I think I have clearly describe my problem but It's certainly because of my poor english ....
Craig I have set up a user name's "OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr" in my $CATALINA_HOME/conf/tomcat-user file.
That doesn't work better !
That I want to say it's when I put trace on code (in SSLAuthenticator class) I don't see
the association username = certs[0].getSubjectDN().getName() and the MemoryRealm....
Jérôme
| "Craig R. McClanahan" <[EMAIL PROTECTED]>
12/01/2001 17:59
|
Pour : [EMAIL PROTECTED] cc : Objet : Re: possible problem with CLIENT-CERT login and security constraint on TOMCAT 4.0 |
[EMAIL PROTECTED] wrote:
Hi,
I try to configure TOMCAT server to authenticate client with certificate on HTTPS protocol.
My connector is configure to accept request on 8443 port like this :
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
acceptCount="10" debug="0" scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
clientAuth="true" protocol="TLS" keystorePass="password1"/>
</Connector>
My tomcat-user.xml file is configured with a new entry that match the getSubjectDN().getName() of client certificat used :
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
<user name="OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr" password="tomcat" roles="tomcat,role1" />
</tomcat-users>
I also uncomment the security constraint on my web.xml file like this
<security-constraint>
<web-resource-collection>
<web-resource-name>The Entire Web Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Tomcat Supported Realm</realm-name>
</login-config>
<security-role>
<description>
An example role defined in "conf/tomcat-users.xml"
</description>
<role-name>tomcat</role-name>
</security-role>
My problem is when I try to connect on my tomcat serveur I have always the same message :
HTTP Error 403 - Forbidden
Possibly reasons :
I try to compare BASIC authenticator and CLIENT-CERT authenticator.
* BasicAuthenticator class register an MemoryRealmPrincipal object return by the MemoryRealm class
* SSLAuthenticator class register an Principal object with is simply return by certs[0].getSubjectDN() method (and has no role associated)
When I modified a little bit the SSLAuthenticator class to find on the MemoryRealm the MemoryRealmPrincipal
associated with the username = certs[0].getSubjectDN().getName() ( with no password) that seems run better...
Excuse me, if it's a know limitation, a bug already know or a bad settings ...
JérômeIn order to use CLIENT-CERT authentication, you *must* set up a user in whatever Realm is used for authentication, with a username equal to certs[0].getSubjectDN(). This is needed for the following reasons:
* To know that this is a valid user for *this* application,
(not just that the certificate is valid)
* To know what roles are assigned to this user for
*this* application.
If you are using the default Realm implementation, this means you must add an entry to $CATALINA_HOME/conf/tomcat-users.xml for this user.
Craig McClanahan
