Posted to users@tomcat.apache.org by "STANFORD, Jon-Paul, FM" <Jo...@rbos.com> on 2001/12/12 18:18:12 UTC

SubjectDN for client authentication Tomcat 4.0.1?

Anyone,

I am having a little difficulty setting up Tomcat (4.0.1) to perform client authentication. For our purposes we are happy to use the MemoryRealm and perform authentication of a client's certificate against tomcat users in this realm.

The question is what do you put in the user name attribute in conf/tomcat-users.xml? I saw a post which indicated this must be the SubjectDN of the certificate - but what exactly is this? I exported the Digital ID from Netscape and imported it into the Certificates snap-in in MMC so I could see its details - the Subject field is as follows -

E = jon-paul.stanford@rbos.com
CN = Joe Bloggs
OU = Digital ID Class 1 - Netscape
OU = Persona Not Validated
OU = www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98
OU = VeriSign Trust Network
O = VeriSign, Inc.

I set this as the user, but got the usual "Cannot authenticate with the provided credentials" message. So this would not appear to be correct, but I cannot tell whether this is formatting or that I am doing something wrong.

If anyone knows how to configure this correctly, I would be very grateful.

The rest of my config is as follows -

Cheers,
JP


conf\server.xml
...
	<Realm className="org.apache.catalina.realm.MemoryRealm" />
...
	<Context path="/FXE" docBase="FXE" debug="1" reloadable="true"/>
...

conf\tomcat-users.xml
<tomcat-users>
	<user name="tomcat" password="tomcat" roles="tomcat" />
	<user name="role1"  password="tomcat" roles="role1"  />
	<user name="both"   password="tomcat" roles="tomcat,role1" />
	<user name="E=jon-paul.stanford@rbos.com, CN=Joe Bloggs, OU=Digital ID Class 1 - Netscape, OU=Persona Not Validated, OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98, OU=VeriSign Trust Network, O = VeriSign, Inc." password="tomcat" roles="tomcat"/>
</tomcat-users>

FXE\WEB-INF\web.xml
<!DOCTYPE web-app 
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" 
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

	<display-name>AServlet</display-name>

	<servlet>
		<servlet-name>TheServlet</servlet-name>
		<servlet-class>com.rbsfm.fxe.TheServlet</servlet-class>
	</servlet>
    
	<servlet-mapping>
		<servlet-name>TheServlet</servlet-name>
		<url-pattern>/TheServlet</url-pattern>
	</servlet-mapping>

	<security-constraint>
		<display-name>Role based security constraint</display-name>
		<web-resource-collection>
			<web-resource-name>Protected Area</web-resource-name>
			<url-pattern>/TheServlet</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>tomcat</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

	<login-config>
		<auth-method>CLIENT-CERT</auth-method>
	</login-config>
	
	<security-role>
		<role-name>tomcat</role-name>
	</security-role>

</web-app>


Jon-Paul Stanford

eCommerce Development - Financial Markets 
The Royal Bank of Scotland 
135 Bishopsgate
London 
EC2M 3UR 
Tel: 020 7375 5360
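Tomcat 4's RealmBase looks the client up with the string returned by certs[0].getSubjectDN().getName(), so the name attribute has to match that string byte for byte rather than the MMC display. The following small utility is an added example (not code from the post or from Tomcat): it loads a certificate exported from the browser (the file path is an assumed command-line argument) and prints the subject in the forms Java produces, so the exact value can be pasted into tomcat-users.xml.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

// Prints a client certificate's subject in the string forms the JDK produces.
public class SubjectDnPrinter {

    // Legacy form: what getSubjectDN().getName() yields. This is the string
    // Tomcat 4's RealmBase passes to getPrincipal(), so it is the one that
    // must appear verbatim in the user name attribute.
    static String legacyName(X509Certificate cert) {
        return cert.getSubjectDN().getName();
    }

    // RFC 2253 form, shown for comparison: attribute types with no RFC 2253
    // keyword (such as the e-mail address) come out as dotted OIDs here.
    static String rfc2253Name(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path of the exported certificate (DER or PEM), e.g. client.cer
        // (assumed input; any X.509 certificate exported from the browser works)
        try (InputStream in = new FileInputStream(args[0])) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            System.out.println("getSubjectDN().getName(): " + legacyName(cert));
            System.out.println("RFC 2253 form:            " + rfc2253Name(cert));
        }
    }
}
```

Run it with the same JDK that Tomcat uses, since the legacy string form is produced by the JDK's own X.500 name class and can differ between vendors and versions.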
