Posted to dev@tomcat.apache.org by "STANFORD, Jon-Paul, FM" <Jo...@rbos.com> on 2001/12/13 15:11:56 UTC

Client authentication implementation - user 'name' attribute = SubjectDN ?

Anyone,
	I am having a little difficulty setting up Tomcat (4.0.1) to perform
client authentication (actually mutual). For our purposes we are happy to
use the MemoryRealm and perform authentication of a client's certificate
against tomcat users in this realm.

I initially posted this to the 'user' newsgroup, but have had no
responses. But this I guess is more related to the specific implementation
of the authentication.

The question is what do you put in the user name attribute in
conf/tomcat-users.xml?
I saw a post which indicated this must be the "SubjectDN" of the
certificate - but what exactly is this?
I exported the Digital ID from Netscape and imported it into the
Certificates snap-in in MMC so I could see its details; the Subject field
is as follows -

E = jon-paul.stanford@rbos.com
CN = Joe Bloggs
OU = Digital ID Class 1 - Netscape
OU = Persona Not Validated
OU = www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98
OU = VeriSign Trust Network
O = VeriSign, Inc.

I set this as the user, but got the usual "Cannot authenticate with the
provided credentials" message - equally I tried combinations of some of the
fields.
So this would not appear to be correct, but I cannot tell whether this is
formatting (i.e. quoted, escaped - how?) in the user name attribute or that
I am doing something wrong?


Can you confirm that the client certificate must only be installed on the
client browser and not imported into the JSSE keystore? I can't imagine you
would have to do this - but would like to make sure.


If anyone knows how to configure this correctly, or indeed whether Tomcat is
really able to do this - I would be very grateful.


The rest of my config is as follows -

Cheers,
JP


conf\server.xml
...
	<Realm className="org.apache.catalina.realm.MemoryRealm" />
...
	<Context path="/FXE" docBase="FXE" debug="1" reloadable="true"/>
...

conf\tomcat-users.xml
<tomcat-users>
	<user name="tomcat" password="tomcat" roles="tomcat" />
	<user name="role1"  password="tomcat" roles="role1"  />
	<user name="both"   password="tomcat" roles="tomcat,role1" />
	<user name="E=jon-paul.stanford@rbos.com, CN=Joe Bloggs, OU=Digital ID Class 1 - Netscape, OU=Persona Not Validated, OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98, OU=VeriSign Trust Network, O = VeriSign, Inc." password="tomcat" roles="tomcat"/>
</tomcat-users>

FXE\WEB-INF\web.xml
<!DOCTYPE web-app 
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" 
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

	<display-name>AServlet</display-name>

	<servlet>
		<servlet-name>TheServlet</servlet-name>
		<servlet-class>com.rbsfm.fxe.TheServlet</servlet-class>
	</servlet>
    
	<servlet-mapping>
		<servlet-name>TheServlet</servlet-name>
		<url-pattern>/TheServlet</url-pattern>
	</servlet-mapping>

	<security-constraint>
		<display-name>Role based security constraint</display-name>
		<web-resource-collection>
			<web-resource-name>Protected Area</web-resource-name>
			<url-pattern>/TheServlet</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>tomcat</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

	<login-config>
		<auth-method>CLIENT-CERT</auth-method>
	</login-config>
	
	<security-role>
		<role-name>tomcat</role-name>
	</security-role>

</web-app>


Jon-Paul Stanford

eCommerce Development - Financial Markets 
The Royal Bank of Scotland 
135 Bishopsgate
London 
EC2M 3UR 
Tel: 020 7375 5360



********************************************************************
      Visit our Internet site at http://www.rbsmarkets.com

This e-mail is intended only for the addressee named above.
As this e-mail may contain confidential or privileged information,
if you are not the named addressee, you are not authorised to
retain, read, copy or disseminate this message or any part of it.
********************************************************************

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
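Added example (not part of the post above, and not Tomcat's own code): a small Java program that reads a certificate exported from the browser and prints its subject DN in the string forms a Java realm actually sees, so the exact value can be pasted into tomcat-users.xml instead of being retyped from the MMC snap-in. It assumes the Tomcat 4 RealmBase behaviour of looking the user up by certs[0].getSubjectDN().getName() (as in the 4.0 source; confirm against the version in use). The class name, the certificate file name and the password placeholder are made up for the example; the X500Principal calls need J2SE 1.4 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/**
 * Prints the subject DN of a client certificate in the exact string forms a
 * Java realm looks up, and a ready-to-paste tomcat-users.xml entry.
 *
 * Usage: java SubjectDnForRealm client.cer   (DER or PEM encoded, public part only)
 */
public class SubjectDnForRealm {

    /** Escape the characters that may not appear verbatim in an XML attribute value.
     *  Needed because Java quotes DN values that contain commas, e.g. O="VeriSign, Inc." */
    static String xmlAttribute(String value) {
        return value.replace("&", "&amp;")
                    .replace("\"", "&quot;")
                    .replace("<", "&lt;");
    }

    /** Load the first certificate from a DER or PEM file (CertificateFactory accepts both). */
    static X509Certificate load(String path) throws Exception {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) factory.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = load(args[0]);

        // Assumption (Tomcat 4.0 RealmBase.authenticate(X509Certificate[])): after
        // checkValidity() on each cert in the chain, the realm calls
        // getPrincipal(certs[0].getSubjectDN().getName()). The MemoryRealm entry
        // must therefore match this string character for character.
        String legacy = cert.getSubjectDN().getName();

        // Later JDKs / Tomcat versions work with X500Principal; shown for comparison,
        // because the keyword for the e-mail attribute and the quoting differ by format.
        X500Principal principal = cert.getSubjectX500Principal();
        String rfc1779 = principal.getName(X500Principal.RFC1779);
        String rfc2253 = principal.getName(X500Principal.RFC2253);

        System.out.println("getSubjectDN().getName(): " + legacy);
        System.out.println("X500Principal, RFC 1779:  " + rfc1779);
        System.out.println("X500Principal, RFC 2253:  " + rfc2253);
        System.out.println();

        // Tomcat 4 attribute names (name/password/roles). The password is not
        // consulted for CLIENT-CERT, but the realm is shared by every context, so
        // do not leave it empty; "UNUSED-SET-A-RANDOM-VALUE" is a placeholder.
        System.out.println("tomcat-users.xml entry:");
        System.out.println("\t<user name=\"" + xmlAttribute(legacy)
                + "\" password=\"UNUSED-SET-A-RANDOM-VALUE\" roles=\"tomcat\" />");
        System.out.println();

        // The realm compares only the DN string; which CA is allowed to issue a
        // certificate with that DN is decided by the connector's truststore.
        System.out.println("Issuer: " + cert.getIssuerDN().getName());
        System.out.println("Valid:  " + cert.getNotBefore() + " to " + cert.getNotAfter());
    }
}
```

Two things worth checking against the output. First, the subject in the post contains values with commas ("VeriSign, Inc." and "...by Ref.,LIAB.LTD(c)98"); Java's DN string wraps those in double quotes, so the tomcat-users.xml attribute has to carry them as &quot;, and the e-mail attribute is printed with Java's keyword (typically EMAILADDRESS=) rather than MMC's "E =". Second, the client certificate itself belongs only in the browser, but the CA that issued it must be in the truststore the connector's SSL socket factory uses and the connector must request client certificates (the clientAuth setting); without a chain presented at the TLS handshake the realm is never called, and whatever CAs that truststore contains are the ones whose subject DNs this lookup will accept.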