Posted to user@geronimo.apache.org by Jochen Zink <jo...@nepatec.de> on 2007/02/07 15:47:24 UTC

Authentication/Authorisation with client certificates

Hello,

First: I'm using Geronimo 1.1.1 with Tomcat.

I tried to secure a web application so that only clients with trusted
certificates are able to connect.

So I have defined a new HTTPS listener with a keystore that contains
the server certificate and private key, and a truststore with a trusted
certificate.

It is working pretty well. Only clients with the correct certificate can
connect.

Now I want to find out which certificate the current client has
connected with. With this information I want to authenticate the user.

A call to request.getUserPrincipal() or request.getRemoteUser() returns
null.

So I tried to configure a certificate security realm.

The realm seems to work. It is not possible to connect to the
application if I try to connect (over my own SSL listener) with a
certificate that is not trusted. But if I try to connect with a trusted
certificate, I get the exception you can see at the end of my post.

I don't know if I have to declare both things, an HTTPS listener with
client auth enabled and a certificate security realm. They seem to be
different things to me.

So, can anybody help me or know a solution with which the problem can
be solved?

Thanks to everyone who has read my post.



14:12:52,546 WARN  [TomcatGeronimoRealm] Login exception authenticating username "CN=Jochen Zink,OU=Privat,O=ganz Privat,L=Hannover,ST=Niedersachsen,C=DE"
javax.security.auth.login.LoginException: Error filling callback list
    at org.apache.geronimo.security.jaas.client.ServerLoginProxy.login(ServerLoginProxy.java:78)
    at org.apache.geronimo.security.jaas.client.JaasLoginCoordinator.performLogin(JaasLoginCoordinator.java:199)
    at org.apache.geronimo.security.jaas.client.JaasLoginCoordinator.login(JaasLoginCoordinator.java:120)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(TomcatGeronimoRealm.java:320)
    at org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(TomcatGeronimoRealm.java:279)
    at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:148)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:342)
    at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:31)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
Caused by: javax.security.auth.callback.UnsupportedCallbackException
    at org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler.handle(CertificateChainCallbackHandler.java:49)
    at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)
    at org.apache.geronimo.security.jaas.client.ServerLoginProxy.login(ServerLoginProxy.java:70)
    ... 29 more
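
The working half of the setup described in the post above (the HTTPS listener with a truststore, so the connector only completes the handshake for trusted client certificates) already makes the client's identity available to the web application: a Servlet container stores the validated chain in the standard request attribute javax.servlet.request.X509Certificate, independent of any security realm, and getUserPrincipal() stays null simply because no container login has taken place. The filter below is an added example, not code from this post or from Geronimo, that reads that attribute and exposes the certificate subject as the caller's principal. The package, class name, the 403 responses and the wrapper approach are this example's own choices, and it assumes a Servlet 2.4 (J2EE 1.4) container such as the Tomcat inside Geronimo 1.1.1. It deliberately stays out of JAAS, so the UnsupportedCallbackException in the trace (which a JAAS CallbackHandler throws when a login module hands it a Callback type it does not support) does not affect it.

```java
package example; // hypothetical package, chosen for this example

import java.io.IOException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Derives the caller's identity from the TLS client certificate that the
 * HTTPS connector already validated against its truststore, and exposes it
 * through getUserPrincipal()/getRemoteUser() to the rest of the web app.
 */
public class ClientCertIdentityFilter implements Filter {

    /** Standard Servlet attribute under which the container stores the chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only the connector that negotiated TLS can vouch for the chain. A
        // request arriving on a plain HTTP listener, or on an HTTPS listener
        // without client auth, carries no trustworthy client identity.
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (!request.isSecure() || certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }

        // certs[0] is the end-entity (client) certificate. The connector has
        // checked the chain against the truststore; re-checking the validity
        // period here costs nothing and catches a lenient connector setup.
        X509Certificate client = certs[0];
        try {
            client.checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate not valid: " + e.getMessage());
            return;
        }

        // RFC 2253 subject DN, e.g. "CN=Jochen Zink,OU=Privat,O=ganz Privat,...",
        // the same string form the realm logs as the username.
        final String dn = client.getSubjectX500Principal().getName(X500Principal.RFC2253);
        final Principal principal = new X500Principal(dn);

        // Hand the application a request whose principal is the certificate subject.
        chain.doFilter(new HttpServletRequestWrapper(request) {
            public Principal getUserPrincipal() { return principal; }
            public String getRemoteUser() { return dn; }
        }, response);
    }
}
```

Register the class in web.xml with a filter and a filter-mapping covering the protected URLs, and make sure only the connector with client auth enabled serves them. Two caveats: the filter gives the application an identity, not container-managed authorization, so security-constraint roles in web.xml still need a realm that understands certificates; and the identity must come only from this request attribute, never from a request header such as X-Client-Cert, which any client can set unless a trusted reverse proxy terminates TLS and strips it. The RFC 2253 form of the DN is the same string the WARN line above reports as the username, which makes it a convenient key for a user-to-role mapping.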


Re: Authentication/Authorisation with client certificates

Posted by Jochen Zink <jo...@nepatec.de>.
Hi Vamsi,

thanks for your answer.

Don't laugh, but I have developed my application with the help of the
article you sent to me ;).

But there is still one problem. I cannot download the samples.zip file
from the page (FileNotFound). Is there another location where I can
download the file? Maybe I can solve my problem with a working example
and find my bug.

Thanks a lot!

On Wed 07.02.2007 16:14, Vamsavardhana Reddy
<c1...@gmail.com> wrote:

> Hi Jochen,
>
> Have a look at the article at URL
>
> http://www-128.ibm.com/developerworks/websphere/library/techarticles/0606_chillakuru/0606_chillakuru.html
>
> Though this article was written for WAS CE 1.0.1.1 (equivalent to G
> 1.0 to some extent :o), it may have answers to some of your questions.
> I have verified some time ago that the scenarios in the sample
> applications work fine with G 1.1.1.
>
> Vamsi

Best regards
Jochen Zink

________________________________________________________
Jochen Zink

nepatec GmbH & Co. KG
Hindenburgstr. 37
30175 Hannover
Phone: 0511/935.946.51
Fax: 0511/935.946.57
Mail: jochen.zink@nepatec.de

nepatec GmbH & Co. KG
Registered office Hannover . Amtsgericht Hannover . HRA 200338
Personally liable partner:
Nepatec Verwaltungs-GmbH . Amtsgericht Hannover
HRB 200954 . Managing directors: Claudius Grieser .
Burkhard Gerlts . Jörg Neumann . Frank Nitze


Re: Authentication/Authorisation with client certificates

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
Hi Jochen,

Have a look at the article at URL
http://www-128.ibm.com/developerworks/websphere/library/techarticles/0606_chillakuru/0606_chillakuru.html

Though this article was written for WAS CE 1.0.1.1 (equivalent to G 1.0 to
some extent :o), it may have answers to some of your questions. I have
verified some time ago that the scenarios in the sample applications work
fine with G 1.1.1.

Vamsi
