Posted to users@tomcat.apache.org by Dhayanidhi sundaramoorthi <dh...@gmail.com> on 2014/05/04 01:31:17 UTC

Tomcat7 Client Certificate Authentication Using Datasource Realm Fails

Hi,

In Tomcat7, we are trying to do client certificate authentication using
datasource realm. But it fails.

Please find the configuration below:

server.xml:
----------------
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <!--
  <GlobalNamingResources>
    <Resource auth="Container" description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              name="UserDatabase" pathname="conf/tomcat-users.xml"
              type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
  -->
  <Service name="Catalina">
    <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="10000"
               keyAlias="masfed_server_dit"
               keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"
               maxThreads="150" port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
               secure="true" server="Server" sslProtocol="TLS"
               truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
               truststorepass="sso@di" enablelookups="false"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine defaultHost="localhost" name="Catalina">
      <!--
      <Realm className="org.apache.catalina.realm.MemoryRealm" resourceName="UserDatabase"/>
      -->
      <!--
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      -->
      <GlobalNamingResources>
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/FederationDS"
               userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
               userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
               allRolesMode="authOnly"/>
      </GlobalNamingResources>

      <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
               suffix=".txt"/>
      </Host>
    </Engine>
  </Service>
</Server>


security role configuration <tomcat_base>/conf/web.xml:
---------------------------------------------------------------------------------

<security-role>
  <role-name>masFedClient</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>masFedClient</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <!-- <realm-name>tomcat-users</realm-name> -->
  <realm-name>jdbc/FederationDS</realm-name>
</login-config>

Database has all the required tables and columns.

But authentication fails with the below mentioned error:

FINE:  Checking validity for
'$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE:  Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL
SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE:  Checking validity for 'CN=VeriSign Class 3 Public Primary
Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized
use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
FINE: Got user name from X509 certificate:
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase
invoke
FINE:  Failed authenticate() test

For security purposes, I have masked the certificate CN as $$$$$$$$$$.

The error message does not tell why the authentication is failing.

Do I need to enable additional logs? If so, how do I enable them?

Request your help in fixing this issue.
Any help would be highly appreciated.

Thanks
Dhaya

Re: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails

Posted by Dhayanidhi sundaramoorthi <dh...@gmail.com>.
Hi,

Please find the meaningful log again.


FINE: Authenticating client certificate chain
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
FINE:  Checking validity for 'CN=ssodemo01.es.ad.adp.com, OU="DataExchange,
ADP Technologies", O="Automatic Data Processing, Inc", STREET=1 ADP Blvd.,
L=Roseland, ST=New Jersey, POSTALCODE=07068, C=US, SERIALNUMBER=0568328,
OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware,
OID.1.3.6.1.4.1.311.60.2.1.3=US'
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
FINE:  Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL
SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
FINE:  Checking validity for 'CN=VeriSign Class 3 Public Primary
Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized
use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase getPrincipal
FINE: Got user name from X509 certificate: CN=ssodemo01.es.ad.adp.com,
OU="DataExchange, ADP Technologies", O="Automatic Data Processing, Inc",
STREET=1 ADP Blvd., L=Roseland, ST=New Jersey, POSTALCODE=07068, C=US,
SERIALNUMBER=0568328, OID.2.5.4.15=Private Organization,
OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
May 03, 2014 8:11:00 PM org.apache.catalina.authenticator.AuthenticatorBase
invoke
FINE:  Failed authenticate() test


Desc T_User
Name        Null     Type
----------- -------- ----------
USERNAME    NOT NULL CHAR(1000)
PASSWORD             CHAR(24)
DESCRIPTION          CHAR(500)


Desc T_Roles
Name        Null     Type
----------- -------- ---------
ROLENAME    NOT NULL CHAR(100)
DESCRIPTION          CHAR(250)

Desc T_User_Roles
Name     Null     Type
-------- -------- ----------
USERNAME          CHAR(1000)
ROLENAME NOT NULL CHAR(100)

Appreciate your help and support.

Thanks
Dhaya


On Sat, May 3, 2014 at 8:37 PM, Martin Gainty <mg...@hotmail.com> wrote:


RE: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails

Posted by Martin Gainty <mg...@hotmail.com>.

> Date: Sat, 3 May 2014 19:31:17 -0400
> Subject: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails
> From: dhayamoorthi2013@gmail.com
> To: users@tomcat.apache.org
> 
> Hi,
> 
> In Tomcat7, we are trying to do client certificate authentication using
> datasource realm. But it fails.
> 
> Please find the configuration below:
> 
> server.xml:
> ----------------
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
> <Server port="8005" shutdown="SHUTDOWN"><Listener SSLEngine="on"
> className="org.apache.catalina.core.AprLifecycleListener"/>
> <Listener className="org.apache.catalina.core.JasperListener"/>
> <Listener
> className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
> <Listener
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
> <Listener
> className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
> <!-- <GlobalNamingResources><Resource auth="Container" description="User
> database that can be updated and saved"
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> name="UserDatabase" pathname="conf/tomcat-users.xml"
> type="org.apache.catalina.UserDatabase"/>
> </GlobalNamingResources> -->
> <Service name="Catalina">
> <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="10000"
> keyAlias="masfed_server_dit"
> keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"
> maxThreads="150" port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
> secure="true" server="Server" sslProtocol="TLS"
> truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
>  truststorepass="sso@di" enablelookups="false"/>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
> <Engine defaultHost="localhost" name="Catalina">
> <!-- <Realm className="org.apache.catalina.realm.MemoryRealm"
> resourceName="UserDatabase"/> -->
> <!--
> <Realm className="org.apache.catalina.realm.LockOutRealm"><Realm
> className="org.apache.catalina.realm.UserDatabaseRealm"
> resourceName="UserDatabase"/>
> </Realm>
> -->
> <GlobalNamingResources>
> <Realm className="org.apache.catalina.realm.DataSourceRealm"
>    dataSourceName="jdbc/FederationDS"
>    userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
>    userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
>  allRolesMode="authOnly" />
> </GlobalNamingResources>
> 
> <Host appBase="webapps" autoDeploy="true" name="localhost"
> unpackWARs="true"><Valve
> className="org.apache.catalina.valves.AccessLogValve" directory="logs"
> pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
> suffix=".txt"/>
> </Host>
> </Engine>
> </Service>
> </Server>
> 
> 
> security role configuration <tomcat_base>/conf/web.xml:
> ---------------------------------------------------------------------------------
> 
> <security-role>
>             <role-name>masFedClient</role-name>
>          </security-role>
>        <security-constraint>
>            <web-resource-collection>
>              <web-resource-name>all</web-resource-name>
>            <url-pattern>/*</url-pattern>
>          </web-resource-collection>
>          <auth-constraint>
>             <role-name>masFedClient</role-name>
>           </auth-constraint>
>           <user-data-constraint>
>              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>          </user-data-constraint>
>      </security-constraint>
>      <login-config>
>          <auth-method>CLIENT-CERT</auth-method>
>         <!--  <realm-name>tomcat-users</realm-name> -->
>          <realm-name>jdbc/FederationDS</realm-name>
>      </login-config>
> 
> Database has all the required tables and columns.
> 
> But authentication fails with the below mentioned error:
> 
> FINE:  Checking validity for
> '$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'
MG>This is an insane value. Change it to something meaningful using [A-Z][0-9] characters.
MG>Besides which, your user_name length is WAY beyond the 15-byte allocation for the table:
create table T_USER
(
  user_name varchar(15) not null primary key,
  user_pass varchar(15) not null
);
MG>

> May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
> FINE:  Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL
> SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign
> Trust Network, O="VeriSign, Inc.", C=US'
> May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
> FINE:  Checking validity for 'CN=VeriSign Class 3 Public Primary
> Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized
> use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
> May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
> FINE: Got user name from X509 certificate:
> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
> May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase
> invoke
> FINE:  Failed authenticate() test
> 
> For security purposes, I have masked the certificate CN as $$$$$$$$$$.
MG>cn is ROLE not the user_name
MG>https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

> The error message does not tell why the authentication is failing.
MG>Yes it does: it cannot authenticate $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

> Do I need to enable additional logs? If so, how do I enable them?
> 
> Request your help in fixing this issue.
> Any help would be highly appreciated.
> 
> Thanks
> Dhaya

Re: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails

Posted by Dhayanidhi sundaramoorthi <dh...@gmail.com>.
Hi,

I have moved the realm configuration inside the <Host> tag:

<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
         suffix=".txt"/>

  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/FederationDS"
         userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
         userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
         allRolesMode="authOnly"/>
</Host>

I still get the same error, shown below:

May 04, 2014 11:10:11 AM org.apache.catalina.realm.RealmBase
hasResourcePermission
FINE: No role found:  masFedClient
May 04, 2014 11:10:11 AM org.apache.catalina.realm.RealmBase
hasResourcePermission
FINE: Checking for all roles mode: authOnly
May 04, 2014 11:10:11 AM
org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE:  Failed accessControl() test


Please suggest.

Thanks
Dhaya


On Sun, May 4, 2014 at 10:40 AM, Konstantin Kolinko
<kn...@gmail.com> wrote:

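That log is a different failure from the one in the first post: the realm is now in the chain and builds a principal for the certificate's subject DN, but the lookup of masFedClient for that DN returns nothing. allRolesMode="authOnly" does not rescue it, because that setting only applies when the auth-constraint role-name is "*"; a named role has to be granted explicitly. The grant is a row in T_USER_ROLES whose USERNAME is exactly the string logged after "Got user name from X509 certificate:" (quotes, commas and OID attributes included) and whose ROLENAME is masFedClient. For a CLIENT-CERT login the realm does not compare the PASSWORD column, so that row is what decides access. One caveat on the tables shown earlier in the thread: if the database blank-pads CHAR(n) columns, a DN bound as a variable-length string may not compare equal to the padded value, and VARCHAR columns avoid the problem. The constraint itself belongs in the application's own WEB-INF/web.xml rather than in conf/web.xml. Below is an added example of that file, not something posted in the thread or shipped by Tomcat; it drops the realm-name, which is only the prompt text for BASIC and DIGEST and does not select a Tomcat Realm.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of the protected application (added example). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- A named role: the DataSourceRealm must find a T_USER_ROLES row
           (USERNAME = full subject DN, ROLENAME = masFedClient) for the
           certificate presented. The realm's allRolesMode setting has no
           effect here; it only governs <role-name>*</role-name>. -->
      <role-name>masFedClient</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Plain HTTP requests are redirected to the 8443 connector. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <!-- CLIENT-CERT: the connector's clientAuth="true" handshake supplies the
         X.509 chain; the realm turns its subject DN into the user name. No
         realm-name: that element is BASIC/DIGEST prompt text only and does
         not pick a Tomcat Realm. -->
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>masFedClient</role-name>
  </security-role>
</web-app>
```

To confirm the grant without a browser, present the client certificate with curl (for example curl --cert client.pem --key client.key --cacert server-ca.pem https://host:8443/app/) and look for "Role found:  masFedClient" instead of "No role found:  masFedClient" in the FINE output from org.apache.catalina.realm.RealmBase.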

Re: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-05-04 17:24 GMT+04:00 Dhayanidhi sundaramoorthi
<dh...@gmail.com>:
> Hi,
>
> Thanks for your response.
>
> Can you please let me know the exact location where I am supposed to configure
> the realm in server.xml?

It belongs to a "container" (Context, Host or Engine).
In server.xml that will be <Host> or <Engine>.
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html


> If I place the configuration in <tomcat_base>/conf/web.xml, the
> configuration applies to all the web apps.
> I want all the web applications to be protected.

If you know what you are doing... OK.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails

Posted by Dhayanidhi sundaramoorthi <dh...@gmail.com>.
Hi,

Thanks for your response.

Can you please let me know the exact location where I am supposed to configure
the realm in server.xml?

If I place the configuration in <tomcat_base>/conf/web.xml, the
configuration applies to all the web apps.
I want all the web applications to be protected.

Thanks
Dhaya


On Sun, May 4, 2014 at 8:27 AM, Konstantin Kolinko
<kn...@gmail.com> wrote:


Re: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-05-04 3:31 GMT+04:00 Dhayanidhi sundaramoorthi
<dh...@gmail.com>:
> Hi,
>
> In Tomcat7, we are trying to do client certificate authentication using
> datasource realm. But it fails.
>
> Please find the configuration below:
>
> server.xml:
> ----------------
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
> <Server port="8005" shutdown="SHUTDOWN"><Listener SSLEngine="on"
> className="org.apache.catalina.core.AprLifecycleListener"/>
> <Listener className="org.apache.catalina.core.JasperListener"/>
> <Listener
> className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
> <Listener
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
> <Listener
> className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
> <!-- <GlobalNamingResources><Resource auth="Container" description="User
> database that can be updated and saved"
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> name="UserDatabase" pathname="conf/tomcat-users.xml"
> type="org.apache.catalina.UserDatabase"/>
> </GlobalNamingResources> -->
> <Service name="Catalina">
> <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="10000"
> keyAlias="masfed_server_dit"
> keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"

It is a public list, do you know? You may want to change your passwords.

> maxThreads="150" port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
> secure="true" server="Server" sslProtocol="TLS"
> truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
>  truststorepass="sso@di" enablelookups="false"/>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
> <Engine defaultHost="localhost" name="Catalina">
> <GlobalNamingResources>
> <Realm className="org.apache.catalina.realm.DataSourceRealm"
>    dataSourceName="jdbc/FederationDS"
>    userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
>    userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
>  allRolesMode="authOnly" />

This is a wrong place for a <Realm> element. Here it will be silently ignored.

When parsing server.xml only known and expected XML elements are
recognized. All others are silently ignored.

I do not see a DataSource configuration anywhere.

> </GlobalNamingResources>
>
> <Host appBase="webapps" autoDeploy="true" name="localhost"
> unpackWARs="true"><Valve
> className="org.apache.catalina.valves.AccessLogValve" directory="logs"
> pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
> suffix=".txt"/>
> </Host>
> </Engine>
> </Service>
> </Server>
>
>
> security role configuration <tomcat_base>/conf/web.xml:

The conf/web.xml file is a wrong place for your configuration.
It should be in your webapp's own WEB-INF/web.xml file, not in the global one.

> ---------------------------------------------------------------------------------
>
> <security-role>
>             <role-name>masFedClient</role-name>
>          </security-role>
>        <security-constraint>
>            <web-resource-collection>
>              <web-resource-name>all</web-resource-name>
>            <url-pattern>/*</url-pattern>
>          </web-resource-collection>
>          <auth-constraint>
>             <role-name>masFedClient</role-name>
>           </auth-constraint>
>           <user-data-constraint>
>              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>          </user-data-constraint>
>      </security-constraint>
>      <login-config>
>          <auth-method>CLIENT-CERT</auth-method>
>         <!--  <realm-name>tomcat-users</realm-name> -->
>          <realm-name>jdbc/FederationDS</realm-name>

The realm-name is the message shown to users when using DIGEST or
BASIC authentication.
It has no relation to Tomcat's realms.

>      </login-config>
>
> Database has all the required tables and columns.
>
(...)

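Konstantin's two replies (a <Realm> belongs to a container, the element inside GlobalNamingResources is silently ignored, no DataSource is defined anywhere, and the constraints belong in WEB-INF/web.xml) all come down to the layout of server.xml, so here is a corrected layout as an added example; it is not a file from the thread or from the Tomcat project. GlobalNamingResources is a child of <Server>, a <Realm> is a child of Engine, Host or Context, and the parser drops elements it does not expect at a given position without any error, which is why the posted layout failed silently. Two further points a reviewer would raise on the posted connector: attribute names are case-sensitive, so truststorefile and truststorepass are not the documented truststoreFile and truststorePass and the connector does not pick up the trust store named there; and whatever store is applied should hold only the CA(s) that issue the client certificates, since the FINE lines show a public VeriSign chain passing validation, after which the only gate left is the DN-to-role lookup in the database. The JDBC driver class, the URL, the trust-store file name and the ${...} property names are assumptions; Tomcat substitutes ${name} in server.xml from system properties (conf/catalina.properties is the usual place to set them), which also keeps the passwords Konstantin warned about out of the file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/server.xml (added example, not the poster's file). -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

  <!-- GlobalNamingResources is a child of <Server>. The DataSource that the
       realm names in dataSourceName must be defined here; the posted file had
       no Resource at all. Driver class and URL are assumed placeholders, the
       thread never says which database sits behind jdbc/FederationDS. The
       ${...} values come from system properties, so no password is in this file. -->
  <GlobalNamingResources>
    <Resource name="jdbc/FederationDS" auth="Container" type="javax.sql.DataSource"
              driverClassName="oracle.jdbc.OracleDriver"
              url="jdbc:oracle:thin:@db.example.internal:1521:FED"
              username="${fed.db.user}" password="${fed.db.pass}"
              maxActive="20" maxIdle="5" maxWait="10000"/>
  </GlobalNamingResources>

  <Service name="Catalina">
    <!-- Attribute names are case-sensitive: truststoreFile/truststorePass, not
         truststorefile/truststorepass. The trust store should contain only the
         CA(s) that issue client certificates (file name assumed); pointing it
         at the server's own key store, as posted, trusts whatever CA chain that
         store happens to hold. -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               maxThreads="150" connectionTimeout="10000" enableLookups="false"
               clientAuth="true"
               keyAlias="masfed_server_dit"
               keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks"
               keystorePass="${masfed.keystore.pass}"
               truststoreFile="/opt/ADP/keystores/masfed_client_ca.jks"
               truststorePass="${masfed.truststore.pass}"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

    <Engine name="Catalina" defaultHost="localhost">
      <!-- A Realm is a child of a container (Engine, Host or Context), never of
           GlobalNamingResources. Placed on the Engine it applies to every Host
           and every webapp. For CLIENT-CERT the user name it looks up in
           T_USER_ROLES is the full subject DN string shown in the FINE log lines. -->
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
             dataSourceName="jdbc/FederationDS"
             userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
             userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME"/>

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
  </Service>
</Server>
```

Because a misplaced element produces no error, the FINE lines from org.apache.catalina.realm that appear in the thread are the quickest confirmation that the DataSourceRealm is actually the realm in effect after the change; if they stop appearing, the element has again landed somewhere the parser ignores.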