You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Butler <te...@gmail.com> on 2007/01/17 17:04:13 UTC

CLIENT-CERT Authentication & JAASRealm bug?

Hi All,

I tried to config my webapp to authenticate user by CLIENT-CERT auth method.
my 1st test is using UserDatabaseRealm and add the client cert DN to
tomcat-user.xml. everything works great. However, when I tried to use
JAASRealm, it fail even my custom LoginModule always return true for
any username.

To verify my LoginModule, I tried to use "BASIC" to auth user. my
LoginModule is being called and successfully authenticate any input.

After studying Tomcat 5.5.20 source, I found that the problem is
caused by the RealmBase.java and JAASRealm.java.

In RealmBase, if CLIENT-CERT, SSLAuthenticator will call the :

    public Principal authenticate(X509Certificate certs[]);

and it will only validate the certs and then call
getPrincipal(certs[0]) to get the Principal. However, in JAASRealm, it
didn't override this function and the getPrincipal function always
return null.

That means Tomcat can't use JAASRealm with CLIENT-CERT auth method.


Thanks
Butler



In server.xml :
   <Connector port="8443" maxHttpHeaderSize="8192"
              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true" debug="99"
              clientAuth="want" sslProtocol="TLS"
              keystoreFile="conf/server.ks"
              truststoreFile="conf/trust.ks"
              />


     <Realm className="org.apache.catalina.realm.JAASRealm"
            appName="Tomcat"
            userClassNames="test.UserPrincipal"
            roleClassNames="test.RolePrincipal"
            useContextClassLoader="false"
            />


in web.xml :

   <security-role>
       <role-name>cert</role-name>
   </security-role>

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Test</web-resource-name>
           <url-pattern>/test/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
           <role-name>cert</role-name>
       </auth-constraint>
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
   </login-config>


-- 
Butler

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org