Posted to users@tomcat.apache.org by Peter Armstrong <Pe...@ibiomatics.com> on 2002/05/04 05:25:48 UTC
Does CLIENT-CERT work?
alright, i've spent most of the day on this - i'm running tomcat 4.0.3
with a JNDIRealm and i CANNOT get CLIENT-CERT authentication to work.
- i have a client cert installed in IE
- web.xml is set to CLIENT-CERT
- IE is including the cert chain in the request
- Tomcat validates the cert chain
- I always get 'Cannot authenticate with the provided credentials'
i dove into the source code only to realize the
JNDIRealm.getPrincipal(String username) always returns null. JDBCRealm
is the same - sorry, but i must be missing something - how can
client-cert authentication work if the cert is never authenticated
against the realm? any info would be greatly appreciated. code path is
shown below:
SSLAuthenticator ----

    public boolean authenticate(HttpRequest request,
                                HttpResponse response,
                                LoginConfig config)
    ...
        // Authenticate the specified certificate chain
        principal = context.getRealm().authenticate(certs);
        if (principal == null) {
            if (debug >= 1)
                log(" Realm.authenticate() returned false");
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                           sm.getString("authenticator.unauthorized"));
            return (false);
        }

RealmBase ---- (this method does not exist on JNDIRealm)

    public Principal authenticate(X509Certificate certs[]) {
        ...
        // Check the existence of the client Principal in our database
        return (getPrincipal(certs[0].getSubjectDN().getName()));
    }

JNDIRealm ---- (abstract on RealmBase)

    protected Principal getPrincipal(String username) {
        return (null);
    }
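As an added example (not part of the original post and not Tomcat's code), here is a stand-alone Java model of the code path quoted above: a validated chain is not enough, because the realm must still map the leaf certificate's subject DN to a known principal. The class names, the DN table and the sample DNs are assumptions made for illustration, and the model takes the DN as a string where the quoted code reads it from certs[0].getSubjectDN().getName().

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

// Stand-alone model of the quoted flow; these are NOT Tomcat classes.
public class ClientCertRealmModel {

    // Mirrors the quoted RealmBase step: the leaf certificate's subject DN is
    // handed to getPrincipal(), and a null result means "not authenticated".
    abstract static class ModelRealm {
        Principal authenticate(String leafSubjectDn) {
            if (leafSubjectDn == null || leafSubjectDn.isEmpty()) return null;
            return getPrincipal(leafSubjectDn);
        }
        protected abstract Principal getPrincipal(String username);
    }

    // Behaves like the getPrincipal() quoted in the post: always null.
    static class NullLookupRealm extends ModelRealm {
        protected Principal getPrincipal(String username) { return null; }
    }

    // Hypothetical realm that resolves the DN against a table of known users.
    static class DnTableRealm extends ModelRealm {
        private final Map<String, Principal> users = new HashMap<>();

        void addUser(String subjectDn) {
            X500Principal p = new X500Principal(subjectDn);
            // Canonical form avoids mismatches on case and spacing between RDNs.
            users.put(p.getName(X500Principal.CANONICAL), p);
        }
        protected Principal getPrincipal(String username) {
            try {
                return users.get(new X500Principal(username).getName(X500Principal.CANONICAL));
            } catch (IllegalArgumentException e) {
                return null; // malformed DN: fail closed
            }
        }
    }

    public static void main(String[] args) {
        String presented = "CN=Test User, OU=Dev, O=Example, C=US"; // constructed sample DN
        DnTableRealm table = new DnTableRealm();
        table.addUser("cn=test user,ou=dev,o=example,c=us"); // constructed directory entry
        System.out.println("null-lookup realm: " + new NullLookupRealm().authenticate(presented));
        System.out.println("DN-table realm:    " + table.authenticate(presented));
        System.out.println("unknown subject:   " + table.authenticate("CN=Someone Else, O=Example, C=US"));
    }
}
```

Only the DN-table realm returns a principal, and only for the subject it knows; every other case returns null, which is the condition the quoted SSLAuthenticator turns into SC_UNAUTHORIZED.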