Posted to dev@tomcat.apache.org by Butler <te...@gmail.com> on 2007/01/17 17:04:13 UTC
CLIENT-CERT Authentication & JAASRealm bug?
Hi All,
I tried to configure my webapp to authenticate users by the CLIENT-CERT auth method.

My first test was using UserDatabaseRealm and adding the client cert DN to tomcat-users.xml. Everything works great. However, when I tried to use JAASRealm, it fails even though my custom LoginModule always returns true for any username.

To verify my LoginModule, I tried to use "BASIC" to auth the user. My LoginModule is being called and successfully authenticates any input.

After studying the Tomcat 5.5.20 source, I found that the problem is caused by RealmBase.java and JAASRealm.java.

In RealmBase, for CLIENT-CERT, SSLAuthenticator will call:

    public Principal authenticate(X509Certificate certs[]);

and it will only validate the certs and then call getPrincipal(certs[0]) to get the Principal. However, JAASRealm doesn't override this function, and its getPrincipal function always returns null.

That means Tomcat can't use JAASRealm with the CLIENT-CERT auth method.
Thanks
Butler
In server.xml:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true" debug="99"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="conf/server.ks"
               truststoreFile="conf/trust.ks"
    />

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="Tomcat"
           userClassNames="test.UserPrincipal"
           roleClassNames="test.RolePrincipal"
           useContextClassLoader="false"
    />
In web.xml:

    <security-role>
        <role-name>cert</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Test</web-resource-name>
            <url-pattern>/test/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>cert</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
--
Butler
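The call chain described in the post (RealmBase.authenticate(X509Certificate[]) validating the chain and then calling getPrincipal(...) with the subject DN, which JAASRealm answers with null) suggests one way to make JAASRealm usable with CLIENT-CERT on Tomcat 5.5: subclass it and route the DN into the normal JAAS login path. The class below is an added example written for this thread, not code from the original message or from Tomcat. The package and class name (test.CertJAASRealm), and the convention of passing an empty string as the credential for certificate-derived names, are assumptions; the JAASRealm and RealmBase method names are the ones the post describes.

```java
package test; // hypothetical package, matching the "test." prefix of the principal classes in the post

import java.security.Principal;
import java.security.cert.X509Certificate;

import org.apache.catalina.realm.JAASRealm;

/**
 * Illustrative workaround realm for Tomcat 5.5 (not part of Tomcat or the original post).
 *
 * RealmBase.authenticate(X509Certificate[]) checks the validity period of each certificate
 * in the chain and then calls getPrincipal(certs[0].getSubjectDN().getName()). JAASRealm's
 * getPrincipal(String) returns null, so CLIENT-CERT never yields a Principal. This subclass
 * forwards that call to JAASRealm.authenticate(String, String) so the configured LoginModule
 * decides whether the DN maps to a known user and which roles it gets.
 */
public class CertJAASRealm extends JAASRealm {

    /** Credential handed to the LoginModule for certificate-derived names (assumed convention). */
    private static final String CERT_CREDENTIAL = "";

    /**
     * Reject chains whose leaf certificate carries no subject before the RealmBase validity
     * checks run; everything else is deferred to RealmBase, which ends up in getPrincipal().
     */
    public Principal authenticate(X509Certificate certs[]) {
        if (certs == null || certs.length < 1 || certs[0].getSubjectDN() == null) {
            return null;
        }
        return super.authenticate(certs);
    }

    /**
     * 'username' is the subject DN of the client certificate, already verified against the
     * connector's truststore by the TLS handshake and validity-checked by RealmBase.
     */
    protected Principal getPrincipal(String username) {
        if (username == null || username.length() == 0) {
            return null;
        }
        // The realm's remaining job is mapping DN -> user and roles. A production LoginModule
        // must look the DN up in its user store and fail for unknown names; it must not accept
        // every username the way the test module in the post does.
        return authenticate(username, CERT_CREDENTIAL);
    }
}
```

To try it, the Realm element in server.xml would reference className="test.CertJAASRealm" instead of org.apache.catalina.realm.JAASRealm, with the same appName, userClassNames and roleClassNames attributes; the LoginModule then receives the certificate DN as the NameCallback value and the assumed empty credential in the PasswordCallback, and should authorise only DNs it can find in its user store.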