You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Butler <te...@gmail.com> on 2007/01/17 09:46:06 UTC

CLIENT-CERT Authentication & JAASRealm not working

Hi All,

I tried to config my webapp to authenticate user by CLIENT-CERT auth method.
my 1st test is using UserDatabaseRealm and add the client cert DN to
tomcat-user.xml. everything works great. However, when I tried to use
JAASRealm, it fail even my custom LoginModule always return true for
any username.

To verify my LoginModule, I tried to use "BASIC" to auth user. my
LoginModule is being called and successfully authenticate any input.

After studying Tomcat 5.5.20 source, I found that the problem is
caused by the RealmBase.java and JAASRealm.java.

In RealmBase, if CLIENT-CERT, SSLAuthenticator will call the :

     public Principal authenticate(X509Certificate certs[]);

and it will only validate the certs and then call
getPrincipal(certs[0]) to get the Principal. However, in JAASRealm, it
didn't override this function and the getPrincipal function always
return null.


For my case, I can't use other type of Realm coz' I only have the CA's
DN is known. I can't insert all user cert's DN to tomcat-user.xml
before server start. Is there any suggestion how to implements
CLIENT_CERT authentication without knowing client cert's DN?

Thanks
Butler



In server.xml :
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true" debug="99"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="conf/server.ks"
               truststoreFile="conf/trust.ks"
               />


      <Realm className="org.apache.catalina.realm.JAASRealm"
             appName="Tomcat"
             userClassNames="test.UserPrincipal"
             roleClassNames="test.RolePrincipal"
             useContextClassLoader="false"
             />


in web.xml :

    <security-role>
        <role-name>cert</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Test</web-resource-name>
            <url-pattern>/test/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>cert</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org