Posted to users@tomcat.apache.org by Markus Linnemann <ma...@informatik.fh-gelsenkirchen.de> on 2005/04/27 15:36:40 UTC

client authentication doesn't work

Hi,

I try to authenticate to a web app by client cert.
I get this error message:
"HTTP Status 401 - Cannot authenticate with the provided credentials"

Here are my settings:

web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>certLogin.jsp</web-resource-name>
            <url-pattern>/idp/certLogin.jsp</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SourceIDuser</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>SourceID</realm-name>
    </login-config>

    <security-role>
        <description><![CDATA[SourceID Authenticated User]]></description>
        <role-name>SourceIDuser</role-name>
    </security-role>

tomcat.users:

<tomcat-users>
   <role rolename="SourceIDuser"/>
   <user username="E=markus.linnemann@informatik.fh-gelsenkirchen.de"
         password="null" roles="SourceIDuser"/>

   <user username="markus" password="test" roles="SourceIDuser"/>
</tomcat-users>

It works fine with Basic authentication!
And it works fine with only clientAuth="true" set.

But I only want to secure a part of my WebApp,
so clientAuth="true" is not helpful.

Any help would be greatly appreciated.
Markus


--
Markus Linnemann
ifis - Institut für Internet-Sicherheit, FH Gelsenkirchen
Tel.: 0209 9596 797
www.internet-sicherheit.de
 



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: client authentication doesn't work

Posted by Mark Thomas <ma...@apache.org>.
Your user entry in tomcat-users.xml needs to look something like this:

   <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB" 
password="null" roles="tomcat,certs"/>

Basically, the user name needs to be the CN on the user's cert.

Mark

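
The mismatch discussed in this thread, as an added example that is not from either poster and is not Tomcat code: it checks a tomcat-users.xml against a certificate's subject name and reports when an entry holds only one component of that name. It assumes the realm compares the whole subject DN string with the username attribute character for character; the function names and the sample DN and file are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data (not taken from the thread).
SUBJECT_DN = "E=user@example.org, CN=Example User, OU=Lab, O=Example, C=DE"
TOMCAT_USERS = """
<tomcat-users>
  <role rolename="SourceIDuser"/>
  <user username="E=user@example.org" password="null" roles="SourceIDuser"/>
  <user username="markus" password="test" roles="SourceIDuser"/>
</tomcat-users>
"""
# Same file with the certificate user's name replaced by the full subject DN.
FIXED_USERS = TOMCAT_USERS.replace(
    'username="E=user@example.org"', f'username="{SUBJECT_DN}"')


def split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def check_cert_user(users_xml, subject_dn, required_role):
    """Return (status, detail) for a certificate subject against tomcat-users.xml.

    Assumption: the realm looks the user up by the whole subject DN string,
    so the username attribute must equal it exactly.
    """
    rdns = split_rdns(subject_dn)
    partial = []
    for user in ET.fromstring(users_xml).iter("user"):
        name = user.get("username", "")
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        if name == subject_dn:
            if required_role in roles:
                return "ok", name
            return "missing-role", name
        if name in rdns:
            partial.append(name)  # only one component of the DN was entered
    if partial:
        return "partial-dn", partial[0]
    return "no-entry", None


if __name__ == "__main__":
    print(check_cert_user(TOMCAT_USERS, SUBJECT_DN, "SourceIDuser"))
    print(check_cert_user(FIXED_USERS, SUBJECT_DN, "SourceIDuser"))
```

The subject string to paste into the username attribute should be the one the Java runtime reports for the certificate, since spacing and attribute labels can differ between tools.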