Hi,
you have to set clientAuth="true"
andreas
Luis Pascual Forner wrote:
Thanks, Bill,
I use the JIO connector.
That's my server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8006" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener" />
  <GlobalNamingResources>
    <Environment name="simpleValue" type="java.lang.Integer" value="30" />
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8081" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443"
               acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector acceptCount="100" clientAuth="false"
               disableUploadTimeout="true" keystoreFile="/XXXXXXXXX/xxxxx.p12"
               keystorePass="XXXXXX" keystoreType="PKCS12" port="8443" scheme="https"
               secure="true" sslProtocol="TLS"
               truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts"
               truststorePass="XXXXXXX" truststoreType="JKS" />
    <Connector port="8010"
               enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="com.ival.tomcat.X509Realm" debug="0" />
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
        <Context docBase="cavi" path="/cavi" reloadable="true" />
        <Context docBase="x509" path="/x509" reloadable="true"
                 allowLinking="true" />
      </Host>
    </Engine>
  </Service>
</Server>
Bill Barker wrote:
"Luis Pascual Forner" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Hi,
I need to authenticate ONLY with a client certificate (i.e., I don't want
to check any user database). I did the following:
1. I wrote an "X509Realm", with a method "authenticate" that
only checks the validity of each certificate in the
certificate chain (it does not check whether the user exists in
any database).
2. Declared this new class in
"org/apache/catalina/realm/mbeans-descriptors.xml" and
"rg/apache/catalina/mbeans/mbeans-descriptors.xml".
3. Edited "server.xml" and configured the realm.
4. Edited "web.xml" to set the auth-method to "CLIENT-CERT".
5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
"server/classes", with the correct path.
6. Restarted Tomcat.
Now, I can authenticate with an X509 certificate, and get the
client certificate with
getAttribute("javax.servlet.request.X509Certificate"). But,
sometimes, this method returns null. Why?
Almost certainly means that the client didn't send a cert. But more
info on your setup would get a better response. For example, are you
using the APR or the JIO Connector?
regards
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
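The realm described in the thread (validate the client's certificate chain, consult no user database) and the null attribute it runs into can be shown in plain JDK code. This is an added example, not Luis's X509Realm or any Tomcat class; the class name, the trust store path argument and the caller are assumptions, and it checks the chain against the same JKS trust store the HTTPS connector is configured with.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper for a CLIENT-CERT protected app or a custom Realm. */
public final class ClientCertCheck {

    private final KeyStore trustStore;

    public ClientCertCheck(String truststoreFile, char[] truststorePass) throws Exception {
        // Assumption: the JKS trust store named in the connector's truststoreFile.
        trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststoreFile)) {
            trustStore.load(in, truststorePass);
        }
    }

    /**
     * Returns the chain the connector stored on the request, or null when the
     * client presented no certificate. With clientAuth="false" the server never
     * asks for one, so a null here is the expected result, not a parsing error.
     */
    public static X509Certificate[] chainFromRequest(HttpServletRequest req) {
        Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            return null;
        }
        return (X509Certificate[]) attr;
    }

    /**
     * Checks every certificate's validity period, then runs PKIX path validation
     * (signatures, issuer links, trust anchor) against the trust store. No user
     * database is consulted; the end-entity subject DN becomes the principal name.
     */
    public String validate(X509Certificate[] chain) throws Exception {
        for (X509Certificate c : chain) {
            c.checkValidity(); // throws if expired or not yet valid
        }
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source in this setup
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return chain[0].getSubjectX500Principal().getName();
    }
}
```

A realm's authenticate(X509Certificate[]) override or a servlet can call chainFromRequest first and treat null as "no certificate sent", which is exactly the case clientAuth="true" on the connector eliminates.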