Posted to users@tomcat.apache.org by Markus Linnemann <ma...@informatik.fh-gelsenkirchen.de> on 2005/04/27 15:36:40 UTC
client authentication don´t work
Hi,
I try to authenticate to a web app by client cert.
I get this error message:
"HTTP Status 401 - Cannot authenticate with the provided credentials"
Here are my settings:
web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>certLogin.jsp</web-resource-name>
    <url-pattern>/idp/certLogin.jsp</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SourceIDuser</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>SourceID</realm-name>
</login-config>

<security-role>
  <description><![CDATA[SourceID Authenticated User]]></description>
  <role-name>SourceIDuser</role-name>
</security-role>
tomcat.users:
<tomcat-users>
  <role rolename="SourceIDuser"/>
  <user
    username="E=markus.linnemann@informatik.fh-gelsenkirchen.de"
    password="null" roles="SourceIDuser"/>
  <user username="markus" password="test" roles="SourceIDuser"/>
</tomcat-users>
It works fine with Basic authentication!
And it works fine with only clientAuth="true" set.
But I only want to secure a part of my WebApp,
so clientAuth="true" is not helpful.
Any help would be greatly appreciated.
Markus
--
Markus Linnemann
ifis - Institut für Internet-Sicherheit, FH Gelsenkirchen
Tel.: 0209 9596 797
www.internet-sicherheit.de
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: client authentication don´t work
Posted by Mark Thomas <ma...@apache.org>.
Your user entry in tomcat-users.xml needs to look something like this:
<user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB"
password="null" roles="tomcat,certs"/>
Basically, the user name needs to be the CN on the user's cert.
Mark
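Added example, not part of the original thread or of Tomcat: a small check that compares the username attributes in a tomcat-users document against a certificate's subject DN and flags entries that hold only one component of it, like the "E=..." entry in the question. It assumes the realm looks the user up by the full subject DN string exactly as written, as the entry in the reply suggests; the DN, the user entries and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def split_rdns(dn):
    """Split a DN on unquoted, unescaped commas into (TYPE, value) pairs."""
    parts, quoted, escaped = [[]], False, False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append([])
            continue
        parts[-1].append(ch)
    pairs = ["".join(p).strip().partition("=") for p in parts]
    return [(k.strip().upper(), v.strip().lower()) for k, _, v in pairs]

def check_users(subject_dn, users_xml):
    """Return (username, verdict) for each <user> in a tomcat-users document."""
    wanted = split_rdns(subject_dn)
    results = []
    for user in ET.fromstring(users_xml).iter("user"):
        name = user.get("username", "")
        got = split_rdns(name)
        if name == subject_dn:
            verdict = "match"
        elif got == wanted:
            verdict = "same DN, different spacing or case"
        elif "=" in name and {v for _, v in got} <= {v for _, v in wanted}:
            verdict = "partial DN"
        else:
            verdict = "no relation"
        results.append((name, verdict))
    return results

# Constructed sample data, not taken from the thread.
SUBJECT_DN = "EMAILADDRESS=user@example.org, CN=Example User, C=DE"
USERS_XML = """<tomcat-users>
  <user username="E=user@example.org" password="null" roles="SourceIDuser"/>
  <user username="alice" password="test" roles="SourceIDuser"/>
  <user username="emailaddress=user@example.org,CN=Example User,C=DE" password="null" roles="SourceIDuser"/>
  <user username="EMAILADDRESS=user@example.org, CN=Example User, C=DE" password="null" roles="SourceIDuser"/>
</tomcat-users>"""

if __name__ == "__main__":
    for name, verdict in check_users(SUBJECT_DN, USERS_XML):
        print(f"{verdict:36} {name}")
```

Only the entry reported as "match" would be found under the exact-match assumption; the DN to compare against can be read from the Owner line of keytool -printcert for the client certificate.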