tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: HELP! Client Authentication in Tomcat 4.1.24
Date Thu, 24 Jul 2003 03:08:20 GMT
Bug #15790 is only if you are fronting Tomcat with Apache/IIS/SunONE.  If
you are using the stand-alone connector, it doesn't apply.  I'm guessing
that this isn't your problem, since you'd get a different error.

To use this setup, you need to be using MemoryRealm.  The default
DataSourceRealm doesn't handle CLIENT-CERT authentication.  When I'm testing
this, I usually get rid of the '<Resource name="UserDatabase" ...>', since
it has a bad habit of messing up cert subjects when it re-saves the file
:-).

With 4.1.26, if you enable TRACE logging, it will print the cert out to the
log (I use this to cut-and-paste the Subject to tomcat-users.xml).  If you
have log4j in common/lib, then add:
   log4j.logger.org.apache.tomcat.util.net.jsse=TRACE
to your log4j.properties.

"Farrell, Patrick" <PFarrell@trusecure.com> wrote in message
news:FD09D7556F7E344780385861F01AEBE24BDA27@exchange05.mscore.trusecure.net...
> Thanks,
>
> I had seen the bug you are referring to, but didn't think that this was my
> problem since I don't see that exception anywhere.  Is there anywhere that I
> may look to find that exception just to ensure that this is truly my
> problem?
>
> Pat
>
> -----Original Message-----
> From: Jay Garala [mailto:JGarala@Conclusive.com]
> Sent: Wednesday, July 23, 2003 1:44 PM
> To: 'Tomcat Users List'
> Subject: RE: HELP! Client Authentication in Tomcat 4.1.24
>
>
> This is the part you were missing.  Unfortunately, the handling of Client
> certs in the Jk-Coyote connector is broken in 4.1.24 (see
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15790).
>
> Wait for 4.1.26 or grab alpha from CVS
>
> -----Original Message-----
> From: Farrell, Patrick [mailto:PFarrell@trusecure.com]
> Sent: Wednesday, July 23, 2003 1:02 PM
> To: 'tomcat-user@jakarta.apache.org'
> Subject: HELP! Client Authentication in Tomcat 4.1.24
>
>
> I am attempting to use client certificate authentication with Tomcat 4.1.24,
> but each time I connect via a browser (Internet Explorer) Tomcat indicates
> that it is unable to authenticate with the provided credentials.
>
> My client certificate is a personal certificate from Thawte.  The
> corresponding root certificate already exists in my truststore.
>
> Shown below is my tomcat-users.xml file.
>
> <?xml version='1.0' encoding='utf-8'?>
> <tomcat-users>
>   <role rolename="user" description="Authenticated User"/>
>   <role rolename="manager" description="Tomcat Manager"/>
>   <role rolename="admin" description="Tomcat Administrator"/>
>   <user username="administrator" password="password" roles="admin,manager"/>
>   <user username="EMAILADDRESS=pfarrell@trusecure.com, CN=Thawte Freemail Member" password="null" roles="user"/>
> </tomcat-users>
>
> Must I do anything with the client certificate in order for the server to
> trust it, or does the server simply grab the DN from the certificate and
> look in the realm for a user with the corresponding DN?
>
> Does anyone have any information or links on how to configure tomcat users
> with client authentication?
>
> Pat
>
> ***********************************************************************
> This message is intended only for the use of the intended recipient and
> may contain information that is PRIVILEGED and/or CONFIDENTIAL.  If you
> are not the intended recipient, you are hereby notified that any use,
> dissemination, disclosure or copying of this communication is strictly
> prohibited.  If you have received this communication in error, please
> destroy all copies of this message and its attachments and notify us
> immediately.
> ***********************************************************************
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>




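A small checker for the cut-and-paste step described in the reply above, added here as an example (it is not from the thread or from Tomcat). It assumes the realm looks the certificate subject up as an exact `username` string, and flags entries that differ only in spacing or in the e-mail attribute keyword; the sample file, address and function names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml; the address and subject are made up.
USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="user"/>
  <user username="administrator" password="password" roles="admin"/>
  <user username="E=alice@example.com,CN=Thawte Freemail Member"
        password="null" roles="user"/>
</tomcat-users>"""

# Assumption: keywords different tools may print for the e-mail attribute.
EMAIL_ALIASES = {"E", "EMAIL", "EMAILADDRESS"}

def split_rdns(dn):
    """Split a DN string on commas that are neither escaped nor quoted."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep an escaped pair together
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    return parts

def normalize(dn):
    """Order-preserving canonical form, used only to spot near-misses."""
    pairs = []
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        key = key.strip().upper()
        pairs.append(("EMAILADDRESS" if key in EMAIL_ALIASES else key, value.strip()))
    return tuple(pairs)

def check_subject(subject, users_xml):
    """Return (status, username): 'exact', 'near' (re-paste needed) or 'missing'."""
    names = [u.get("username", "") for u in ET.fromstring(users_xml).iter("user")]
    if subject in names:
        return "exact", subject
    for name in names:
        if "=" in name and normalize(name) == normalize(subject):
            return "near", name
    return "missing", None
```

A `near` result means the entry names the right certificate but would not match as written, so the subject should be pasted again exactly as it appears in the TRACE log.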