Posted to users@tomcat.apache.org by Markus <ax...@googlemail.com> on 2006/02/01 15:22:03 UTC
Re: Tomcat and client certificates
Setting clientAuth to true / false in the Connector configuration
works fine, but how do I configure client authentication on a
per-directory or even per-servlet basis?
This is my current configuration:
In server.xml:
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="\...\keystore.jks" keystorePass="wonttell"
truststoreFile="\...\truststore.jks" truststorePass="wonttell"
/>
In web.xml:
<security-constraint>
<web-resource-collection>
<url-pattern>/html/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
<user-data-constraint/>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
And here are the results I get:
https://domain/anypage : OK
https://domain/html/anypage : HTTP Status 403 - Access to the
requested resource has been denied
The logfile says:
01.02.2006 15:19:57 org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL Cert
java.net.SocketException: Socket Closed
What's wrong with my configuration?
Markus
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat and client certificates
Posted by Mark Thomas <ma...@apache.org>.
Markus wrote:
> Ok, I just submitted the bugs #38553 and #38555 for both issues. If
> you need more information, please let me know via bugzilla.
5.5.x CLIENT-CERT should work with all realms. 5.0.x - don't hold your
breath.
Mark
---------------------------------------------------------------------
Re: Tomcat and client certificates
Posted by Markus <ax...@googlemail.com>.
Ok, I just submitted the bugs #38553 and #38555 for both issues. If
you need more information, please let me know via bugzilla.
---------------------------------------------------------------------
Re: Tomcat and client certificates
Posted by Mark Thomas <ma...@apache.org>.
Markus wrote:
> Mark:
> Thank you for your link to the archive. It was my fault using the
> UserDatabase realm instead of the MemoryRealm. I'm using tomcat 5.0.28 -
> is it still the case in 5.5.x that you MUST use the MemoryRealm for
> clientcert authentication?
All realms should work with CLIENT-CERT. If they don't file a bug
report and I'll look into it.
> 3) When there is NO client certificate I get:
>
> HTTP Status 400 - No client certificate chain in this request
>
> 400 usually stands for a bad request or bad syntax. I believe in this case 401
> should be the appropriate reply.
Hmm. I guess this could be debatable.
> Is there any way to adjust the HTTP Status code for failed client-cert
> authentication?
No configuration option. I suspect it would require code changes.
Mark
---------------------------------------------------------------------
Re: Tomcat and client certificates
Posted by Markus <ax...@googlemail.com>.
Mark:
Thank you for your link to the archive. It was my fault using the
UserDatabase realm instead of the MemoryRealm. I'm using tomcat 5.0.28 -
is it still the case in 5.5.x that you MUST use the MemoryRealm for
clientcert authentication?
Anyway, there is still an issue when trying to access a restricted url
without the proper certificate:
1) When there is the RIGHT client certificate in the browser keystore:
it works :-)
2) When there is the WRONG client certificate I get:
HTTP Status 401 - Cannot authenticate with the provided credentials
(this is ok, too)
3) When there is NO client certificate I get:
HTTP Status 400 - No client certificate chain in this request
400 usually stands for a bad request or bad syntax. I believe in this case 401
should be the appropriate reply.
Is there any way to adjust the HTTP Status code for failed client-cert
authentication?
---------------------------------------------------------------------
Re: Tomcat and client certificates
Posted by David Delbecq <de...@oma.be>.
Markus wrote:
>Ok, when I set clientAuth to "want" the "Exception getting SSL Cert"
>goes away. (Wtf is this documented?).
>
Yes it is documented:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Section 'Edit the Tomcat Configuration File'
> But I still get the 403 - Access
>denied error.
>
>
This means the client didn't send a certificate or the certificate was not recognized.
>Here is how I added the users certificate to my realm:
>
>web.xml:
>
> <security-constraint>
> <web-resource-collection>
> <url-pattern>/html/*</url-pattern>
> <http-method>POST</http-method>
> <http-method>GET</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>myrole</role-name>
> </auth-constraint>
> <user-data-constraint/>
> </security-constraint>
>
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> </login-config>
>
> <security-role>
> <role-name>myrole</role-name>
> </security-role>
>
>tomcat-users.xml:
>
><tomcat-users>
> <role rolename="myrole"/>
> <user username="EMAILADDRESS=mark... , CN=markus...., OU=..., O=...
>, L=...., ST=... C=..." password="" roles="myrole"/>
></tomcat-users>
>
>As username I used exactly the cert.getSubjectDN().getName() String
>from the client certificate.
>
>
>Is this ok?
>
>
Did you escape the quote character of the subject line using &quot; ?
---------------------------------------------------------------------
Re: Tomcat and client certificates
Posted by Mark Thomas <ma...@apache.org>.
Markus wrote:
> Ok, when I set clientAuth to "want" the "Exception getting SSL Cert"
> goes away. (Wtf is this documented?). But I still get the 403 - Access
> denied error.
If you specify a user-data-constraint, you don't need to specify
clientAuth in the connector.
> As username I used exactly the cert.getSubjectDN().getName() String
> from the client certificate.
>
> Is this ok?
Should be fine. This thread might help too:
http://marc.theaimsgroup.com/?l=tomcat-user&m=107963922404774&w=2
Do you get prompted by your browser for a certificate?
Mark
---------------------------------------------------------------------
Re: Tomcat and client certificates
Posted by Markus <ax...@googlemail.com>.
Ok, when I set clientAuth to "want" the "Exception getting SSL Cert"
goes away. (Wtf is this documented?). But I still get the 403 - Access
denied error.
Here is how I added the users certificate to my realm:
web.xml:
<security-constraint>
<web-resource-collection>
<url-pattern>/html/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myrole</role-name>
</auth-constraint>
<user-data-constraint/>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<role-name>myrole</role-name>
</security-role>
tomcat-users.xml:
<tomcat-users>
<role rolename="myrole"/>
<user username="EMAILADDRESS=mark... , CN=markus...., OU=..., O=...
, L=...., ST=... C=..." password="" roles="myrole"/>
</tomcat-users>
As username I used exactly the cert.getSubjectDN().getName() String
from the client certificate.
Is this ok?
---------------------------------------------------------------------
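Markus's post above keys the realm entry on the exact cert.getSubjectDN().getName() string, and David's reply asks whether quote characters in that subject line were escaped for tomcat-users.xml. The following diagnostic servlet is an added example, not code from the thread or from the Tomcat project: it reads the certificate chain Tomcat exposes under the standard javax.servlet.request.X509Certificate request attribute, prints the legacy DN rendering next to the RFC 2253 rendering (which often differs, e.g. EMAILADDRESS= versus an OID), and emits a ready-to-paste, XML-escaped <user> line. It assumes Servlet 2.4 (Tomcat 5.0/5.5, javax.servlet packages), that the servlet is mapped to a URL outside the CLIENT-CERT constraint so it can be reached with or without a certificate, and the role name myrole from the thread.

```java
// Added diagnostic servlet (not part of the thread): shows the identity string that a
// Tomcat 5.x realm derives from the presented client certificate, so the exact value can
// be copied into tomcat-users.xml.  Assumes Servlet 2.4 / Tomcat 5.0 or 5.5 (javax.servlet).
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CertIdentityServlet extends HttpServlet {

    // Request attribute defined by the Servlet specification for the client chain (leaf first).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        if (!req.isSecure()) {
            out.println("Not an SSL/TLS connection; no client certificate can be present.");
            return;
        }

        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // The situation the thread reports as "No client certificate chain in this
            // request": the handshake completed but the browser presented no certificate
            // (what you see with clientAuth="want" and no matching cert in the browser store).
            out.println("No client certificate chain in this request.");
            return;
        }

        X509Certificate leaf = chain[0];
        // The string Markus used as the realm username, cert.getSubjectDN().getName();
        // the username attribute in tomcat-users.xml must match it character for character.
        String legacyName = leaf.getSubjectDN().getName();
        // RFC 2253 rendering of the same subject, shown only so the two are not confused:
        // it frequently differs (e.g. OID.1.2.840.113549.1.9.1=... instead of EMAILADDRESS=...).
        String rfc2253Name = leaf.getSubjectX500Principal().getName();

        out.println("Chain length             : " + chain.length);
        out.println("Issuer                   : " + leaf.getIssuerDN().getName());
        out.println("getSubjectDN().getName() : " + legacyName);
        out.println("X500Principal (RFC 2253) : " + rfc2253Name);
        out.println();
        out.println("Paste into tomcat-users.xml (attribute value already XML-escaped):");
        out.println("<user username=\"" + xmlAttr(legacyName)
                + "\" password=\"\" roles=\"myrole\"/>");
    }

    // Escapes the characters that are illegal inside a double-quoted XML attribute value.
    // A subject DN may legitimately contain '"' (e.g. a quoted CN with a comma in it) and
    // '&' or '<' in an e-mail or organisation name; left unescaped they make
    // tomcat-users.xml unparseable or silently truncate the username.
    static String xmlAttr(String s) {
        StringBuffer sb = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Request the servlet once with the certificate selected in the browser and once without: the first response gives the username line to paste, the second confirms that the connector (clientAuth="want") tolerates a missing certificate, which is the configuration the thread converged on.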
Re: Tomcat and client certificates
Posted by Mark Thomas <ma...@apache.org>.
Markus wrote:
> Setting clientAuth to true / false in the Connector configuration
> works fine, but how do I configure client authentication on a
> per-directory or even per-servlet basis?
<snip/>
> And here are the results I get:
>
> https://domain/anypage : OK
> https://domain/html/anypage : HTTP Status 403 - Access to the
> requested resource has been denied
Have you added the user's certificate to your realm?
Mark
---------------------------------------------------------------------