[EMAIL PROTECTED] wrote:
 
Hello,

I am trying to use the auth-method of web.xml with the CLIENT-CERT value, as specified in web.dtd.
Here is the fragment of the web.xml file:
    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/login/login.jsp</form-login-page>
        <form-error-page>/jsp/security/login/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

When I try to access a url-pattern that is protected by a <security-constraint> over https on port 8443,
I always get the same response from the Catalina server:
                       You are not authorized to view this page
 
 

When you use CLIENT-CERT login plus a security constraint, what you are asking Catalina to do is look up the authenticated client in its Realm (by default, the MemoryRealm that reads from $CATALINA_HOME/conf/tomcat-users.xml), to (a) make sure that the client is present in the Realm, and (b) look up the associated roles to verify against the security constraint.

The "username" that is looked up is the value returned by calling getSubjectDN().getName() on the first certificate in the certificate chain -- in other words, the principal name of the client that was authenticated by this certificate.

If all you want to do is make sure the client has a valid certificate, you don't need to use a security constraint at all -- just set the "clientAuth" property on the Connector to true, and no requests will be accepted without a certificate.  On the other hand, if you want to use security constraints in addition, you will need to define the user (and associated roles) in your Realm, just as you would for any other login method.

 
Does anybody know where I can find information about this functionality that I have used incorrectly?

Best regards

Jérôme

Craig McClanahan
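As an added illustration of the two points in Craig's reply (a client certificate is only useful for a security constraint once the certificate's subject DN exists as a user in the Realm with the required roles, and clientAuth on the Connector is what forces a certificate to be presented), here are the three configuration fragments that have to agree with each other. This is example configuration written for this thread, not taken from the original message or from the Tomcat distribution; the DN, role name, web.xml paths and Connector attributes are constructed or version-dependent assumptions. The one check worth doing before editing tomcat-users.xml is to log the value of getSubjectDN().getName() for the certificate as the JVM renders it and paste that string verbatim as the user name, because MemoryRealm matches it character for character.

```xml
<!-- 1. web.xml (example): CLIENT-CERT plus a constraint that requires the "certuser" role.
     The <form-login-config> element is only meaningful for FORM authentication, so it is
     omitted here; with CLIENT-CERT the container never shows a login page. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Certificate Area</realm-name>
</login-config>

<security-role>
  <role-name>certuser</role-name>
</security-role>

<!-- 2. $CATALINA_HOME/conf/tomcat-users.xml (example): the user name is the subject DN of the
     client certificate, exactly as Java's getSubjectDN().getName() prints it (comma-space
     separated RDNs). The DN below is constructed for this example. The password attribute is
     not consulted for certificate logins, so it holds only a placeholder; it is required by
     the file format. Older Tomcat 4.0 files use name= instead of username=; later versions
     accept username= (Tomcat 4.1 falls back to name= if username= is absent). -->
<tomcat-users>
  <role rolename="certuser"/>
  <user username="CN=Jerome Example, OU=Dev, O=Example Corp, C=FR"
        password="unused-for-client-cert"
        roles="certuser"/>
</tomcat-users>

<!-- 3. $CATALINA_HOME/conf/server.xml (example): the HTTPS Connector on 8443 with
     clientAuth="true", so the SSL handshake itself is refused without a client certificate.
     Attribute names other than clientAuth (keystore and truststore settings) follow the
     Tomcat 5.5+ Connector syntax and are assumptions here; Tomcat 4.x puts them on a nested
     <Factory> element instead. The truststore must contain the CA that issued the client
     certificates, otherwise the handshake fails before the Realm is ever consulted. -->
<Connector port="8443" scheme="https" secure="true"
           SSLEnabled="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="conf/server.jks" keystorePass="changeit-placeholder"
           truststoreFile="conf/client-ca.jks" truststorePass="changeit-placeholder"/>
```

With all three in place, a request to /secure/* over 8443 that presents a certificate whose subject DN matches the tomcat-users.xml entry is granted the certuser role and passes the constraint; a request with a certificate the Realm does not know about still gets the "not authorized" response, which is the symptom described above. If the goal is only "must present a valid certificate", fragment 3 alone is sufficient and fragment 1 can be dropped, as Craig notes.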
 
