for this user.
Craig McClanahan