Hello,

I am trying to set up client-certificate authentication for Tomcat 7.0.57. I have read the basics in the docs and I have my configuration working up to a point.

My problem is that Tomcat accepts the client's connection, but returns HTTP status 401 for pages the user is supposed to be authorized to access.

I am confident the certificates and key store etc. are set up properly because the TLS connection works with a trusted client certificate and not with an untrusted one. :-)

Some relevant snippets from the configuration files:

web.xml from my web app divides the web resources into several collections, one of which requires no authentication at all and others require the user to belong to a particular role. For example:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public Interface</web-resource-name>
    <url-pattern>/index.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrator Only</web-resource-name>
    <url-pattern>/admin.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The Connector is set up in server.xml as:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           clientAuth="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${catalina.home}/conf/testServer.jks" keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/truststore.jks" truststorePass="changeit"
           sslProtocol="TLSv1.2" />

And finally, my Realm is a UserDatabaseRealm:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" digest="sha"/>

tomcat-users.xml looks something like this:

<tomcat-users>
  <role rolename="user" /> <!-- System administrators -->
  <role rolename="administrator" /> <!-- System administrators -->
  <user username="testClient_1" password="****redacted***" roles="user" />
  <user username="testClient_2" password="****redacted***" roles="administrator" />
</tomcat-users>

Again, the symptom I am seeing is that a browser with the testClient_2 certificate installed can connect to the web app and access index.html, but gets an HTTP 401 error trying to access admin.html.

Does anyone have suggestions about what I might be overlooking, or how I could isolate the cause?

Thanks,

--
Andrew Gronosky
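An added example, not from the original post, showing the two pieces the snippets above do not include: a web.xml login-config that selects CLIENT-CERT (without one the container never authenticates the caller, so any resource carrying an auth-constraint is refused) with the matching security-role declaration, and a tomcat-users.xml entry keyed on the certificate's full subject DN, which is the username Tomcat's realms look up when the auth method is CLIENT-CERT. The DN string, the OU/O values and the realm-name are constructed sample values; the exact DN rendering comes from the JVM, so the value to use is the one Tomcat logs when FINE logging is enabled for org.apache.catalina.realm.

```xml
<!-- ===== web.xml (fragment) ===== -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrator Only</web-resource-name>
      <url-pattern>/admin.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Selects certificate-based authentication for every auth-constraint.
       Without a login-config the container has no way to map the TLS
       client certificate to a Principal, so no role check can succeed. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client certificate realm</realm-name> <!-- constructed sample -->
  </login-config>

  <!-- Every role referenced by an auth-constraint should be declared here. -->
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</web-app>

<!-- ===== tomcat-users.xml (fragment) ===== -->
<tomcat-users>
  <role rolename="administrator"/>
  <!-- For CLIENT-CERT the realm looks up the certificate's subject DN as
       the username, not just its CN. The password attribute is never
       checked for certificate logins, so it is left empty.
       The DN below is a constructed sample, not a real certificate. -->
  <user username="CN=testClient_2, OU=Test, O=Example, C=US"
        password=""
        roles="administrator"/>
</tomcat-users>
```

If the DN-keyed entry still fails, the FINE-level realm log shows the exact username string Tomcat derived from the certificate, which should be copied verbatim into the username attribute.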


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org