never mind. i answered my own question. i didn't have a Realm from which i
could authenticate a principal based on certs.
what i'm trying to do is force client auth for a given uri pattern but not
have to use the servlet spec's notion of roles, principals, etc. i'm
attempting to get the same functionality the SSLVerifyClient directive gets
you with mod_ssl + apache. it appears that i can't really do this in a
portable way -- i'll have to use a valve or something.
-kevin.
>
> when i attempt to use CLIENT-CERT auth with the tomcat 4 manager webapp,
> tomcat appears to still be looking for basic auth credentials.
>
> for example, if i change web.xml in the manager webapp to look like this:
>
> --- snip ---
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Entire Application</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- NOTE: This role is not present in the default users file -->
>     <role-name>*</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
> </login-config>
> --- end snip ---
>
> and configure an ssl connector along with my keystore, then try to access
> the manager app from a client, i get a 401:
>
> HTTP/1.1 401 Cannot authenticate with the provided credentials
> Content-Type: text/html
> Date: Thu, 23 Aug 2001 20:46:21 GMT
> Server: Apache Tomcat/4.0-b8-dev (HTTP/1.1 Connector)
> Connection: close
> Connection: close
>
> <html>
> <head>
> <title>Tomcat Error Report</title>
> <br><br>
> <h1>HTTP Status
> 401 - Cannot authenticate with the provided credentials</h1>
> </body>
> </html>
>
> two messages appear to show up in the log when i send the request:
>
> 2001-08-23 16:09:14 CertificatesValve[/manager]: verify: SSLPeerUnverifiedException
> 2001-08-23 16:09:15 CertificatesValve[/manager]: expose: Exposing converted certificates
>
> which, from looking through CertificatesValve.java, seems to indicate that
> the client cert chain was properly verified.
>
> from reading the servlet spec, it seems that using CLIENT-CERT should not
> require me to do basic auth as well. did i read the spec wrong, or is this
> a tomcat 4 bug?
>
> thanks,
> -kevin.
>
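Added example (editor's code, not from Kevin's message and not part of Tomcat): the SSLVerifyClient-style "a verified client cert must be present on this URI pattern" check, written as a Servlet 2.3 filter so it needs no Realm, roles or principals. It assumes only what the Servlet 2.3 spec defines, the request attribute `javax.servlet.request.X509Certificate` that Tomcat's CertificatesValve populates, and it assumes the SSL connector is configured to require client auth (`clientAuth="true"` on the Tomcat 4 connector) so the TLS handshake itself has already validated the chain against the truststore; the filter only enforces that a chain is there, that the leaf is inside its validity period, and, optionally, that the issuer DN is one you expect. The init parameter name `allowedIssuers` and the class name are this example's own inventions.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Map it to the URI pattern you want protected, e.g. in web.xml:
 *
 *   <filter>
 *     <filter-name>requireClientCert</filter-name>
 *     <filter-class>RequireClientCertFilter</filter-class>
 *     <init-param>                                 <!-- optional -->
 *       <param-name>allowedIssuers</param-name>    <!-- hypothetical name -->
 *       <param-value>CN=Example Client CA,O=Example</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>requireClientCert</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * No <login-config> or <auth-constraint> is involved, so no Realm is consulted.
 */
public class RequireClientCertFilter implements Filter {

    // Attribute name defined by the Servlet spec for the peer's X.509 chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Issuer DNs (RFC 2253 form, '|' separated in the init-param) that are
    // acceptable; empty means "any issuer the connector's truststore accepted".
    private final Set<String> allowedIssuers = new HashSet<String>();

    public void init(FilterConfig cfg) {
        String issuers = cfg.getInitParameter("allowedIssuers"); // assumed name
        if (issuers != null) {
            for (String dn : issuers.split("\\|")) {
                allowedIssuers.add(dn.trim());
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        // A cert attribute is only meaningful if this request came in over TLS;
        // a plain-HTTP connector on the same webapp must never get through.
        if (!hreq.isSecure()) {
            hres.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS with a client certificate is required");
            return;
        }

        X509Certificate[] chainFromTls = (X509Certificate[]) hreq.getAttribute(CERT_ATTR);
        String problem = check(chainFromTls, allowedIssuers);
        if (problem != null) {
            // 403, not 401: there is no HTTP auth scheme to challenge with.
            hres.sendError(HttpServletResponse.SC_FORBIDDEN, problem);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns null when the chain is acceptable, otherwise a short reason. */
    static String check(X509Certificate[] certs, Set<String> allowedIssuers) {
        if (certs == null || certs.length == 0) {
            return "no client certificate presented";
        }
        X509Certificate leaf = certs[0]; // element 0 is the peer's own certificate
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            return "client certificate expired or not yet valid";
        }
        if (!allowedIssuers.isEmpty()
                && !allowedIssuers.contains(leaf.getIssuerX500Principal().getName())) {
            return "client certificate issued by an unexpected CA";
        }
        return null;
    }

    public void destroy() {
    }
}
```

Two caveats a practitioner should keep in mind. First, this filter does not build or verify the chain itself; if the connector is switched to optional client auth, or to a connector that skips trust validation, the filter will happily accept any presented certificate that is within its validity dates, so the `clientAuth` setting on the connector is what actually corresponds to `SSLVerifyClient require`. Second, the issuer comparison is a string match on `X500Principal.getName()`, which is RFC 2253 form; the DNs in the init parameter must be written in that same form or the match will silently fail closed.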