tomcat-users mailing list archives

From "Hendryx-Parker, Calvin" <Cal...@Epylon.com>
Subject RE: CLIENT-CERT and JDBCRealm
Date Sun, 25 Aug 2002 19:04:10 GMT
>Yes ... the principal name from the first certificate in the chain must
>be a username in your Realm for client-cert authentication to work.

Here is the code I used to check that I am getting the right DN:
(snip...)
        // needs: import java.security.Principal;
        //        import java.security.cert.X509Certificate;
        X509Certificate[] certChain =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        X509Certificate cert = certChain[0];   // first certificate in the chain is the client's own
        Principal p = cert.getSubjectDN();
(snip...)
        out.println("Name of Prinicipal: " + p.getName());
(snip...)

This outputs the following:

Name of Prinicipal: CN=Calvin Hendyrx-Parker, OU=Engineering, O=Epylon, L=San Francisco, ST=California, C=US

Here is what I have in my Oracle table:

USER_NAME
--------------------------------------------------------------------------------
CN=Calvin Hendyrx-Parker, OU=Engineering, O=Epylon, L=San Francisco, ST=California, C=US

PASSWORD
--------------------------------------------------
test

then I have this in my roles table:

USER_NAME
--------------------------------------------------------------------------------
CN=Calvin Hendyrx-Parker, OU=Engineering, O=Epylon, L=San Francisco, ST=California, C=US

ROLE_NAME
--------------------------------------------------
testing

I have the security constraint set for the role testing in my web.xml file.
In the logs I am getting this, which makes me think I am close:

2002-08-25 11:55:05 JDBCRealm[Standalone]: Authenticating client certificate chain
2002-08-25 11:55:05 JDBCRealm[Standalone]:  Checking validity for 'CN=Calvin Hendyrx-Parker, OU=Engineering, O=Epylon, L=San Francisco, ST=California, C=US'
2002-08-25 11:55:05 JDBCRealm[Standalone]:  Checking validity for 'EMAILADDRESS=calvin@epylon.com, CN=EpylonCA, OU=Engineering, O=Epylon, L=San Francisco, ST=California, C=US'

But I still get a 401 error and it doesn't give me the message that that
primary is in a certain role.  What am I still missing?

Thanks,
Calvin
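As an added diagnostic (not part of the original message or of Tomcat's own code), the SQL*Plus script below reproduces the two lookups JDBCRealm performs for a CLIENT-CERT login and checks that the stored DN matches the principal name character for character. The table names USERS and USER_ROLES are assumptions chosen to fit the columns shown above; they correspond to the realm's userTable and userRoleTable attributes.

```sql
-- Added example, Oracle SQL*Plus dialect. Assumed tables:
--   USERS      (USER_NAME, PASSWORD)   -> JDBCRealm userTable / userNameCol / userCredCol
--   USER_ROLES (USER_NAME, ROLE_NAME)  -> JDBCRealm userRoleTable / roleNameCol
-- The realm keys both lookups on the exact string returned by
-- cert.getSubjectDN().getName(), so one extra space, a trailing blank or a
-- CHAR-padded column makes the user "unknown" and the request ends in a 401.

-- Show the DN on one line instead of SQL*Plus wrapping it at the column width.
SET LINESIZE 200
COLUMN USER_NAME FORMAT A100

-- The principal name exactly as the servlet printed it.
DEFINE dn = 'CN=Calvin Hendyrx-Parker, OU=Engineering, O=Epylon, L=San Francisco, ST=California, C=US'

-- 1. First lookup the realm does: the credential row for this principal name.
SELECT PASSWORD FROM USERS WHERE USER_NAME = '&dn';

-- 2. Second lookup: every role granted to that same exact name.
SELECT ROLE_NAME FROM USER_ROLES WHERE USER_NAME = '&dn';

-- 3. If either query returns no rows, compare the nearest candidates with the
--    expected value and classify how they differ.
SELECT USER_NAME,
       LENGTH(USER_NAME) AS stored_len,
       LENGTH('&dn')     AS expected_len,
       CASE WHEN USER_NAME = '&dn'                    THEN 'EXACT'
            WHEN TRIM(USER_NAME) = '&dn'              THEN 'LEADING/TRAILING BLANKS'
            WHEN REPLACE(USER_NAME, ' ', '') =
                 REPLACE('&dn', ' ', '')              THEN 'SPACING AFTER COMMAS DIFFERS'
            ELSE                                           'DIFFERENT TEXT'
       END AS match_kind
  FROM USERS
 WHERE USER_NAME LIKE 'CN=Calvin%';

-- 4. Padding is invisible in normal output; DUMP() shows trailing code 32 bytes.
--    Note: a CHAR(n) column compares equal to a literal here (blank-padded
--    semantics) but NOT to the VARCHAR bind variable JDBCRealm sends over JDBC,
--    so check the column type too.
SELECT DUMP(USER_NAME) FROM USERS WHERE USER_NAME LIKE 'CN=Calvin%';
SELECT COLUMN_NAME, DATA_TYPE, DATA_LENGTH
  FROM USER_TAB_COLUMNS
 WHERE TABLE_NAME IN ('USERS', 'USER_ROLES') AND COLUMN_NAME = 'USER_NAME';
```

If queries 1 and 2 both return a row for the DN, the data side is consistent and the remaining difference must lie in the realm configuration rather than in the table contents.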

