You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Chaitresh <ch...@hotmail.com> on 2001/12/29 00:41:08 UTC

CLIENT-CERT - How do I make it work????

Hi all,

Heres what I'm using:

OS: Win 2000
Tomcat version: 4
Client Browser: IE 5+


I am trying to protect a jsp/servlet resource in my website. I want to give access to the resource if the right certificate is provided by the user. Making a ssl connection with client authentication is not a problem. This is the part of my server.xml that allows ssl with client authentication:

---- snip begin [server.xml] -----

<Connector className="org.apache.catalina.connector.http.HttpConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory" clientAuth="true"  protocol="TLS"/>
</Connector>
    
---- snip end [server.xml] -----


So whenever I go to my webserver (https://localhost:8443") IE pops up a list of certificates that I can send back to the server. I select one of the many certificates that my website has given me and send it back to the server.


_Heres my problem_:

At the server I want to check the Common Name in the certificate sent by the client. I figured that I will be able to do so by getting the Principal via "request.getUserPrincipal()" and digging into it. But it returns null. Then I realized that I must make some additions/changes in the tomcat-users.xml and web.xml. But I am not really clear as to what these additions/changes are and I have not found any good resource on the web explaining the same. Heres how parts of my xml files look like:


---- snip begin [web.xml] -----

<security-constraint>
 <web-resource-collection>
 <web-resource-name>Entire Application</web-resource-name>
  <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
  <role-name>tomcat</role-name>
 </auth-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>Tomcat Manager Application</realm-name>
</login-config>

---- snip end [web.xml] -----

 

---- snip begin [tomcat-users.xml] -----

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />

  <!-- Common name in the clients certificate is 3763 -->
  <user name="3763"   password="tomcat" roles="tomcat"  />

</tomcat-users>

---- snip end [tomcat-users.xml] -----


The Common Name in the certificate is 3763 (the certificate I want to grant access to). However I have know idea where the password comes into picture.

I am sure things are incorrect or missing, I'd really appreciate if anyone can help me.

Thanks
-Chaitresh