Graham, On Fri, Mar 13, 2015 at 4:49 PM, Graham Leggett <minf...@sharp.fm> wrote:
> On 13 Mar 2015, at 10:34 PM, Neven Cvetkovic <neven.cvetko...@gmail.com> wrote:
>
>>> What doesn’t seem to fit is the realm definition - specifying userCredCol
>>> is marked as mandatory, but this is obviously not present with a client
>>> certificate. What do you specify in this field?
>>>
>>
>> You define the password column, which could have NULL values now, since we
>> don't use passwords anymore.
>
> I don’t follow, do you mean I shouldn’t define the password column?

According to my understanding, the password field will be irrelevant, since we use certificates to authenticate, not a username/password combo. Thus, keep the field as is.

>> Here's another interesting article that tackles the old version of Tomcat,
>> but the ideas are very similar. Here's a link:
>>
>> http://stackoverflow.com/questions/163113/can-client-cert-auth-method-be-used-with-a-jdbc-realm-within-tomcat
>
> I’ve already found all of these, and have trawled through them to no
> avail. It appears all the information is stale.

Yes, indeed - most of the info on these pages is very stale. Once we resolve it, we should add a nice article about this, and add it to the Tomcat Wiki :)))

> I am currently stuck on two specific areas:
>
> - None of the debug logging seems to work any more in any kind of
> predictable fashion, as detailed in my other message.

From your other log files (your last email in the other thread) it seems your pages are not secured at all, e.g. "FINE: Not subject to any constraint".

Do you have <security-constraint> defined in your web.xml?

> - Turning on SQL statement logging in postgres shows that at no point is
> any SQL statement executed against the database.

Well, we are not hitting the database yet, as the secured page was not hit yet - just the unsecured "/" - judging from your provided log files.

That's why I would first make sure the logging does work properly with the other login method (BASIC/FORM), just to make sure you can see stuff being logged. Then you can switch to the new CLIENT-CERT, and troubleshoot the problem.

> If I had some kind of meaningful error that accompanied the 403 it would
> be a huge help.
>
> Is anyone able to confirm where I might place a breakpoint to step through
> the tomcat code?

I would try constructors on the RealmBase and AuthenticatorBase base classes or their derived subclasses, e.g. BasicAuthenticator, SSLAuthenticator, DataSourceRealm. Try also the authenticate() method on the DataSourceRealm ... that's probably going to be called at some point :))

Hope that helps!

Cheers!
Neven
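To make the pieces Neven is pointing at concrete, the following is an added configuration example for the set-up discussed in this thread (CLIENT-CERT authentication backed by a DataSourceRealm). It is not taken from the thread or from the Tomcat documentation, and the port, keystore paths, passwords, JNDI name, table and column names, URL pattern and role name are all assumptions chosen for illustration. The attribute and element names themselves (clientAuth, truststoreFile, DataSourceRealm's userTable/userNameCol/userCredCol/userRoleTable/roleNameCol, and the web.xml security elements) are the real Tomcat 7/8 ones. The three fragments belong in three different files; the XML comments say which.

```xml
<!-- 1. conf/server.xml: HTTPS connector that REQUIRES a client certificate.
        The truststore must contain the CA that issued the client certs.
        Paths and passwords are assumptions for this example. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="conf/server.jks"     keystorePass="changeit"
           truststoreFile="conf/client-ca.jks" truststorePass="changeit"/>

<!-- 2. conf/server.xml (inside <Engine> or <Host>) or META-INF/context.xml:
        the realm. userCredCol is still mandatory for DataSourceRealm even
        though no password is checked under CLIENT-CERT; point it at a
        column that may simply hold NULL. The user_name column must hold
        the certificate's subject DN exactly as Tomcat renders it, because
        that string is what RealmBase passes to the realm as the username.
        JNDI name and table/column names are assumptions. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authdb"
       userTable="users"      userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>

<!-- 3. WEB-INF/web.xml: without a <security-constraint> that matches the
        requested URL, AuthenticatorBase logs "Not subject to any constraint"
        and the realm is never consulted. /secure/* and the role name
        "admin" are assumptions; "/" alone would NOT be protected here. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- force HTTPS so the client certificate is actually presented -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client certificate realm</realm-name>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

Two checks worth doing before blaming the realm: request a URL that actually matches the <url-pattern> (a hit on "/" with the pattern above will still log "Not subject to any constraint" and never touch the database), and confirm that the subject DN string in the users table matches the one Tomcat derives from the certificate, since a mismatch in ordering or spacing of the DN components yields an empty role list and therefore a 403 with no database error to show for it.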