tomcat-dev mailing list archives

From Butler
Subject CLIENT-CERT Authentication & JAASRealm bug?
Date Wed, 17 Jan 2007 16:04:13 GMT

Hi All,

I tried to configure my webapp to authenticate users with the CLIENT-CERT
auth method. My 1st test used UserDatabaseRealm, with the client cert DN
added to tomcat-user.xml. Everything works great. However, when I tried to
use JAASRealm, it fails even though my custom LoginModule always returns
true for any username.

To verify my LoginModule, I tried using "BASIC" to authenticate the user. My
LoginModule is called and successfully authenticates any input.

After studying Tomcat 5.5.20 source, I found that the problem is
caused by the and

In RealmBase, if CLIENT-CERT, SSLAuthenticator will call the :

    public Principal authenticate(X509Certificate certs[]);

and it will only validate the certs and then call
getPrincipal(certs[0]) to get the Principal. However, JAASRealm
doesn't override this function, and the getPrincipal function always
returns null.

That means Tomcat can't use JAASRealm with CLIENT-CERT auth method.


In server.xml :
   <Connector port="8443" maxHttpHeaderSize="8192"
              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true" debug="99"
              clientAuth="want" sslProtocol="TLS"

     <Realm className="org.apache.catalina.realm.JAASRealm"

in web.xml :





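One possible workaround for the gap described in the message above, as an added example that is not part of the original post and is not Tomcat's own code. The class and package names are hypothetical, and it assumes that `getPrincipal(X509Certificate)` is a protected, overridable method of `RealmBase` in the Tomcat version in use and that `authenticate(String, String)` on `JAASRealm` runs the configured LoginModule, as the BASIC test in the message indicates.

```java
package example.realm; // hypothetical package, not part of Tomcat

import java.security.Principal;
import java.security.cert.X509Certificate;

import org.apache.catalina.realm.JAASRealm;

/**
 * JAASRealm variant for CLIENT-CERT logins (added example, hypothetical class).
 *
 * RealmBase.authenticate(X509Certificate[]) checks the chain and then asks
 * getPrincipal(certs[0]) for the user. This subclass answers that call by
 * running the JAAS login with the certificate's subject DN as the user name.
 */
public class ClientCertJAASRealm extends JAASRealm {

    /**
     * Assumption: getPrincipal(X509Certificate) is a protected, overridable
     * method of RealmBase in the Tomcat version in use. @Override turns a
     * signature mismatch into a compile error instead of a silent no-op.
     */
    @Override
    protected Principal getPrincipal(X509Certificate userCert) {
        if (userCert == null) {
            return null; // no certificate, no identity
        }
        String subjectDn = userCert.getSubjectDN().getName();
        if (subjectDn == null || subjectDn.length() == 0) {
            return null; // refuse certificates without a subject DN
        }
        // The TLS handshake has already proven possession of the private key,
        // so there is no password to check. The LoginModule receives the DN as
        // the name and an empty password; it should only look up the account
        // and its roles, and reject DNs it does not know.
        //
        // Because the password is empty, use this realm only for web
        // applications whose auth-method is CLIENT-CERT. Behind BASIC or FORM
        // the same LoginModule would accept a typed-in DN with no password.
        return authenticate(subjectDn, "");
    }
}
```

The class would be selected through the `className` attribute of the `<Realm>` element, in place of `org.apache.catalina.realm.JAASRealm`.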