Posted to dev@tomcat.apache.org by Kevin Seguin <se...@motive.com> on 2001/08/23 23:11:36 UTC
tomcat 4 and CLIENT-CERT auth (maybe) not working properly
when i attempt to use CLIENT-CERT auth with the tomcat 4 manager webapp,
tomcat appears to still be looking for basic auth credentials.
for example, if i change web.xml in the manager webapp to look like this:
--- snip ---
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
--- end snip ---
and configure an ssl connector along with my keystore, then try to access
the manager app from a client, i get a 401:
HTTP/1.1 401 Cannot authenticate with the provided credentials
Content-Type: text/html
Date: Thu, 23 Aug 2001 20:46:21 GMT
Server: Apache Tomcat/4.0-b8-dev (HTTP/1.1 Connector)
Connection: close
Connection: close
<html>
<head>
<title>Tomcat Error Report</title>
<br><br>
<h1>HTTP Status
401 - Cannot authenticate with the provided credentials</h1>
</body>
</html>
two messages appear to show up in the log when i send the request:
2001-08-23 16:09:14 CertificatesValve[/manager]: verify: SSLPeerUnverifiedException
2001-08-23 16:09:15 CertificatesValve[/manager]: expose: Exposing converted certificates
which, from looking through CertificatesValve.java, seems to indicate that
the client cert chain was properly verified.
from reading the servlet spec, it seems that using CLIENT-CERT should not
require me to do basic auth as well. did i read the spec wrong, or is this
a tomcat 4 bug?
thanks,
-kevin.
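
Added example, not part of the original post and not Tomcat's own code: a diagnostic servlet that reports whether a client certificate chain actually reached the request, which separates a TLS-layer problem (no verified peer certificate) from a realm or role-mapping problem behind a CLIENT-CERT 401. The class name ClientCertProbe is hypothetical, and it assumes the servlet is mapped to a URL outside the security-constraint on the same SSL connector and that the container exposes the certificate attribute there.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet (added example). Map it to a URL that is
// NOT covered by the <security-constraint>, otherwise the 401 is returned
// before this code runs.
public class ClientCertProbe extends HttpServlet {

    // Request attribute name defined by the servlet specification for the
    // client certificate chain of an SSL request.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // On an unprotected URL no login is performed, so authType and
        // remoteUser are expected to be null; they are printed for reference.
        out.println("secure=" + req.isSecure());
        out.println("authType=" + req.getAuthType());
        out.println("remoteUser=" + req.getRemoteUser());

        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])
                || ((X509Certificate[]) attr).length == 0) {
            // Nothing was exposed: the TLS handshake did not yield a verified
            // peer certificate, so CLIENT-CERT login has no credentials to use.
            out.println("result=NO_CLIENT_CERT (check connector client-auth"
                    + " settings and the client's key/trust configuration)");
            return;
        }

        // A chain is present: print what the container would hand to the realm.
        X509Certificate[] chain = (X509Certificate[]) attr;
        for (int i = 0; i < chain.length; i++) {
            out.println("cert[" + i + "].subject="
                    + chain[i].getSubjectX500Principal().getName());
            out.println("cert[" + i + "].issuer="
                    + chain[i].getIssuerX500Principal().getName());
            out.println("cert[" + i + "].notAfter=" + chain[i].getNotAfter());
        }
        // With a chain present, a 401 on the protected URL points at the
        // realm's certificate-to-user mapping or the required role instead.
        out.println("result=CLIENT_CERT_PRESENT");
    }
}
```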