Posted to users@tomcat.apache.org by Ivo Matheis <iv...@web.de> on 2003/08/01 12:56:06 UTC

Client Authentication in combination with a realm

Hi,

I'm using Tomcat 4.0.6 and have configured it for client authentication. This works fine.
Then I tried to add a realm to a certain webapp in order to control access. As I have read in several sources, either the client certificate's Common Name or the complete Distinguished Name is used to identify the user (i.e. the CN or DN must be identical to the username in Tomcat's users.xml file in order to identify the user).
I tried both the CN and the DN string as the username in users.xml, but when accessing the secured webapp I get a 401 - Cannot authenticate with the provided credentials...
What is wrong? Does that kind of authentication not work with users.xml?

Thanks, Ivo

PS: this is a snippet of my secured webapp's web.xml:
<security-constraint>
   <web-resource-collection>
      <web-resource-name>foo client auth</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>foo</role-name>
   </auth-constraint>
   <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>
<login-config>
   <auth-method>CLIENT-CERT</auth-method>
   <realm-name>foobar</realm-name>
</login-config>
<security-role>
   <role-name>foo</role-name> 
</security-role>

<!-- my client certificate's CN is "Ivo Matheis" -->
<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="Ivo Matheis" password="null" roles="foo" />
</tomcat-users>

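An added check, not part of Ivo's post and not Tomcat's own code: the realm lookup for CLIENT-CERT is a plain string comparison, so the safest way to fill the name attribute in tomcat-users.xml is to print the subject exactly as the JDK renders it. Tomcat 4's RealmBase derives the username from certs[0].getSubjectDN().getName() (confirm against the RealmBase source of the version you run); that string is the full DN with RDNs separated by ", " (for example CN=Ivo Matheis, OU=..., O=..., C=DE), which is neither the bare CN nor the slash-separated form openssl prints by default. The program takes the path to the client certificate (PEM or DER) as its only argument; the class name and usage text are this example's own.

```java
// Added example (not from the original post or from Tomcat). Prints the
// subject of a client certificate in the format that the JDK's
// X509Certificate.getSubjectDN().getName() returns, which is the username
// string Tomcat's RealmBase looks up in the realm for CLIENT-CERT auth.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class CertUsername {

    /** The exact string to put in the name attribute of tomcat-users.xml. */
    static String usernameFor(X509Certificate cert) {
        // Assumption (matches Tomcat 4's RealmBase.authenticate(X509Certificate[])):
        // the realm principal is looked up by getSubjectDN().getName(), e.g.
        // "CN=Ivo Matheis, OU=..., O=..., C=DE" with ", " between RDNs.
        return cert.getSubjectDN().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CertUsername <client-cert.pem|.der>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);

            // Use this line verbatim as the username in tomcat-users.xml.
            System.out.println("Username as the realm sees it: " + usernameFor(cert));

            // Shown only to make the mismatch visible: the RFC 2253 rendering
            // has no spaces after the commas and will not match the realm entry.
            System.out.println("RFC 2253 form (will NOT match): "
                    + cert.getSubjectX500Principal().getName());

            // Extra context that helps when the trust store is the real problem.
            System.out.println("Issuer:     " + cert.getIssuerDN().getName());
            System.out.println("Valid from: " + cert.getNotBefore());
            System.out.println("Valid to:   " + cert.getNotAfter());
        }
    }
}
```

Compile and run with `javac CertUsername.java && java CertUsername client.pem`, then copy the printed username into tomcat-users.xml unchanged, quoting it as an attribute value, for example name="CN=Ivo Matheis, OU=..., O=..., C=DE" (the RDN values after the CN are whatever your certificate carries). A 401 that persists after the names match points at the connector rather than the realm: the client certificate chain must verify against the connector's truststore before any realm lookup happens.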