Posted to dev@tomcat.apache.org by Kevin Seguin <se...@motive.com> on 2001/08/23 23:11:36 UTC

tomcat 4 and CLIENT-CERT auth (maybe) not working properly

when i attempt to use CLIENT-CERT auth with the tomcat 4 manager webapp,
tomcat appears to still be looking for basic auth credentials.

for example, if i change web.xml in the manager webapp to look like this:

--- snip ---
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <!-- NOTE:  This role is not present in the default users file -->
       <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
--- end snip ---

and configure an ssl connector along with my keystore, then try to access
the manager app from a client, i get a 401:

HTTP/1.1 401 Cannot authenticate with the provided credentials
Content-Type: text/html
Date: Thu, 23 Aug 2001 20:46:21 GMT
Server: Apache Tomcat/4.0-b8-dev (HTTP/1.1 Connector)
Connection: close
Connection: close

<html>
<head>
<title>Tomcat Error Report</title>
<br><br>
<h1>HTTP Status 
401 - Cannot authenticate with the provided credentials</h1>
</body>
</html>

two messages appear to show up in the log when i send the request:

2001-08-23 16:09:14 CertificatesValve[/manager]:  verify:
SSLPeerUnverifiedException
2001-08-23 16:09:15 CertificatesValve[/manager]:  expose: Exposing converted
certificates

which, from looking through CertificatesValve.java, seems to indicate that
the client cert chain was properly verified.

from reading the servlet spec, it seems that using CLIENT-CERT should not
require me to do basic auth as well.  did i read the spec wrong, or is this
a tomcat 4 bug?

thanks,
-kevin.
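
An added example, not part of the original post and not Tomcat code: a small Python lint that parses the descriptor fragment quoted in the message and reports what it declares for CLIENT-CERT. The `<web-app>` wrapper, the function name `audit_descriptor` and the wording of the findings are assumptions made for this illustration; it expects a DTD-style descriptor without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Fragment from the post, wrapped in a <web-app> root (added here) so it parses.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>"""


def audit_descriptor(xml_text):
    """Return (summary, findings) for a namespace-free servlet descriptor."""
    root = ET.fromstring(xml_text)
    method = (root.findtext("login-config/auth-method") or "").strip()
    summary = {"auth_method": method, "constraints": []}
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern") if p.text]
        roles = [r.text.strip()
                 for r in sc.findall("auth-constraint/role-name") if r.text]
        # No <user-data-constraint> means no transport requirement is declared.
        transport = (sc.findtext("user-data-constraint/transport-guarantee")
                     or "NONE").strip()
        summary["constraints"].append(
            {"patterns": patterns, "roles": roles, "transport": transport})
        if method == "CLIENT-CERT" and transport != "CONFIDENTIAL":
            findings.append(f"{patterns}: CLIENT-CERT without transport-guarantee "
                            "CONFIDENTIAL; descriptor does not itself require TLS")
        if "*" in roles:
            # In the servlet spec, '*' is shorthand for all roles in the web app.
            findings.append(f"{patterns}: role-name '*' admits every role "
                            "declared for the web application")
    if method and not summary["constraints"]:
        findings.append("login-config present but no security-constraint uses it")
    return summary, findings


if __name__ == "__main__":
    for line in audit_descriptor(WEB_XML)[1]:
        print("finding:", line)
```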