From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38555] New: - CLIENT-CERT authentication fails with UserDatabase Realm
Date Tue, 07 Feb 2006 16:07:01 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38555>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38555

           Summary: CLIENT-CERT authentication fails with UserDatabase Realm
           Product: Tomcat 5
           Version: 5.0.28
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connector:Coyote
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: axianx@gmail.com


I have set up SSL CLIENT-CERT authentication using the MemoryRealm:

server.xml
==========
<Realm className="org.apache.catalina.realm.MemoryRealm" />
..
<Connector port="8443" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="want"
sslProtocol="TLS" keystoreFile="keystore.jks" keystorePass="geheim"
truststoreFile="truststore.jks" truststorePass="wonttell"/>

tomcat-users.xml
================
<tomcat-users>
  <role rolename="myrole"/>
  ...
  <user username="EMAILADDRESS=markus..., CN=markus..., OU=CA, O=..., L=...,
ST=..., C=DE" password="" roles="myrole"/>
  ...
</tomcat-users>

web.xml
=======
<security-constraint>
  <web-resource-collection>
    <url-pattern>/secret/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myrole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>myrole</role-name>
</security-role>

This works fine.

The Bug
=======
It does not work using the UserDatabase Realm:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       debug="0" resourceName="UserDatabase"/>
<Resource name="UserDatabase" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved">
</Resource>
<ResourceParams name="UserDatabase">
  <parameter>
    <name>factory</name>
    <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
  </parameter>
  <parameter>
    <name>pathname</name>
    <value>conf/tomcat-users.xml</value>
  </parameter>
</ResourceParams>

Error Message
=============
I always get access denied for the protected URL even if I have the right SSL
client certificate in the browser keystore AND the right client-cert metadata in
the tomcat-user definition.


