More information:
If I use Internet Explorer, this appears in the log:
java.net.SocketException: Socket Closed
    at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:201)
    at java.net.Socket.setSoTimeout(Socket.java:997)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(SSLSocketImpl.java:2047)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:99)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
    at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1131)
    at org.apache.coyote.Request.action(Request.java:349)
    at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:619)
But not if I use Firefox on Linux.
Luis Pascual Forner wrote:
Thanks, Bill,
I use the JIO connector.
This is my server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8006" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener" />
  <GlobalNamingResources>
    <Environment name="simpleValue" type="java.lang.Integer" value="30" />
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8081" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector acceptCount="100" clientAuth="false"
               disableUploadTimeout="true" keystoreFile="/XXXXXXXXX/xxxxx.p12"
               keystorePass="XXXXXX" keystoreType="PKCS12" port="8443" scheme="https"
               secure="true" sslProtocol="TLS"
               truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts" truststorePass="XXXXXXX"
               truststoreType="JKS" />
    <Connector port="8010"
               enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="com.ival.tomcat.X509Realm" debug="0" />
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
        <Context docBase="cavi" path="/cavi" reloadable="true" />
        <Context docBase="x509" path="/x509" reloadable="true"
                 allowLinking="true" />
      </Host>
    </Engine>
  </Service>
</Server>
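A point worth checking in the configuration above is `clientAuth="false"` on the 8443 connector. With that value (Tomcat's default) the server does not ask for a client certificate during the initial TLS handshake; it only requests one by renegotiating the connection when a request hits a resource protected by `CLIENT-CERT`, which is exactly the `getPeerCertificateChain` / `handShake` / `synchronousHandshake` path visible in the stack trace. If a browser does not complete that renegotiation, the `javax.servlet.request.X509Certificate` attribute is null. Setting `clientAuth="want"` moves the certificate request into the initial handshake while still allowing clients without a certificate to connect; `clientAuth="true"` refuses any connection that presents no valid chain. The snippet below is an added example, not the poster's server.xml; the key store paths and passwords are placeholders.

```xml
<!-- Added example (not the poster's configuration): HTTPS connector that asks
     for the client certificate in the initial handshake instead of relying on
     renegotiation at the first CLIENT-CERT protected request. -->
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="want"
           keystoreFile="/path/to/server.p12" keystorePass="CHANGEME" keystoreType="PKCS12"
           truststoreFile="/path/to/trustcacerts" truststorePass="CHANGEME" truststoreType="JKS"
           acceptCount="100" disableUploadTimeout="true" />
```

The trust store named by `truststoreFile` defines which issuing CAs Tomcat will accept a client chain from, so for a realm that authenticates on the certificate alone it should contain only the CA(s) that are allowed to issue user certificates, not a general-purpose bundle of public roots.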
Bill Barker wrote:
"Luis Pascual Forner" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Hi,
I need to authenticate ONLY with a client certificate (i.e., I don't want
to check any user database). I did the following:
1. I wrote an "X509Realm" with a method "authenticate" that
only checks the validity of each certificate in the
certificate chain (it doesn't check whether the user exists in
any database).
2. Declared this new class in
"org/apache/catalina/realm/mbeans-descriptors.xml" and
"org/apache/catalina/mbeans/mbeans-descriptors.xml".
3. Edited "server.xml" and configured the realm.
4. Edited "web.xml" to set the auth-method to "CLIENT-CERT".
5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
"server/classes", with the correct path.
6. Restarted Tomcat.
Now I can authenticate with an X509 certificate and get the
client certificate with
getAttribute("javax.servlet.request.X509Certificate"). But
sometimes this method returns null. Why?
That almost certainly means that the client didn't send a cert. But more
info on your setup would get a better response. For example, are you
using the APR or the JIO connector?
regards
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
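The six steps above describe a realm whose `authenticate` method checks only the validity of each certificate in the chain, and the question is what to do when the `javax.servlet.request.X509Certificate` attribute is null. The class below is an added example, not the poster's `X509Realm` and not Tomcat's own Realm API: it is a standalone helper that a realm or a servlet filter could call. It treats a missing or empty attribute as "unauthenticated" rather than as an error, and it validates the chain with the JDK's PKIX `CertPathValidator` against the connector's trust store, which checks signatures, validity dates and basic constraints and, unlike a per-certificate date check, requires the chain to end at a trusted CA. It assumes the Tomcat 5.5-era `javax.servlet` API seen in the stack trace, a JKS trust store at a path you supply, and no CRL/OCSP access (revocation checking is disabled and marked as such).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletRequest;

/**
 * Added example (not from the thread): turns the client chain that Tomcat
 * publishes as a request attribute into a principal name, handling the null
 * case and validating the chain to a trusted CA with the JDK PKIX validator.
 */
public final class ClientCertCheck {

    /** Attribute under which Tomcat publishes the client chain, leaf first. */
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private final PKIXParameters params;

    /**
     * @param trustStorePath path of the JKS trust store (assumption: same file
     *                       as the connector's truststoreFile)
     * @param trustStorePass its password
     */
    public ClientCertCheck(String trustStorePath, char[] trustStorePass)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePass);
        }
        // Every trusted certificate in the store becomes a PKIX trust anchor.
        params = new PKIXParameters(ts);
        // Assumption: no CRL or OCSP reachable from this server; enable in production.
        params.setRevocationEnabled(false);
    }

    /**
     * Returns the subject DN of the validated leaf certificate, or null when
     * the client sent no usable chain (the "sometimes null" case in the thread).
     */
    public String authenticate(ServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            // No certificate was presented (e.g. clientAuth="false" and the
            // renegotiation never produced one): unauthenticated, not an error.
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) {
            return null;
        }
        return validate(chain);
    }

    /** Validates a leaf-first chain against the trust anchors; null on failure. */
    public String validate(X509Certificate[] chain) {
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        // PKIX treats the trust anchor as outside the path, so drop a trailing
        // self-signed root if the client included it, but never drop the leaf.
        while (path.size() > 1 && isSelfSigned(path.get(path.size() - 1))) {
            path.remove(path.size() - 1);
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath certPath = cf.generateCertPath(path);
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            // Verifies each signature, validity period, name chaining and
            // basic constraints, and requires the chain to end at a trust anchor.
            validator.validate(certPath, params);
            return chain[0].getSubjectX500Principal().getName();
        } catch (CertPathValidatorException e) {
            // Expired certificate, bad signature, or chain not rooted in the trust store.
            return null;
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    private static boolean isSelfSigned(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }
}
```

A realm built this way still decides nothing about authorization: a valid chain from the trusted CA proves who the client is, and the returned subject DN (or a value from it) is what the application should map to roles. Logging the null case separately from the validation-failure case also makes it easy to tell "the browser sent nothing" apart from "the browser sent a certificate we do not trust" when the problem described in the thread recurs.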