Re: TLS 1.3 and post handshake authentication (PHA)

2025-06-19 Thread Amit Pande
Thank you Mark for the clarification. Thanks, Amit From: Mark Thomas Sent: Friday, June 13, 2025 12:57 PM To: users@tomcat.apache.org Subject: Re: TLS 1.3 and post handshake authentication (PHA) On 13/06/2025 18:26, Amit Pande wrote: > Hello, > > W

Bugzilla now requires authentication

2025-06-19 Thread Mark Thomas
sable for the community, the ASF has - with regret - configured all ASF Bugzilla instances to require authentication in order to access them. If you need to search bugs, view a bug report, report a bug or otherwise interact with Bugzilla, you will need to login in first. If you don't h

Re: TLS 1.3 and post handshake authentication (PHA)

2025-06-13 Thread Mark Thomas
ina-exec-1] org.apache.tomcat.util.net.SSLUtilBase. The JSSE TLS 1.3 implementation does not support post handshake authentication (PHA) and is therefore incompatible with optional certificate authentication Looking at : https://www.rfc-editor.org/rfc/rfc8740.html Seems like the TLS1.3 does not support P

TLS 1.3 and post handshake authentication (PHA)

2025-06-13 Thread Amit Pande
. The JSSE TLS 1.3 implementation does not support post handshake authentication (PHA) and is therefore incompatible with optional certificate authentication Looking at : https://www.rfc-editor.org/rfc/rfc8740.html Seems like the TLS1.3 does not support PHA only in case of HTTP/2 and not for HT

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-29 Thread My Subs
>>> subject=CN = localhost >>> issuer=CN = localhost >>> --- >>> No client certificate CA names sent >>

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-22 Thread Christopher Schultz
Christopher Schultz wrote --- Alex, On 5/9/25 2:11 PM, My Subs wrote: I have tested on Tomcat 10.1.40 with Native Library 1.3.1 running on JDK 21.0.7+6. The result is exactly the same as described before. The connector below works well with client aut

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-21 Thread My Subs
this is my current : >> >> protocol="HTTP/1.1" >> port="8443" >> SSLEnabled="true" >> max

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-21 Thread Christopher Schultz
25 13:46:35 -0500 Christopher Schultz wrote --- Alex, On 5/9/25 2:11 PM, My Subs wrote: I have tested on Tomcat 10.1.40 with Native Library 1.3.1 running on JDK 21.0.7+6. The result is exactly the same as described before. The connector below

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-21 Thread My Subs
> protocols="TLSv1.3" > certificateVerification="required" > caCertificatePath="tls/client/certs-ca" > certificateRevocationListPath="tls/client

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-21 Thread Christopher Schultz
Native Library 1.3.1 running on JDK 21.0.7+6. The result is exactly the same as described before. The connector below works well with client authentication, until I add the caCertificatePath attribute. There are no error messages in the logs. Thanks for confirming that. It probably does not mat

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-19 Thread My Subs
, 09 May 2025 13:46:35 -0500 Christopher Schultz wrote --- Alex, On 5/9/25 2:11 PM, My Subs wrote: > I have tested on Tomcat 10.1.40 with Native > Library 1.3.1 running on JDK 21.0.7+6. The result is exactly the > same as described before. The connector below works well with clie

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-09 Thread Christopher Schultz
Alex, On 5/9/25 2:11 PM, My Subs wrote: I have tested on Tomcat 10.1.40 with Native Library 1.3.1 running on JDK 21.0.7+6. The result is exactly the same as described before. The connector below works well with client authentication, until I add the caCertificatePath attribute. There are no

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-09 Thread My Subs
Hello Chuck, I have tested on Tomcat 10.1.40 with Native Library 1.3.1 running on JDK 21.0.7+6. The result is exactly the same as described before. The connector below works well with client authentication, until I add the caCertificatePath attribute. There are no error messages in the logs

Re: Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-07 Thread Chuck Caldarale
> On 2025 May 7, at 11:43, My Subs wrote: > > I'm setting up certificate client authentication on Tomcat 10.0.0 > running on Java 16+36. Before doing anything else, you need to upgrade. That version of Tomcat is over 4 years old, and no 10.0.x version is currently supp

Adding a CRL to certificate client authentication causes connector to stop responding to all requests having a client certificate.

2025-05-07 Thread My Subs
Hello, I'm setting up certificate client authentication on Tomcat 10.0.0 running on Java 16+36. I'm having trouble getting it to work with a CRL. My SSL connector is: In my PKI setup (using OpenSSL), I have a root CA (cert: r

Re: Custom error page for invalid mutual authentication (TLS)

2025-02-11 Thread Christopher Schultz
handshake but then refuse the user via HTTP. It's a lot more work, but it's definitely possible. -chris On 06.02.2025 18:59, Peter Rader wrote: Hi, I have a website that uses mutual authentication for over 100 persons, very successfully for years. Sometimes a client-certificate

Re: Custom error page for invalid mutual authentication (TLS)

2025-02-07 Thread Sebastian Trost
n your app, if the client provided a valid certificate and redirect them to an error page if that is not the case. Source: https://stackoverflow.com/a/46488689/1180010 Sebastian On 06.02.2025 18:59, Peter Rader wrote: Hi, I have a website that uses mutual authentication for over 100 perso

Custom error page for invalid mutual authentication (TLS)

2025-02-06 Thread Peter Rader
Hi, I have a website that uses mutual authentication for over 100 persons, very successfully for years. Sometimes a client-certificate in the truststore of the server must be deactivated, maybe the person died or his/her device got pinched. As soon as the user accesses the website using a browser

[SECURITY] CVE-2024-52316 Apache Tomcat - Authentication Bypass

2024-11-18 Thread Mark Thomas
CVE-2024-52316 Apache Tomcat - Authentication Bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M26 Apache Tomcat 10.1.0-M1 to 10.1.30 Apache Tomcat 9.0.0-M1 to 9.0.95 Description: If Tomcat was configured to use a custom Jakarta

Re: Regression in mutual authentication in 9.0.86+?

2024-03-21 Thread Mark Thomas
f the trust/key store has changes. 3. Perform a mutual client authentication using a client certificate signed by the CA used in step 1. Still a bit puzzled in such a case there was no SSL handshake failure at Tomcat level but request made it to application and failed (due to

RE: Regression in mutual authentication in 9.0.86+?

2024-03-21 Thread Amit Pande
orm a mutual client authentication using a client certificate signed by the CA used in step 1. Still a bit puzzled in such a case there was no SSL handshake failure at Tomcat level but request made it to application and failed (due to empty javax.servlet.request.X509Certificate). One follow-up que

Re: What future plans are for Tomcat authentication

2024-03-20 Thread Mark Thomas
On 20/03/2024 06:22, Mircea Butmalai wrote: Questions are: 1. Is Jakarta Authentication specification going to replace the authentication part of Jakarta Servlet specification? Unlikely. 2. Are current authenticators from Tomcat (FORM, SPNEGO, SSL, HTTP DIGEST, HTTP BASIC, SSO

What future plans are for Tomcat authentication

2024-03-19 Thread Mircea Butmalai
Hello, I am asking these questions on the Tomcat Users mailing list in order to find answers about how users and developers of Tomcat see the topic I am describing. In Jakarta EE there is work for Jakarta Authentication (which reached 3.1 in development), formerly JASPIC, which Tomcat has an implementation

Re: Regression in mutual authentication in 9.0.86+?

2024-03-18 Thread Mark Thomas
I've just tested 9.0.x and mutual TLS authentication appears to be working as expected. I suggest starting with testing a simple JSP that echoes that attribute and if you still see the issue, provide us with your configuration. Note that the issue may be related to the certs you are usi

Regression in mutual authentication in 9.0.86+?

2024-03-14 Thread Amit Pande
Hello all, I have upgraded the Tomcat version from 9.0.85 to 9.0.86 (and tried with 9.0.87 too). Some of our tests which involve mutual authentication ("certificateVerification = optional") have started to fail. In tests where the client does pass the certificate, I didn

Re: Need Help : Tomcat 9.0.75 not honoring session timeout configured in tomcat web.xml for FORM Authentication

2023-10-27 Thread Christopher Schultz
Channa, On 10/27/23 00:07, Channa Puchakayala wrote: Tomcat Version : 9.0.75 Operating System: Windows and Linux Bits: 64 Tomcat 9.0.75 not honoring session timeout configured in tomcat/conf/web.xml for FORM Authentication and it is affecting customers

Re: Need Help : Tomcat 9.0.75 not honoring session timeout configured in tomcat web.xml for FORM Authentication

2023-10-26 Thread Mark Thomas
2023 05:07:20 Channa Puchakayala : Hi All, Tomcat Version : 9.0.75 Operating System: Windows and Linux Bits: 64 Tomcat 9.0.75 not honoring session timeout configured in tomcat/conf/web.xml for FORM Authentication and it is affecting customers. ==

Need Help : Tomcat 9.0.75 not honoring session timeout configured in tomcat web.xml for FORM Authentication

2023-10-26 Thread Channa Puchakayala
Hi All, Tomcat Version : 9.0.75 Operating System: Windows and Linux Bits: 64 Tomcat 9.0.75 not honoring session timeout configured in tomcat/conf/web.xml for FORM Authentication and it is affecting customers. == 30 // 30 minutes

[SECURITY] [CORRECTION] CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Authentication Bypass

2023-09-28 Thread Christopher Schultz
CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Authentication Bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat Connectors mod_jk Connector 1.2.0 to 1.2.48 Description: In some circumstances, such as when a configuration included "JkOp

Re: How to setup client certificate based authentication in Tomcat 9

2023-05-23 Thread Christopher Schultz
ere. We want to apply client certificate authentication only for one of the processes that only Application B will invoke using the above URL. This ^^^ is the important part. Are you using a reverse-proxy, or are clients connecting directly to Tomcat? Thus, we are looking at: - 1) Applying cli

RE: How to setup client certificate based authentication in Tomcat 9

2023-05-02 Thread Patkar Omkar Anant
re are several custom processes deployed and multiple clients invoke multiple processes available with Camunda,... hence this is the dynamic part here. We want to apply client certificate authentication only for one of the processes that only Application B will invoke using the above URL. Thus,

Re: How to setup client certificate based authentication in Tomcat 9

2023-04-26 Thread Christopher Schultz
Parkar, On 4/26/23 10:34, Patkar Omkar Anant wrote: I am a bit of a newbie to this domain of client certificate-based authentication. We have two applications … A(server) and B(client). Web application A runs on Apache Tomcat 9.0.52. (it’s a REST API based application). Application B invokes the

How to setup client certificate based authentication in Tomcat 9

2023-04-26 Thread Patkar Omkar Anant
Hi, I am a bit of a newbie to this domain of client certificate-based authentication. We have two applications … A(server) and B(client). Web application A runs on Apache Tomcat 9.0.52. (it’s a REST API based application). Application B invokes the rest api of application A. Now we want to

Re: Tomcat client certificate authentication

2023-02-01 Thread Christopher Schultz
3 04:21, Dave Breeze wrote: Thanks Chris the application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening No, the server is requesting the certificate information; the application is not. From your original posting: On 1/28

AW: Tomcat client certificate authentication

2023-02-01 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Dave, > -Original Message- > From: Dave Breeze > Sent: Wednesday, 1 February 2023 12:17 > To: Tomcat Users List > Subject: Re: Tomcat client certificate authentication > > Chris > thanks for your mail > Apologies for confusion. Yes I

Re: Tomcat client certificate authentication

2023-02-01 Thread Dave Breeze
reeze Linkedin:https://uk.linkedin.com/in/dabreeze On Mon, 30 Jan 2023 at 15:41, Christopher Schultz < ch...@christopherschultz.net> wrote: > Dave, > > On 1/30/23 04:21, Dave Breeze wrote: > > Thanks Chris > > the application is requesting certificate authentication - and

Re: Tomcat client certificate authentication

2023-01-30 Thread Christopher Schultz
Dave, On 1/30/23 04:21, Dave Breeze wrote: Thanks Chris the application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening No, the server is requesting the certificate information; the application is not. From your

Re: Tomcat client certificate authentication

2023-01-30 Thread Dave Breeze
Thanks Chris the application is requesting certificate authentication - and this is working - it is just the mapping of users to roles that is not happening I implemented an org.apache.catalina.realm.X509UsernameRetriever and configured using X509UsernameRetrieverClassName but it was never

Re: Tomcat client certificate authentication

2023-01-29 Thread Christopher Schultz
l. What am I missing here? If the application does not request authentication, Tomcat will not perform it on behalf of the application. If you want a Principal and to be able to check roles, etc. then you'll need to request CLIENT-CERT authenticat

Tomcat client certificate authentication

2023-01-28 Thread Dave Breeze
Hi, this is Tomcat 9.0 running embedded. I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role. The connector has sslCon.setProperty("clientAuth", "required"); The context has a co

Re: Apache Tomcat 10.0.27 - UML sequence diagram of the authentication process

2023-01-09 Thread Alexander Ghyoot
uence diagram of the authentication process Alexander, On 1/9/23 07:21, Alexander Ghyoot wrote: > For my thesis, I'm looking into access control in open-source software and am > curious how the authentication process works in the Apache Tomcat (10.0.27) > architecture. However, t

Re: Apache Tomcat 10.0.27 - UML sequence diagram of the authentication process

2023-01-09 Thread Mark Thomas
On 09/01/2023 18:43, Christopher Schultz wrote: Alexander, On 1/9/23 07:21, Alexander Ghyoot wrote: For my thesis, I'm looking into access control in open-source software and am curious how the authentication process works in the Apache Tomcat (10.0.27) architecture. However

Re: Apache Tomcat 10.0.27 - UML sequence diagram of the authentication process

2023-01-09 Thread Christopher Schultz
Alexander, On 1/9/23 07:21, Alexander Ghyoot wrote: For my thesis, I'm looking into access control in open-source software and am curious how the authentication process works in the Apache Tomcat (10.0.27) architecture. However, the documentation on this seems incomplete. The PNG

Apache Tomcat 10.0.27 - UML sequence diagram of the authentication process

2023-01-09 Thread Alexander Ghyoot
Dear, For my thesis, I'm looking into access control in open-source software and am curious how the authentication process works in the Apache Tomcat (10.0.27) architecture. However, the documentation on this seems incomplete. The PNG is a screenshot of the image, only half shown, the li

Re: Secondary Authentication method for application

2022-07-20 Thread Christopher Schultz
Tim, On 7/12/22 10:09, Tim K wrote: Hello, I currently have a custom realm in Tomcat 9 that uses form authentication (j_username/j_password POST to j_security_check). I'm looking to create a secondary way to establish an authenticated session. I want to allow trusted sources to be ab

Re: Secondary Authentication method for application

2022-07-14 Thread Tim K
On Wed, Jul 13, 2022 at 10:21 AM EXT-Denton, Sam T wrote: > > This may help you: > https://stackoverflow.com/questions/15742580/how-to-programmatically-login-to-j-security-check > > Sam Denton > Advisor, Solutions Architect > Mobile (314) 827-4017 > 24x7 SBS Support (405) 312-9936 > Thanks for th

Secondary Authentication method for application

2022-07-12 Thread Tim K
Hello, I currently have a custom realm in Tomcat 9 that uses form authentication (j_username/j_password POST to j_security_check). I'm looking to create a secondary way to establish an authenticated session. I want to allow trusted sources to be able to POST a username param to a specifi

Re: issue with Form based authentication

2021-12-30 Thread Christopher Schultz
Mark, Rajendra, On 12/30/21 06:13, Mark Thomas wrote: This is an application design issue, not a Tomcat issue. FORM auth is not intended / designed to work in the following scenario: - user is not authenticated - multiple, concurrent requests are made for resources requiring   authentication

Re: issue with Form based authentication

2021-12-30 Thread Mark Thomas
This is an application design issue, not a Tomcat issue. FORM auth is not intended / designed to work in the following scenario: - user is not authenticated - multiple, concurrent requests are made for resources requiring authentication You need to design the application in such a way that

RE: issue with Form based authentication

2021-12-30 Thread Rathore, Rajendra
: issue with Form based authentication Importance: High Hi Team, We are facing a weird issue with Tomcat Form based authentication; I will try to explain the scenario below: the issue is reproducible in specific conditions, when browser cache is disabled and cleared out before session timeout

issue with Form based authentication

2021-12-30 Thread Rathore, Rajendra
Hi Team, We are facing a weird issue with Tomcat Form based authentication; I will try to explain the scenario below: the issue is reproducible in specific conditions, when browser cache is disabled and cleared out before session timeout. In these conditions, after session timeout, when the user

Re: AW: JASPIC Provider for FORM based Authentication

2021-12-03 Thread Christopher Schultz
Mark, On 12/3/21 05:29, Mark Thomas wrote: On 03/12/2021 10:00, Keil, Matthias (ORISA Software GmbH) wrote: Hi Mark, sorry for the late reply. Unfortunately I was sick. Thanks for your advice. The error was in front of the computer 😉. I had misspelled the context path in the appContext Now

Re: AW: JASPIC Provider for FORM based Authentication

2021-12-03 Thread Mark Thomas
Authentication On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: Hello everyone, I take up a topic of my own again. The point there was that I would like to accommodate both the configuration and the actual Server Auth module within the application. That worked well with your advice

AW: JASPIC Provider for FORM based Authentication

2021-12-03 Thread Keil, Matthias (ORISA Software GmbH)
Sent: Monday, 22 November 2021 18:28 To: users@tomcat.apache.org Subject: Re: JASPIC Provider for FORM based Authentication On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: > Hello everyone, > > I take up a topic of my own again. The point there was that I woul

AW: JASPIC Provider for FORM based Authentication

2021-12-03 Thread Keil, Matthias (ORISA Software GmbH)
-Original Message- From: Mark Thomas Sent: Monday, 22 November 2021 18:28 To: users@tomcat.apache.org Subject: Re: JASPIC Provider for FORM based Authentication On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: > Hello everyone, > > I take up a to

Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-24 Thread Mark Thomas
On 24/11/2021 08:06, Mark Thomas wrote: On 23/11/2021 20:42, Michael B Allen wrote: On Tue, Nov 23, 2021 at 2:59 PM Thomas Hoffmann (Speed4Trade GmbH) wrote: Short Addendum: The "destroyed" flag gets set, when the dispose-method of the GSSCredentialImpl was invoked. Currently, I have no clu

AW: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-24 Thread Thomas Hoffmann (Speed4Trade GmbH)
tings, Thomas -Original Message- From: Michael B Allen Sent: Tuesday, 23 November 2021 21:42 To: Tomcat Users List Subject: Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime On Tue, Nov 23, 2021 at 2:59 PM Thomas Hof

Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-24 Thread Mark Thomas
On 23/11/2021 20:42, Michael B Allen wrote: On Tue, Nov 23, 2021 at 2:59 PM Thomas Hoffmann (Speed4Trade GmbH) wrote: Short Addendum: The "destroyed" flag gets set, when the dispose-method of the GSSCredentialImpl was invoked. Currently, I have no clue when and how it happens, but I have see

Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-23 Thread Michael B Allen
On Tue, Nov 23, 2021 at 2:59 PM Thomas Hoffmann (Speed4Trade GmbH) wrote: > > Short Addendum: > > The "destroyed" flag gets set, when the dispose-method of the > GSSCredentialImpl was invoked. > Currently, I have no clue when and how it happens, but I have seen this > problem every few months. >

AW: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-23 Thread Thomas Hoffmann (Speed4Trade GmbH)
021 20:51 To: Tomcat Users List Subject: AW: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime Hello Mike, I checked the latest Java 17 sources, the IllegalStateException is still there: https://github.com/openjdk/jdk/blob/jdk-17%2B35/src/java.securit

AW: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-23 Thread Thomas Hoffmann (Speed4Trade GmbH)
mpatibility to other tools if a checked exception is used. Btw: you are right, the authentication is done via Kerberos. For role assignment, LDAP is used in combination in our case. Thanks! Thomas -Original Message- From: Michael B Allen Sent: Tuesday, 23 November 2021 17:32 A

Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-23 Thread Michael B Allen
On Mon, Nov 22, 2021 at 2:39 AM Thomas Hoffmann (Speed4Trade GmbH) wrote: > Would it be better to also catch IllegalStateException and instead of > checking left == 0 to change it to left <= 0 ? I would argue that this is a bug in JGSS. JGSS has been a comedy of errors over the years. I thought

AW: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-23 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Mark, thank you very much for your lightning speed fix and answer 😊 Have a nice day, Thomas -Original Message- From: Mark Thomas Sent: Monday, 22 November 2021 18:44 To: users@tomcat.apache.org Subject: Re: Authentication with Browser stopped working / missing

Re: Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-22 Thread Mark Thomas
On 22/11/2021 07:38, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello, we are using apache-tomcat-9.0.54 with LDAP authentication under Windows 2012R2. One of the users complained that access with Firefox stopped working. Would it be better to also catch IllegalStateException and instead of

Re: JASPIC Provider for FORM based Authentication

2021-11-22 Thread Mark Thomas
provider in the jaspic-providers.xml file limits the JASPIC configuration to a single web application. 2. OR there is an AuthConfigProvider that could implement the FORM based authentication. Not that I am aware of. Mark - To

JASPIC Provider for FORM based Authentication

2021-11-22 Thread Keil, Matthias (ORISA Software GmbH)
dynamically by implementing an AuthConfigProvider). Now here are my questions: 1. Is there a possibility to activate the JASPIC provider for only one of the two applications? 2. OR there is an AuthConfigProvider that could implement the FORM based authentication. thanks in advance Matthias

Authentication with Browser stopped working / missing exception handling in getRemainingLifetime

2021-11-21 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello, we are using apache-tomcat-9.0.54 with LDAP authentication under Windows 2012R2. One of the users complained that access with Firefox stopped working. Looking into the logs I could find the following message: java.lang.IllegalStateException: This credential is no longer

[SECURITY] CVE-2021-30640 Apache Tomcat JNDI realm authentication weakness

2021-07-12 Thread Mark Thomas
CVE-2021-30640 JNDI Realm Authentication Weakness Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.5 Apache Tomcat 9.0.0.M1 to 9.0.45 Apache Tomcat 8.5.0 to 8.5.65 Apache Tomcat 7.0.0 to 7.0.108 Description: Queries made by the JNDI Realm

Re: Questions about Integrated Windows Authentication

2021-06-28 Thread Carsten Klein
icate external users in a reverse proxy and have it pass the user ID to Tomcat rather than have Tomcat do the authentication. I read about that somewhere some months ago. However, I don't know how to get the authentication from the reverse proxy (my Tomcat already runs behind an Apache

Re: Questions about Integrated Windows Authentication

2021-06-28 Thread Mark Thomas
On 28/06/2021 10:36, Carsten Klein wrote: Hi there, I have two questions about Tomcat's Integrated Windows Authentication: Tomcat is stuck on version 7.0.52 on an outdated Ubuntu 14.04 LTS. Note that Tomcat 7 is no longer supported. 1. useDelegatedCredential = true I'm using

Questions about Integrated Windows Authentication

2021-06-28 Thread Carsten Klein
Hi there, I have two questions about Tomcat's Integrated Windows Authentication: Tomcat is stuck on version 7.0.52 on an outdated Ubuntu 14.04 LTS. 1. useDelegatedCredential = true I'm using JNDIRealm together with the SPNEGO authenticator. If the Realm's option 'useDel

Re: Can we get Digest Authentication with TOMCAT 7

2021-01-14 Thread Christopher Schultz
March 2021. Currently we are using the BASIC Authentication for the Manager and tomcat web application. Can we migrate and use DIGEST Authentication for the same ? Yes. What are the suggested and recommended way to implement and using DIGEST Authentication with TOMCAT 7 web applications? Simply

Re: Can we get Digest Authentication with TOMCAT 7

2021-01-13 Thread Mark Thomas
using the BASIC Authentication for the Manager and tomcat > web application. > Can we migrate and use DIGEST Authentication for the same ? Yes. > What are the > suggested and recommended way to implement and using DIGEST Authentication > with TOMCAT 7 web applications? Simply replac

Can we get Digest Authentication with TOMCAT 7

2021-01-13 Thread Ravi Kumar
Hi Tomcat Team, I am using a Tomcat based webserver container for our web application. All the deployment and other tasks are taken care of using TOMCAT 7.10.105. Currently we are using the BASIC Authentication for the Manager and tomcat web application. Can we migrate and use DIGEST Authentication for

Re: Tomcat JDBCRealm using DIGEST authentication not producing the expected HASH using a SALT

2020-07-02 Thread Hugh Roberts
-a SHA-1 -s 0 > > SALTpassword* > > *SALTpassword:86a0e40af8c1a0e970f9432bee75bcc886145440* (the other > formats > > for using the SALT do not produce a matching HASH - > > UserName:Realm:Password) BUT we cannot authenticate when using the Tomcat > > authenticatio

Re: Tomcat JDBCRealm using DIGEST authentication not producing the expected HASH using a SALT

2020-07-02 Thread Mark Thomas
igest.bat -a SHA-1 -s 0 > SALTpassword* > *SALTpassword:86a0e40af8c1a0e970f9432bee75bcc886145440* (the other formats > for using the SALT do not produce a matching HASH - > UserName:Realm:Password) BUT we cannot authenticate when using the Tomcat > authentication form in the browser. The password hash i

Tomcat JDBCRealm using DIGEST authentication not producing the expected HASH using a SALT

2020-07-02 Thread Hugh Roberts
uce a matching HASH - UserName:Realm:Password) BUT we cannot authenticate when using the Tomcat authentication form in the browser. The password hash is not matching. We cannot tell how the form is using the SALT to hash the password to see where the issue is. Can you tell us exactly how T

Re: Tomcat 7.x.x, 8.x.x, 8.5.x and 9.x.x: Session serialization w/o authentication related information

2019-12-02 Thread Carsten Klein
On 01/12/2019 23:04, Mark Thomas wrote: I'm with you. And likely our setup is special in a way. However, I've rarely seen that you have to re-enter credentials in a professional web application like Google or Facebook, for example. Yes. But if those apps were running on Tomcat I doubt that

Re: Tomcat 7.x.x, 8.x.x, 8.5.x and 9.x.x: Session serialization w/o authentication related information

2019-12-01 Thread Mark Thomas
On 29/11/2019 11:48, Klein, Carsten wrote: > However, we are developing Ajax-driven > B2B client applications, which terminate / end the session when they > detect loss of authentication. Technically, these apps periodically send > keep-alive messages to the server (in order to keep

Re: Tomcat 7.x.x, 8.x.x, 8.5.x and 9.x.x: Session serialization w/o authentication related information

2019-11-29 Thread Klein, Carsten
On 28/11/2019 10:20, Mark Thomas wrote: On 28/11/2019 08:03, Klein, Carsten wrote: Hi there, Thanks for answering my questions. See my remarks inline: in all recent Tomcat versions the standard session implementation declares authentication related fields as 'transient', s

Re: Tomcat 7.x.x, 8.x.x, 8.5.x and 9.x.x: Session serialization w/o authentication related information

2019-11-28 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Carsten, > in all recent Tomcat versions the standard session implementation > declares authentication related fields as 'transient', so both the > session's authType as well as its authenticated Principal is no

Re: Tomcat 7.x.x, 8.x.x, 8.5.x and 9.x.x: Session serialization w/o authentication related information

2019-11-28 Thread Mark Thomas
On 28/11/2019 08:03, Klein, Carsten wrote: > Hi there, > > in all recent Tomcat versions the standard session implementation > declares authentication related fields as 'transient', so both the > session's authType as well as its authenticated Principal

Tomcat 7.x.x, 8.x.x, 8.5.x and 9.x.x: Session serialization w/o authentication related information

2019-11-28 Thread Klein, Carsten
Hi there, in all recent Tomcat versions the standard session implementation declares authentication related fields as 'transient', so both the session's authType as well as its authenticated Principal are not saved and restored across restarts. On those fields the

Re: postgresql jndi datasource with certificate authentication?

2019-10-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Felix, On 10/26/19 16:37, Felix Schumacher wrote: > > Am 22.10.19 um 20:07 schrieb Magosányi Árpád: >> Thank you all for the suggestions. >> >> Based on the documentation, my setup should work: The server >> certificate is already processed and ac

Re: postgresql jndi datasource with certificate authentication?

2019-10-26 Thread Felix Schumacher
Am 22.10.19 um 20:07 schrieb Magosányi Árpád: > Thank you all for the suggestions. > > Based on the documentation, my setup should work: The server certificate > is already processed and accepted (I know that because I could not get > it right at the first try). The driver is supposed to work wit

Re: postgresql jndi datasource with certificate authentication?

2019-10-22 Thread Magosányi Árpád
Thank you all for the suggestions. Based on the documentation, my setup should work: The server certificate is already processed and accepted (I know that because I could not get it right at the first try). The driver is supposed to work with a PEM certificate and a pkcs-8 DER encoded key, and tho

Re: postgresql jndi datasource with certificate authentication?

2019-10-22 Thread Christopher Schultz
Arpad, On 10/22/19 12:19, logo wrote: I have the following in context.xml: url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&sslmode=verify-ca" username="market" maxTotal="20" maxIdle="10" maxWaitMillis="-1"/> I have this in ~tomcat/.postgresq

Re: postgresql jndi datasource with certificate authentication?

2019-10-22 Thread logo
king in mysql... Peter Am 2019-10-22 12:56, schrieb Magosányi Árpád: Hi! Anyone have a postgresql jndi datasource with certificate authentication working? I have the following in context.xml: url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&a

Re: postgresql jndi datasource with certificate authentication?

2019-10-22 Thread Christopher Schultz
ntCertificateKeyStorePassword=changeit"); Connection c = DriverManager.getConnection(sb.toString()); and convert the pem certificate to JKS/P12 ? I have this working in mysql... Peter Am 2019-10-22 12:56, schrieb Magosányi Árpád: Hi! Anyone have a postgresql jndi datasource with cer

Re: postgresql jndi datasource with certificate authentication?

2019-10-22 Thread Magosányi Árpád
sb.append("clientCertificateKeyStorePassword=changeit"); > >     Connection c = DriverManager.getConnection(sb.toString()); > > and convert the pem certificate to JKS/P12 ? I have this working in > mysql... > > Peter > > Am 2019-10-22 12:56, schrieb M

Re: postgresql jndi datasource with certificate authentication?

2019-10-22 Thread logo
this working in mysql... Peter Am 2019-10-22 12:56, schrieb Magosányi Árpád: Hi! Anyone have a postgresql jndi datasource with certificate authentication working? I have the following in context.xml:     I have this in ~tomcat/.postgresql: root@market:/var/lib/tomcat9/.postgr

postgresql jndi datasource with certificate authentication?

2019-10-22 Thread Magosányi Árpád
Hi! Anyone have a postgresql jndi datasource with certificate authentication working? I have the following in context.xml:     I have this in ~tomcat/.postgresql: root@market:/var/lib/tomcat9/.postgresql# ls -lL total 11 -rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt -r

RE: Tomcat 7 HTTPS and LDAP authentication issue

2019-10-08 Thread John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
The LDAPS authentication is handled by the application using an external file not in Tomcat or the application that contains the credentials for the generic Active Directory account accessing LDAP, the Java keystore location, and the FQDN and port of the LDAPS host. -John -Original

Re: Tomcat 7 HTTPS and LDAP authentication issue

2019-10-08 Thread Mark Thomas
SSLProtocol="all" /> > > How are you configuring TLS for LDAP? > > Do you mean inside Tomcat? Yes. Or is the authentication happening in httpd? Mark > > Thanks > -John > > -Original Message- > From: Mark Thomas > Sent: Tuesday, Octob

RE: Tomcat 7 HTTPS and LDAP authentication issue

2019-10-08 Thread John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
authentication issue On 08/10/2019 18:55, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote: > Hello, > > We have an application running on Tomcat 7.0.96. The application > handles authentication by accessing an internal LDAPS host by using > credenti

Re: Tomcat 7 HTTPS and LDAP authentication issue

2019-10-08 Thread Mark Thomas
On 08/10/2019 18:55, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote: > Hello, > > We have an application running on Tomcat 7.0.96. The application handles > authentication by accessing an internal LDAPS host by using credentials, a > keystore,

Tomcat 7 HTTPS and LDAP authentication issue

2019-10-08 Thread John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
Hello, We have an application running on Tomcat 7.0.96. The application handles authentication by accessing an internal LDAPS host by using credentials, a keystore, and the LDAPS hostname and port from an external file from the application and from Tomcat. This works with no issues, until I

Re: Tomcat Authentication + Spring Security J2EEPreAuthentication

2019-05-21 Thread Michael Osipov
Am 2019-05-20 um 21:35 schrieb Nacho Ganguli: My last attempt used Spring Security JEE pre-authentication filters. This works as I would like "provided" that I only use basic auth and tomcat's default realm (tomcat-users.xml). As soon as I introduce form-based auth, it does no
