tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38553] New: - Wrong HTTP code for failed CLIENT-CERT authentication
Date Tue, 07 Feb 2006 15:54:17 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38553>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38553

           Summary: Wrong HTTP code for failed CLIENT-CERT authentication
           Product: Tomcat 5
           Version: 5.0.28
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connector:Coyote
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: axianx@gmail.com


server.xml:
===========
I set clientAuth to "want"

tomcat-user.xml:
================
I create a role and a user with the SSL certificate metadata

web.xml:
========
For a private URL on my website, I create a security constraint like this one:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>App</web-resource-name>
            <url-pattern>/protected.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <security-role>
        <role-name>tomcat</role-name>
    </security-role>

My results: (I try to access the restricted JSP page)
===========
1) When there is the RIGHT client certificate in the browser keystore:
it works :-)

2) When there is the WRONG client certificate I get:

  HTTP Status 401 - Cannot authenticate with the provided credentials
  (this is ok, too)

3) When there is NO client certificate I get:

  HTTP Status 400 - No client certificate chain in this request

400 usually stands for a bad request or bad syntax.

The Bug:
========
In case 3 I expect to get HTTP Status 401.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
