Posted to dev@tomcat.apache.org by PAPIREDDY Poreddy <Po...@CBSINC.COM> on 2001/01/12 16:58:06 UTC

unsubscribe me...
-----Original Message-----
From: jerome.camilleri@bull.net [mailto:jerome.camilleri@bull.net]
Sent: Friday, January 12, 2001 9:20 PM
To: tomcat-dev@jakarta.apache.org
Subject: possible problem with CLIENT-CERT login and security constraint on TOMCAT 4.0
Hi, 

I am trying to configure the TOMCAT server to authenticate clients with a certificate over the HTTPS protocol.

My connector is configured to accept requests on port 8443 like this:
    <Connector className="org.apache.catalina.connector.http.HttpConnector" 
               port="8443" minProcessors="5" maxProcessors="75" 
               acceptCount="10" debug="0" scheme="https" secure="true"> 
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory" 
               clientAuth="true" protocol="TLS" keystorePass="password1"/> 
    </Connector> 

My tomcat-users.xml file is configured with a new entry that matches the getSubjectDN().getName() of the client certificate used:
<tomcat-users> 
  <user name="tomcat" password="tomcat" roles="tomcat" /> 
  <user name="role1"  password="tomcat" roles="role1"  /> 
  <user name="both"   password="tomcat" roles="tomcat,role1" /> 
  <user name="OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr" password="tomcat" roles="tomcat,role1" />
</tomcat-users> 

I also uncommented the security constraint in my web.xml file, like this:
  <security-constraint> 
    <web-resource-collection> 
      <web-resource-name>The Entire Web Application</web-resource-name> 
      <url-pattern>/*</url-pattern> 
    </web-resource-collection> 
    <auth-constraint> 
      <role-name>tomcat</role-name> 
    </auth-constraint> 
  </security-constraint> 

  <login-config> 
    <auth-method>CLIENT-CERT</auth-method> 
    <realm-name>Tomcat Supported Realm</realm-name> 
  </login-config> 

  <security-role> 
    <description> 
      An example role defined in "conf/tomcat-users.xml" 
    </description> 
    <role-name>tomcat</role-name> 
  </security-role> 

My problem is that when I try to connect to my Tomcat server I always get the same message:
HTTP Error 403 - Forbidden

Possible reasons:
I tried to compare the BASIC authenticator and the CLIENT-CERT authenticator.
    * The BasicAuthenticator class registers a MemoryRealmPrincipal object returned by the MemoryRealm class
    * The SSLAuthenticator class registers a Principal object which is simply returned by the certs[0].getSubjectDN() method (and has no role associated)

When I modified the SSLAuthenticator class a little bit to look up in the MemoryRealm the MemoryRealmPrincipal associated with the username = certs[0].getSubjectDN().getName() (with no password), that seems to run better...

Excuse me if it's a known limitation, a bug already known, or bad settings...


Jérôme
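The difference between the two authenticators described in the mail above, shown as an added, self-contained Java example (not Tomcat's own code and not from the mail): a MemoryRealm-style lookup of the constructed tomcat-users.xml entries keyed by the certificate subject DN string, with the auth-constraint decision that produces the 403. It assumes a stand-in Principal in place of certs[0].getSubjectDN(), and it also shows that the lookup only works when the DN string is spelled exactly as the realm entry.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ClientCertRoleCheck {
    // Constructed copy of the relevant tomcat-users.xml entries from the mail.
    static final String TOMCAT_USERS =
        "<tomcat-users>"
        + "<user name=\"tomcat\" password=\"tomcat\" roles=\"tomcat\"/>"
        + "<user name=\"OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr\""
        + " password=\"tomcat\" roles=\"tomcat,role1\"/>"
        + "</tomcat-users>";

    /** Parse tomcat-users.xml into user name -> roles, the table a MemoryRealm consults. */
    static Map<String, Set<String>> loadUsers(String xml) throws Exception {
        Map<String, Set<String>> users = new HashMap<>();
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName("user");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element user = (Element) nodes.item(i);
            Set<String> roles = new HashSet<>();
            for (String r : user.getAttribute("roles").split(",")) roles.add(r.trim());
            users.put(user.getAttribute("name"), roles);
        }
        return users;
    }

    /** Behaviour the mail reports: the certificate subject is registered as-is, carrying no roles. */
    static Set<String> rolesWithoutRealmLookup(Principal certSubject) { return Collections.emptySet(); }

    /** Behaviour the mail proposes: use the subject DN string as the realm user name and take its roles. */
    static Set<String> rolesViaRealmLookup(Principal certSubject, Map<String, Set<String>> users) {
        return users.getOrDefault(certSubject.getName(), Collections.emptySet());
    }

    /** The auth-constraint decision: 403 unless the principal holds the required role. */
    static int httpStatus(Set<String> roles, String requiredRole) { return roles.contains(requiredRole) ? 200 : 403; }

    public static void main(String[] args) throws Exception {
        Map<String, Set<String>> users = loadUsers(TOMCAT_USERS);
        // Stand-in (assumption) for certs[0].getSubjectDN(): getName() yields the DN exactly as the realm entry spells it.
        Principal certSubject = () -> "OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr";
        System.out.println("no realm lookup: HTTP " + httpStatus(rolesWithoutRealmLookup(certSubject), "tomcat"));
        System.out.println("realm lookup:    HTTP " + httpStatus(rolesViaRealmLookup(certSubject, users), "tomcat"));
        // Any difference in DN spelling (attribute keyword, spacing) misses the realm entry, so no roles are found.
        Principal other = () -> "UID=mvittel,CN=michel vittel,O=frec.bull.fr";
        System.out.println("mismatched DN:   HTTP " + httpStatus(rolesViaRealmLookup(other, users), "tomcat"));
    }
}
```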