Posted to users@tomcat.apache.org by Andrew Gronosky <ag...@bbn.com> on 2014/12/01 20:33:21 UTC

Client certificates not authenticated by realm

Hello,

I am trying to set up client-certificate authentication for Tomcat 
7.0.57. I have read the basics in the docs and I have my configuration 
working up to a point.

My problem is that Tomcat accepts the client's connection, but returns 
HTTP status 401 for pages the user is supposed to be authorized to access.

I am confident the certificates and key store etc. are set up properly 
because the TLS connection works with a trusted client certificate and 
not with an untrusted one. :-)

Some relevant snippets from the configuration files:

web.xml from my web app divides the web resources into several 
collections, one of which requires no authentication at all and others 
require the user to belong to a particular role. For example:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public Interface</web-resource-name>
    <url-pattern>/index.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>


<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrator Only</web-resource-name>
    <url-pattern>/admin.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The Connector is set up in server.xml as:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           clientAuth="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${catalina.home}/conf/testServer.jks"
           keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/truststore.jks"
           truststorePass="changeit"
           sslProtocol="TLSv1.2" />

And finally, my Realm is a UserDatabaseRealm:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" digest="sha"/>

tomcat-users.xml looks something like this:

<tomcat-users>
  <role rolename="user" /> <!-- Regular users -->
  <role rolename="administrator" /> <!-- System administrators -->
  <user username="testClient_1" password="****redacted***" roles="user" />
  <user username="testClient_2" password="****redacted***"
        roles="administrator" />
</tomcat-users>

Again, the symptom I am seeing is that a browser with the testClient_2 
certificate installed can connect to the web app and access index.html, 
but gets an HTTP 401 error trying to access admin.html.

Does anyone have suggestions what I might be overlooking or how I could 
isolate the cause?

Thanks,

-- 
Andrew Gronosky


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Client certificates not authenticated by realm

Posted by Andrew Gronosky <ag...@bbn.com>.
On 2014-12-01 15:14, Christopher Schultz wrote:
> What do the CNs look like for your client certs?
>
> -chris
Hi Chris,

Thanks for the very quick reply!

For the testClient_2 client cert, the CN is:

> Owner: CN=testClient_2, OU=ATAK, O=BBN, L=Cambridge, ST=MA, C=US
> Issuer: CN=marti-ca, O=BBN, L=Cambridge, ST=MA, C=US

The CA (marti-ca) is one I made up myself and it's installed in the 
browser as trusted.


-- 
Andrew Gronosky




Re: Client certificates not authenticated by realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Andrew,

On 12/1/14 4:32 PM, Andrew Gronosky wrote:
> Problem solved.
> 
> The issue was tomcat-users.xml should contain the client's CN as
> the user name, like this:
> 
> <tomcat-users>
>   <role rolename="secureconn" />
>   <user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN"
>         password="null" roles="secureconn"/>
> </tomcat-users>

Yup.

> So Chris was definitely on the right track when he (I assume,
> maybe incorrectly, "Chris" is male) inquired about the CNs in my
> client certs.

+1 for male ;)

> Thanks again, Chris!

No problem.

-chris



Re: Client certificates not authenticated by realm

Posted by Andrew Gronosky <ag...@bbn.com>.
Problem solved.

The issue was tomcat-users.xml should contain the client's CN as the 
user name, like this:

<tomcat-users>
  <role rolename="secureconn" />
  <user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN"
        password="null" roles="secureconn"/>
</tomcat-users>

So Chris was definitely on the right track when he (I assume, maybe 
incorrectly, "Chris" is male) inquired about the CNs in my client certs.

Thanks again, Chris!

-Andrew Gronosky




On 2014-12-01 15:14, Christopher Schultz wrote:
> Andrew,
>
>> [...]
>
> What do the CNs look like for your client certs?
>
> -chris

-- 
Andrew Gronosky
Raytheon BBN Technologies
10 Moulton Street
Cambridge, MA 02138

voice: 617-873-3486
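The fix above hinges on one detail that is easy to get wrong: the realm user name Tomcat looks up is the whole subject DN, rendered the way Java renders it, not the bare CN and not the string OpenSSL prints. The script below is an added example, not code from the thread or from the Tomcat project. It assumes Tomcat 7's RealmBase behaviour, where the principal name for a client certificate is X509Certificate.getSubjectDN().getName(): RDNs most-specific-first, joined by ", ", which is exactly the "Owner:" line keytool prints. OpenSSL prints the same subject in DER order (C, ST, L, O, OU, CN), so the script converts an OpenSSL subject line into the realm key, shows why the bare-CN entry from the original post misses, and emits a well-formed tomcat-users.xml entry. The two OPENSSL_* sample lines are constructed from the testClient_2 DN in the thread, not taken from a real certificate.

```python
"""Work out the user name Tomcat's realm looks up for an X.509 client
certificate, and emit the matching tomcat-users.xml entry.

Assumption (Tomcat 7 RealmBase): the principal name is
X509Certificate.getSubjectDN().getName(), i.e. the subject DN as Java prints
it, RDNs most-specific-first joined by ", ". That is the string keytool shows
after "Owner:". OpenSSL prints the same subject in DER order, so a DN copied
from `openssl x509 -noout -subject` will not match the realm entry as-is.
"""
import re
from xml.sax.saxutils import quoteattr

# Constructed sample input: the testClient_2 subject from the thread, as the
# two common OpenSSL output styles would print it (not from a real cert).
OPENSSL_SLASH_FORM = "subject= /C=US/ST=MA/L=Cambridge/O=BBN/OU=ATAK/CN=testClient_2"
OPENSSL_COMMA_FORM = "subject=C = US, ST = MA, L = Cambridge, O = BBN, OU = ATAK, CN = testClient_2"


def parse_openssl_subject(line):
    """Return the subject as [(attr, value), ...] in DER (OpenSSL) order.

    Accepts both the legacy '/C=US/ST=MA/...' style and the newer
    'C = US, ST = MA, ...' style. Backslash-escaped separators inside a
    value are not treated as separators.
    """
    body = line.strip()
    if body.startswith("subject"):
        body = body.split("=", 1)[1].strip()
    separator = r"(?<!\\)/" if body.startswith("/") else r"(?<!\\),\s*"
    rdns = []
    for part in re.split(separator, body):
        if not part:
            continue
        attr, _, value = part.partition("=")  # first '=' only; values may contain '='
        rdns.append((attr.strip(), value.strip()))
    return rdns


def tomcat_username(rdns):
    """The key UserDatabaseRealm will look up: Java's X500Name.toString()
    rendering, i.e. the reverse of DER order with ", " between RDNs."""
    return ", ".join("%s=%s" % (attr, value) for attr, value in reversed(rdns))


def realm_lookup(username, users):
    """Mimic MemoryUserDatabase.findUser(): an exact, case-sensitive key match.
    Returns the user's roles, or None, which is what surfaces as the 401."""
    return users.get(username)


def tomcat_user_element(rdns, roles):
    """Render the <user> element for tomcat-users.xml. quoteattr() escapes any
    quote or angle bracket a DN might carry, so the file stays well-formed.
    With CLIENT-CERT auth the realm never checks the password attribute, so
    it is left empty rather than given a reusable value."""
    return '<user username=%s password="" roles=%s />' % (
        quoteattr(tomcat_username(rdns)), quoteattr(",".join(roles)))


if __name__ == "__main__":
    rdns = parse_openssl_subject(OPENSSL_SLASH_FORM)
    name = tomcat_username(rdns)
    # Before the fix: the realm only knows the bare CN, so the lookup misses.
    print("bare CN entry ->", realm_lookup(name, {"testClient_2": ["administrator"]}))
    # After the fix: the entry is keyed by the full DN string.
    print("full DN entry ->", realm_lookup(name, {name: ["administrator"]}))
    print(tomcat_user_element(rdns, ["administrator"]))
```

Two practical notes. The web.xml also needs a `<login-config>` with `<auth-method>CLIENT-CERT</auth-method>` for the container to consult the certificate at all; the snippets in the thread do not show that part. And on Tomcat 8.5 and later the Realm element accepts an `X509UsernameRetrieverClassName` attribute, so a deployment that would rather key users on a different part of the certificate than the full subject DN can plug in its own retriever instead of copying DNs into tomcat-users.xml.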


Re: Client certificates not authenticated by realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Andrew,

On 12/1/14 2:33 PM, Andrew Gronosky wrote:
> [...]
> tomcat-users.xml looks something like this:
> 
> <tomcat-users> <role rolename="user" /> <!-- System administrators
> --> <role rolename="administrator" /> <!-- System administrators
> --> <user username="testClient_1" password="****redacted***"
> roles="user" /> <user username="testClient_2"
> password="****redacted***" roles="administrator" /> 
> </tomcat-users>
> 
> Again, the symptom I am seeing is that a browser with the
> testClient_2 certificate installed can connect to the web app and
> access index.html, but gets an HTTP 401 error trying to access
> admin.html.
> 
> Does anyone have suggestions what I might be overlooking or how I
> could isolate the cause?

What do the CNs look like for your client certs?

-chris
